AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Tuesday, January 21
 

8:00am PST

Registration and Breakfast
TBD

Tuesday January 21, 2020 8:00am - 9:00am PST
Annenberg Community Beach House

9:00am PST

Attacking and Defending Containerized Apps and Serverless Tech [Day 1 of 2]
Abstract
Organizations are rapidly moving towards microservice-style architectures for their applications, which has led to container and serverless technology being implemented and taking over at a rapid rate, with a few organizations even leapfrogging containers by implementing serverless technology for scalability. Containers have risen in popularity and have been widely used because they help package and deploy consistent-state applications across multiple environments, and are also extremely scalable, especially when they are complemented with orchestration technologies.


Serverless, on the other hand, seems to be taking over at a rapid rate with the increased usage of microservices and polyglot development of applications and services across organizations. Leading container technologies like Docker have risen in popularity and have been widely used because they have helped package and deploy consistent-state applications across multiple environments. Serverless and container orchestration technologies like Kubernetes help these deployments massively scale, which can increase the overall attack surface to a massive extent if security is not given the attention required. Security continues to remain a key challenge that both organizations and security practitioners face with containerized and serverless deployments.


While containers continue to be vulnerable to the security threats that plague any typical application deployment, they also face specific security threats related to the containerization daemon, the shared kernel and other shared resources like the network, processes and the filesystem. Serverless deployments face risks such as insecure deployment configurations, inadequate monitoring and logging of functions, broken authentication, function event data injection, insecure secret storage, and many more. Attacking applications leveraging container and serverless technology requires a specific skill set and a deep understanding of their underlying architecture. This 2-day training takes a practical approach with both Offensive and Defensive flavours, making it ideal for security engineers, red teamers, DevOps engineers and developers, with a plethora of hands-on exercises that have been designed from real-world attacks and the security-specific challenges that we faced while implementing these technologies, helping them test and implement security in a scalable manner.


The training covers, but is not limited to, the following focus areas in Container Security and Serverless Deployment:
● Introduction to Container Technology
● Containerized Deployments and Container Orchestration Technologies
● Container Threat-Model
● Attacking Containers and Security deep-dive
● Introduction to Kubernetes
● Threat-Model of Orchestration technologies
● Attacking Kubernetes
● Kubernetes Defense-in-Depth
● Logging & Monitoring Orchestrated deployments
● Introduction to Serverless
● Deploying Application to AWS Lambda
● Serverless Threat-Model
● Attacking a Serverless Stack
● Serverless Security Deep-dive

Course Outline
Evolution to Container Technology and Container Tech Deep-Dive:
● Introduction to Container Technology: Namespace, Cgroups, Mount
● Setting up a Minimal Container with nothing but Namespaces and CGroups
Introduction to Containerized Deployments - Understanding and getting comfortable using Docker.
● An Introduction to containers: LXC and Linux Containers
● Introducing Docker Images and Containers
● Hands-on: Deep-dive into Docker - Docker commands, Dockerfile, Images

Introduction to Basic Container Orchestration with Docker-Compose
● Docker Compose
● Hands-on: Application Deployment Using docker

Threat Landscape - An Introduction to possible threats and attack surface when using Containers for Deployments.
● Threat Model for Containerized Deployments: Daemon-related, Network-related, OS and Kernel Threats, Threats with Application Libraries and Threats from Containerized Applications
● Traditional Threat-Modelling for Containers with STRIDE

Attacking Containers and Containerized Deployments
● Hands-on: Attacking Containers and Containerized Deployments - Container Breakout, Exploiting Insecure Docker Configurations, OS and Kernel level exploits, Trojanized Docker images

Securing Containers and Container Deployments
● Hands-on: Container Security Deep-Dive - AppArmor/SecComp, Restricting Capabilities, Analysing Docker images
● Hands-on: Katacontainers
● Container Security Mitigations
● Hands-on: Container Vulnerability Assessment - Clair, Dagda, Anchore, Docker-bench

Introduction to Scalable Container Orchestrators
● Introduction to Container Orchestrators
● Hands-on: Getting started with Kubernetes - Exploring Kubernetes Cluster, Deploying application to Kubernetes

Attacking Kubernetes Cluster
● Threat Model and Attack Surface for a Kubernetes Cluster
● Hands-on: Attacking application deployed on Kubernetes, Exploiting a Vulnerable Kubernetes cluster, Maintaining Persistent Access and Pivoting in the K8s Cluster
● Dissecting the K8s Attack and identifying Security Missteps
● Attacking a kubelet and gaining access to all configurations and secrets on the cluster

Kubernetes Security Deep-Dive
● K8s Threat Model and its counterpoint in Security Practices
● Hands-on: Ideal Kubernetes Security Journey - Pod Security, Access Control, Secret Management
● Hands-on: Kubernetes Vulnerability Assessment - Kube-sec, Kube-hunter, Kube-bench
● Hands-on: Logging and Monitoring - Identifying security anomalies in a K8s Cluster
● Hands-on: Kubernetes Network Security Implementation - Network Security Policy, Service Mesh - Istio/Envoy

Serverless Introduction
● Understanding Serverless and FAAS(Function-As-A-Service)
● Quick tour of FAAS(Function-As-A-Service) and BAAS(Backend-As-A-Service)
● Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options

Serverless Deep-Dive
● Introduction to the Architecture of Serverless Deployments
● Hands-on: Deploying a Serverless application

Attacking Serverless applications
● Serverless Architectures Security Top 10 - A Project similar to OWASP Top 10 for Serverless Apps
● Hands-on: Function Data Event Injection Attacks against FaaS Implementations
● Hands-on: Remote Code Execution attacks against Serverless Apps
● Broken Access Control
● Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens) - Algorithm Confusion, Inherent JWT flaws - 'none'-signed tokens, etc., Attacks based on JWK and JWT Claims
● Hands-on: Attacking Identity and Access Management through Serverless Implementations - View of IAM Sprawl and Permissions, Attacking with DynamoDB Injection + IAM Permissions creep
● Hands-on: Extracting Secrets from FaaS Implementations
● Hands-on: Leveraging Vulnerabilities like ReDoS to perform Resource Exhaustion Attacks
● Hands-on: Exploiting Function Execution Order for fun and profit!

Securing Serverless applications
● Securing Serverless applications - Identity and Access Management, Secret Management
● Hands-on: Secrets Management with AWS Secrets Manager + Rotation
● Hands-on: Logging and Monitoring Functions - Using AWS X-Ray/Zipkin to leverage tracing for security
● Hands-on: Serverless Vulnerability Assessment - Static Code Analysis [SCA], Static Application Security Testing [SAST], Dynamic Analysis Security Testing [DAST]

Upon Completion of this training, attendees will know

This training has been created with the objective of understanding both offensive and defensive security for container-orchestrated and serverless deployments. It is a 2-day program that works through specific theory elements with extensive hands-on exercises modelled on real-world threat scenarios, which attendees will understand and take part in, and will also understand

Speakers
Tilak Thimmappa
Senior Solution Engineer, we45
I work at an Application Security company (we45) and have a unique perspective of developing secure and deliberately insecure apps in Python and NodeJS. I have contributed to the development of several web applications using Django, Django REST Framework, NodeJS and more, that have...
Nithin Jois
Senior Security Solutions Engineer, we45
Nithin Jois dons two hats: apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45, where he has helped build multiple solutions ranging from vulnerability management to scalable scanner-orchestrating systems that leveraged container...


Tuesday January 21, 2020 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

Building Secure API's and Web Applications [Day 1 of 2]
Course Abstract
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.


The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.


As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.


Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.


Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".


The course will include several hacking and secure coding labs!


Syllabus
Day 1 of the course will focus on web application basics:
- Introduction to Application Security
- Introduction to Security Goals and Threats
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- Content Security Policy
- Intro to Angular.JS Security
- Intro to React.JS Security
- SQL and other Injection
- Cross-Site Request Forgery
- File Upload and File IO Security
- Deserialization Security
- Input Validation Basics
- OWASP Top Ten 2017
- OWASP ASVS

Speakers
Jim Manico
Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like SemGrep, Nucleus Security, Defect Dojo, KSOC...


Tuesday January 21, 2020 9:00am - 5:00pm PST
Club Room

9:00am PST

Hacking for DevOps & Technologists [Day 1 of 2]
Abstract
Two days of happy hacking joy, learning by doing with hands-on labs, learning and attacking. A smile will spread across your face as you explore weaknesses in IT systems, applications and web apps, IoT devices, protocols and ICS/SCADA systems. If the ever-connected world gives you vulnerable targets, hack all the things. The OWASP Top Ten will be the focus across a variety of different types of vulnerabilities from a hacker perspective, moving beyond the white hat tester mentality. Threat modelling, and the underground economies and markets where intellectual property and data are sold.


Discussing the reality of the economic consequences of exploitable technology, from terrorism to cyber warfare. Who knew software vulnerabilities could lead to some crazy nation on nation shi*t? You'll learn how to find some serious issues and exploit that code so hard the original developer or vendor will feel it.


You’ll jump right in and learn with a customized Kali pen testing operating system. Using OWASP ZAP, BeEF, Metasploit, Nmap, Recon-ng, Nessus, Nikto, Maltego, Shodan, Censys, alternative search engines, OSINT, SpiderFoot and metadata tools. Finding exploitable systems, scanning, sniffing for credentials, XSS reflected and stored attacks, attacking browsers via JavaScript, SQL injection, CSRF, data leaks, replay attacks, exploiting vulnerable operating systems, applications, websites, embedded systems and critical infrastructure ICS/SCADA. How attackers cover their tracks and take advantage of insufficient logging and monitoring. How attackers discover then pivot from one weak system to another, burrowing deep into an organisation to steal intellectual property, data or anything of juicy value.


Expectations and Goals
Discover vulnerabilities, data leaks, insecure systems and devices using the tools and techniques in the course.
Approach technology and security controls from an attacker and black hat hacker perspective.
Understand the OWASP Top Ten and threat modeling with IT, IoT and ICS/SCADA systems.
Recognize patterns in observations of weak and risky systems and applications and construct threat models to explain the jeopardy.


Required Materials
Attendees must bring a curious mind and some technology. Caution: using a Windows 10 host operating system can sometimes be problematic due to various auto-protection mechanisms put in place by Microsoft. Mac/Apple operating systems can be used as a host, but try to use the VMware Fusion 64-bit version.
  • Laptop with administrative privileges and 8 GB of RAM with 100 GB hard disk free
  • Installation of VMware Player or Fusion
  • Network connection, RJ45 (can be a USB to RJ45 adapter)
  • API keys and accounts set up in advance for the course
  • Bring your own hoodie


Required Text
OWASP Version 4 Testing Guide PDF, OWASP (Free)
Course Workbook (Provided) Print, Chris Kubecka
Hack the World with OSINT (Provided)

Course Schedule (Tentative)
Day 1
[Topics]
Day 1 Introduction to course & Attendees
Setup of lab machines
Hacker/Pen Tester/Nation State mentalities
OWASP Top Ten
Reconnaissance 1
OSINT tool setup
Reconnaissance 2
Reconnaissance 3

[Exercises]
Victim & attack machine(s), API keys
Document overview & mission objectives
OWASP Guide introduction with framework
Examples & introduction to methodology
OWASP ZAP, Metasploit, Nmap, SpiderFoot, Nikto, Maltego, etc.
Hands-on passive OSINT
Hands-on direct OSINT

Upon Completion of this training, attendees will know

How attackers cover their tracks and take advantage of insufficient logging and monitoring
How attackers discover then pivot from one weak system to another, burrowing deep into an organization to steal intellectual property, data or anything of juicy value
Basic understanding of IT/IoT/ICS protocols
Web application testing from a sophisticated attacker point of view
Nation-state attack techniques and tools

Speakers
Chris Kubecka
CEO, HypaSec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governments and parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond to and recover from a nation-state attack, Shamoon...


Tuesday January 21, 2020 9:00am - 5:00pm PST
Guest House Parlor

9:00am PST

The DevSecOps MasterClass - AppSec Edition [Day 1 of 2]
Course Abstract 
Managing comprehensive security for continuous delivery of applications across organizations continues to be a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach to implementing security across Continuous Delivery pipelines by leveraging the plethora of cloud offerings, and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud, with detailed perspectives on implementing scalable security for cloud-native deployments. By the end of this 2-day training, attendees will have enough ideas and hands-on experience to successfully kick off DevSecOps implementations.

In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools. This training has been very popular as a sold-out program at BlackHat USA 2019, CodeBlue Japan, as well as several OWASP events in the past.


Course Objectives 
* Practical and Scalable Application Security Automation Techniques that work across different segments of the Agile SDL or DevOps pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leverage open-source tools and test automation frameworks to integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
* Leverage Automation Techniques to implement Security practices for Cloud Deploy

Training Syllabus 
Day 1
The Problem with the old models of Application Delivery
A Quick History of Agile and DevOps
The Coming of DevOps
The Need for Security in DevOps
Security in Continuous Integration
Security Integrations for Jenkins and other CI Tools
Introduction to Static Application Security Testing (SAST) for Continuous Integration
Success Factors for SAST - Tool Focus
FindSecBugs
NodeJSScan
Bandit
Brakeman
MobSF (Mobile SAST)
Hands-on Labs - SAST Framework for CI Tools like Jenkins
Rolling out custom SAST Workflows – using Abstract Syntax Trees and Regular Expressions
Hands-on SAST - Write your own AST checks for SAST
Dynamic Application Security Testing with Continuous Integration
Concepts of DAST with Security Testing
Security Automation Testing using BurpSuite Professional, OWASP ZAP, w3af, Selenium, OpenAPI (Swagger)
Security Regression Tests - How to design and write them
Hands-on Labs - Creating Parameterized Security Automation Testing Scripts for w3af, OWASP ZAP, BurpSuite Pro and Selenium
Hands-on Labs: Leveraging Functional Test Automation with multiple frameworks for Security Testing
Robot Framework
NightwatchJS
Tavern - REST API Testing
Puppeteer
Hands-on Labs - Integrating Custom Security Automation with Jenkins and other CI Tools
Hands-on Automation for Security Regressions
Application Security Automation – Deep-Dive:
Hands-on:
OWASP ZAP Deep-Dive
Scan Policy
Extensions
Certificate Management
OWASP ZAP API Deep-Dive
OWASP ZAP Scripting Workshop
Create Active Scan Scripts for Custom Application Vulnerabilities
Create Zest Scripts for Authentication
OWASP ZAP API Testing with OpenAPI Specification
BurpSuite 2.0 API Deep-Dive
Scan
Leveraging Burp 2.x API with Selenium for testing browser-based applications
Leveraging Burp 2.x API and (Tavern/RESTinstance/Chai) to test web services and microservices
Scan Profiles with Audit and Crawl Profiles
BurpSuite Knowledge Definitions
Introduction to Robot Framework:
Introduction to BDD and ATDD Frameworks
Introduction to Robot Framework and its Declarative Syntax
Writing Application Security Test Recipes using Robot Framework
Hands-on: OWASP ZAP - Robot Framework Integration
Creating Parameterized AppSec Automation with Robot Framework, Selenium, OWASP ZAP and BurpSuite Pro
Identifying Insecure Software Libraries in Continuous Integration
Hands-on Labs: OWASP Dependency Check and Dependency Track
Hands-on Labs: RetireJS
Hands-on Labs: RoboNPMAudit
Hands-on Labs: Integrating Source Composition Analysis into the CI Pipeline
Software Bill of Materials (SBOM) and Source Composition Analysis
Standardizing Software Metadata to identify security issues against Third-Party Libraries
Hands-on Labs: Using CycloneDX and OWASP Dependency Track to continuously track and monitor Software components in a CI Pipeline with Jenkins/GitLab
Hands-on: Using these techniques to create a "Continuous Application Security Test Pipeline"
Introduction to IAST and RASP
Why IAST? Why RASP? And when to use it
A look at the tools for IAST and RASP
Hands-on Labs: Deploying IAST and RASP on an Intentionally Vulnerable Java Application

Upon Completion of this training, attendees will know
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline

Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate

Detailed Cloud Security Automation coverage with Terraform and boto3, tools that are extensively used to provision cloud environments, giving participants immediate approaches to implement scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure the lab environment post-training

Attendees should bring
* A laptop with an SSH client and the ability to connect to WiFi networks in class
* (Optional) BurpSuite license for one lab around BurpSuite Automation; however, code will be provided for practice offline as well
* AWS account with administrative access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. We recommend NOT bringing work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system, which has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, as is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via any browser, providing a terminal interface, code editor and all other dependencies necessary to run the labs.
This enables participants to walk into our trainings with any device that has a browser installed and take part in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services




Speakers
Abhay Bhargav
Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...


Tuesday January 21, 2020 9:00am - 5:00pm PST
Garden Terrace Room

12:00pm PST

Lunch
Tuesday January 21, 2020 12:00pm - 1:30pm PST
Annenberg Community Beach House
 
Wednesday, January 22
 

8:00am PST

9:00am PST

Attacking and Defending Containerized Apps and Serverless Tech [Day 2 of 2]
Speakers
Tilak Thimmappa
Senior Solution Engineer, we45
I work at an Application Security company (we45) and have a unique perspective of developing secure and deliberately insecure apps in Python and NodeJS. I have contributed to the development of several web applications using Django, Django REST Framework, NodeJS and more, that have...
Nithin Jois
Senior Security Solutions Engineer, we45
Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Terrace Lounge

9:00am PST

Building Secure API's and Web Applications [Day 2 of 2]
Course Abstract
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.


The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.


As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript, and .NET programmers, but any software developer building web applications and webservices will benefit.


Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.


Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".


The course will include several hacking and secure coding labs!


Syllabus
Day 2 of the course will focus on API secure coding, Identity, and other advanced topics:

- Webservice, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth 2 Security
- OpenID Connect Security
- HTTPS/TLS Best Practices
- 3rd Party Library Security Management
- Application Layer Intrusion Detection

Speakers
Jim Manico
Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like SemGrep, Nucleus Security, Defect Dojo, KSOC...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Club Room

9:00am PST

Hacking for DevOps & Technologists [Day 2 of 2]
Abstract
Two days of happy hacking joy, learning by doing: hands-on labs, learning and attacking. A smile will spread across your face as you explore weaknesses in IT systems, applications and web apps, IoT devices, protocols and ICS/SCADA systems. If the ever-connected world gives you vulnerable targets, hack all the things. The OWASP Top Ten will be the focus over a variety of different types of vulnerabilities from a hacker perspective, moving beyond the white hat tester mentality. Threat modelling, and the underground economies and markets where intellectual property and data are sold.


Discussing the reality of the economic consequences of exploitable technology from terrorism to cyber warfare. Who knew software vulnerabilities could lead to some crazy nation on nation shi*t? You'll learn how to find some serious issues and exploit that code so hard the original developer or vendor will feel it.


You’ll jump right in and learn with a customized Kali pen testing operating system. Using OWASP ZAP, BeEF, Metasploit, Nmap, Recon NG, Nessus, Nikto, Maltego, Shodan, Censys, alternative search engines, OSINT, SpiderFoot and metadata tools. Finding exploitable systems, scanning, sniffing for credentials, XSS reflected and stored attacks, attacking browsers via JavaScript, SQL injection, CSRF, data leaks, replay attacks, exploiting vulnerable operating systems, applications, websites, embedded systems and critical infrastructure ICS/SCADA. How attackers cover their tracks and take advantage of insufficient logging and monitoring. How attackers discover then pivot from one weak system to another, burrowing deep into an organisation to steal intellectual property, data or anything of juicy value.


Expectations and Goals
Discover vulnerabilities, data leaks, insecure systems and devices using the tools and techniques in the course.
Approach technology and security controls from an attacker and black hat hacker perspective.
Understand the OWASP Top Ten and threat modeling with IT, IOT and ICS/SCADA systems.
Recognize patterns in observations of weak and risky systems and applications and construct threat models to explain the jeopardy.


Required Materials
Attendees must bring a curious mind and some technology. Caution: using a Windows 10 host operating system can sometimes be problematic due to various auto-protection mechanisms put in place by Microsoft. Mac/Apple operating systems can be used as a host, but try to use the 64-bit version of VMware Fusion.
  • Laptop with administrative privileges and 8 GB of RAM with 100 GB hard disk free
  • Installation of VMware Player or Fusion
  • Network connection, RJ45 (a USB to RJ45 adapter is fine)
  • API keys and accounts set up in advance for the course
  • Bring your own hoodie


Required Text
OWASP Version 4 Testing Guide PDF, OWASP (Free)
Course Workbook (Provided) Print, Chris Kubecka
Hack the World with OSINT (Provided)

Course Schedule (Tentative)
Day 2
[Topics]
Scanning
OWASP #1 Injections
OWASP #2 Broken Authentication
OWASP #3 Sensitive Data Disclosure
OWASP #4 Security Misconfiguration

[Exercises]
Using scanning tools against targets
Hands-on SQL and other injection attack

Upon Completion of this training, attendees will know
How attackers cover their tracks and take advantage of insufficient
logging and monitoring
How attackers discover then pivot from one weak system to another,
burrowing deep into an organization to steal intellectual property,
data or anything of juicy value
Basic understanding of IT/ IOT/ ICS protocols
Web application testing from a sophisticated attacker point of view
Nation-state attack techniques and tools

Speakers
Chris Kubecka
CEO, Hypasec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governments and parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond and recover from a nation-state attack, Shamoon...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Guest House Parlor

9:00am PST

The DevSecOps MasterClass - AppSec Edition [Day 2 of 2]
Course Abstract 
Managing comprehensive security for continuous delivery of applications across organizations continues to remain a serious bottleneck in the DevOps movement. The methodology involved in implementing effective security practices within delivery pipelines can be challenging.

This training is designed to give a practical approach to implementing Security across Continuous Delivery Pipelines by leveraging the plethora of cloud offerings, and is backed by a ton of hands-on labs, original research and real-world implementations of DevSecOps that work.

The training starts with Application Security Automation for SAST, DAST, SCA, IAST and RASP, apart from Vulnerability Management and Correlation. Finally, the training concludes with leveraging Security Automation in the Cloud, with detailed perspectives on implementing scalable security for cloud-native deployments.

By the end of this 2-day training, attendees will have enough ideas and hands-on experience in order to successfully kick off DevSecOps implementations. In addition, students will walk away with a powerful DevSecOps toolkit that can be used to integrate and orchestrate security tools. This training has been very popular as a sold-out program at Black Hat USA 2019, CODE BLUE Japan, as well as several OWASP events in the past.

Course Objectives 
* Practical and Scalable Application Security Automation Techniques that work across different segments of the Agile SDL or DevOps pipeline
* Integration of AppSec test activities in the CI/CD pipeline
* Leverage open-source tools and test automation frameworks to integrate SAST, DAST, SCA, IAST in the CI/CD Pipeline
* Leverage Automation Techniques to implement Security practices for Cloud Deployments

Training Syllabus 
Day 2
Application Security Pipelines in Continuous Integration Suites
Approaches to Application Security Pipelines
Ground Truths and Challenges with Security Pipelines
Differences between traditional and security pipelines
“Breaking the Build” - Myth and Reality
False Positive Management
Types of Application Security Pipelines
Incremental Security Pipeline
Autonomous Security Pipeline
“Build-only” Security Pipeline
Hands-on Labs
Incremental Security Pipelines with Jenkins Pipeline Jobs
Autonomous Pipelines with ThreatPlaybook (Application Security Automation Framework, built on Robot Framework) Recipes and Jenkins/GitLab
Asynchronous Security Pipelines with AWS Lambda and Fargate
Application Vulnerability Correlation and Management
Approaches to Vulnerability Correlation and Orchestron
Integrating Vulnerability Management with Bug Tracking/SDLC tools like JIRA
Using Orchestron Community and Webhooks to manage and correlate vulnerabilities as part of Continuous Application Security
DevSecOps - Cloud Focus
Intro to Cloud and Cloud Services
Intro to AWS and AWS Service Offerings
AWS Products and Service Offerings
Azure and Google Cloud
IaaS, PaaS, FaaS, and SaaS
Variation in Services Management
Security Services in the Cloud
AWS Security Services
Responsibility Matrix - AWS Services
Security Responsibilities of Users vs AWS
AWS Compliance and Security Implementations
PCI-DSS, HIPAA, SOC, GDPR
Common AWS Security Mistakes
Security Automation in the Cloud with Terraform and boto3
A Hands-on Introduction to Terraform and boto3 (Amazon SDK for Python)
Hands-on: IAM => Roles, Policies, Groups and Users
Host and Network Security Practices:
Hands-on VPC, Security Groups, Private and Public Subnets
Hands-on: Host Security Assessment with Automated deployments of Hardening tools like Lynis
Hands-on: Post-Deploy Vulnerability Assessment with Amazon Inspector and Vuls.io
Hands-on: Security Configuration with AWS Config
Security Automation with Cloud-Native Environments
Hands-on: Leveraging AWS Lambda for Security Monitoring
Hands-on: AWS Step Functions
Hands-on: Code Pipeline and Azure DevOps
Vulnerability Assessment for Cloud Environments
Common Vulnerabilities in AWS environments
IAM Sprawl => Demonstrated with multiple examples, including DynamoDB Injection
S3
Vulnerability Assessment for Cloud-Native environments:
Scout2
Prowler
CSSuite
Cloud-Custodian

Upon Completion of this training, attendees will know
A plethora of Implementation techniques and ideas with hands-on experience to be able to implement a full-fledged Application Security Pipeline

Battle-tested Application Security Automation Techniques + Practical Security Pipelines, with both conventional and unconventional techniques like leveraging AWS Lambda and Fargate

Detailed Cloud Security Automation coverage with Terraform and boto3. Tools that are extensively used to provision cloud environments. Gives participants immediate approaches to implement scalable cloud security

Attendees will be provided with (by trainer)
* Instructions for the Labs
* Slides for the entire session + Speaker notes
* Access to we45 cloud labs
* Code snippets used and the setup files to configure lab
environment post-training

Attendees should bring
* A Laptop with an SSH client and ability to connect to WiFi networks in class
* (Optional) Burp Suite license for 1 lab around Burp Suite automation => however, code will be provided for practice offline as well
* AWS Account with Administrative Access to the account. We will be using free-tier resources to provision and quickly deprovision resources through Terraform/boto3. We recommend NOT bringing work AWS accounts.

** Note on the Lab Environment **
The participants will be using our state-of-the-art lab management system that has evolved over the years based on the feedback received from our trainings across the world. This eliminates the need for participants to bring high-compute machines with third-party applications installed, which is typically required for most trainings. The lab management system provisions on-demand lab servers that can be accessed via any browser, providing a terminal interface, code editor and all other dependencies that are necessary to run the labs.
This enables the participants to essentially walk into our trainings with any device that has a browser installed and they will be able to participate in all hands-on labs. All artefacts such as code snippets, slides and setup scripts used in the training will be available for the participants to download and use even after the training concludes!

Pre-requisites for attendees:
- Working knowledge of Application Security concepts and vulnerabilities (OWASP Top 10, Application Security concepts)
- Basic knowledge of Linux command line
- Basic knowledge of some (any) programming language
- Basic/Rudimentary understanding of Cloud concepts and services



Speakers
Abhay Bhargav
Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...


Wednesday January 22, 2020 9:00am - 5:00pm PST
Garden Terrace Room

9:00am PST

Web Application Hacking Training
ABSTRACT
The Application Security Training is a “1 Day Hands-On Training”. This training is intended for students/professionals interested in making a career in the Information Security domain. It involves real-world scenarios that every Security Professional must be well versed with: decompiling, real-time analysis and testing of applications from a security standpoint.

This training covers understanding the internals of web and mobile applications, real-time testing of web applications and Android applications, and a strategic approach to analyzing applications for OWASP Top 10 (Web) security issues such as Injections, Cross Site Scripting (XSS), CSRF Attacks, Insecure APIs, Insecure logging, Insecure communication, Insufficient cryptography, Insecure authentication, Poor code quality and many more.

WHO THIS TRAINING IS FOR?
● Students interested in Application Security
● Security Analysts/Researchers.
● IT Professionals working in Web Application Development domain.
● IT professionals working in Information Technology-Security domain.

KEY TAKEAWAYS
● Understanding of manual & automated tools and techniques and when to apply them.
● Clear understanding of the Web Application Penetration Testing
● Ability to analyze a Web Application from a Security Standpoint
● Gain confidence in customizing your Application Security Testing Approach to suit the application-specific pentesting needs, by gaining clarity on the powerful features of the Burp Suite tool
● Build a clear scope to prioritize your security testing

What will be covered
  • Opening
    • about the class
    • about OWASP
  • Introduction
    • Security Awareness/hacker mindset
    • Introduction to the training environment and tools
  • Reconnaissance
    • Web application Reconnaissance
    • HTTP / HTTPS basics
    • Web application and Web server fingerprinting
  • Most common vulnerabilities, detection, and exploitation (3 hours)
    • XSS (HTML, Attribute, DOM)
    • SQLi
    • IDOR Vulnerabilities
    • XXE
    • SSRF
    • File Upload Vulnerabilities
    • Insecure API
  • Where to go from here
    • Introduction cloud security (AWS, Azure)
    • SCADA
    • Embedded
  • Recap

Prerequisites
  • Laptop with
    • Workshop software installed and configured as specified in the PDF at the end of this page -- please do this BEFORE the workshop
    • make sure you have actually run a Virtual image before
    • minimal 4GB RAM
    • 10 GB free space
    • VMware or VirtualBox installed
    • If possible, administrator privileges
  • Basic understanding of software development and or networking

Attendees will be provided with (by trainer)

Training Deck
Virtual Machines
Answers Sheets
Help in revisiting the session challenges post the class

Speakers
Vandana Verma Sehgal
Chair, Global Board of Directors, OWASP Foundation
Vandana Verma Sehgal is Security Leader at Snyk. She is a member of the OWASP Global Board of Directors. She has experience ranging from Application Security to Infrastructure and now dealing with Product Security. She also works in various communities towards diversity initiatives...



Wednesday January 22, 2020 9:00am - 5:00pm PST
Sand and Sea Room

12:00pm PST

Lunch
Wednesday January 22, 2020 12:00pm - 1:30pm PST
Annenberg Community Beach House
 
Thursday, January 23
 

7:30am PST

8:40am PST

Welcome Address
TBD

Speakers
Richard Greenberg
Global Board of Directors, OWASP
Richard Greenberg, CISSP is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management...



Thursday January 23, 2020 8:40am - 8:55am PST
Garden Terrace Room

8:55am PST

Diamond Sponsor Greetings
Thursday January 23, 2020 8:55am - 9:00am PST
Garden Terrace Room

9:00am PST

Diamond Sponsor Greetings
TBD

Thursday January 23, 2020 9:00am - 9:05am PST
Garden Terrace Room

9:05am PST

Diamond Sponsor Greetings
TBD

Thursday January 23, 2020 9:05am - 9:10am PST
Garden Terrace Room

9:10am PST

Opening Keynote
TBD

Speakers
Alex Stamos
Director, Stanford Internet Observatory, Stanford University
Alex Stamos is a computer scientist and adjunct professor at Stanford University's Center for International Security and Cooperation. He is the former chief security officer (CSO) at Facebook. His planned departure from the company, following disagreement with other executives about...



Thursday January 23, 2020 9:10am - 10:00am PST
Garden Terrace Room

10:00am PST

Break
Thursday January 23, 2020 10:00am - 10:20am PST
Annenberg Community Beach House

10:10am PST

CTF / Capture the Flag
Test your skills on the CMD+CTRL Cyber Range
Security Innovation is proud to join OWASP AppSec California again in 2020 to host a unique and challenging CTF featuring our CMD+CTRL Cyber Range.

What is a Cyber Range?
CMD+CTRL Cyber Ranges are intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lay waiting to be exploited.
For each vulnerability you find you'll be awarded points (based on the level of difficulty) that will be charted on our live leaderboard. Top scorers get prizes, but all players have fun!

Free CTF Training
Along with the competition, we'll be offering free training lessons so that newcomers can also do some hands-on work even if they don’t feel ready to participate in the official CTF event.

Space is limited, so sign up to save your space today!


Training and CTF schedule

Day 1 - Thursday, January 23

Training Site – Beginner/Intermediate
10:10 - 10:30am Kickoff, overview and Thinking Like an Attacker
10:30 - 10:45am Cheat sheet and Cyber Range Walk Through
10:45 - 11:00am Hands-on Exploit Demonstrations
11:00 - 12:30pm Open Hacking
12:30 - 01:30pm Break
01:30 - 01:45pm Afternoon Kickoff
01:45 - 02:00pm Hands-on Exploit Demonstrations
02:00 - 05:10pm Open Hacking
CTF Site - Beginner/Intermediate/Advanced
10:10 - 10:20am Brief introduction
10:20 - 05:10pm Open Hack with periodic scoreboard displays

Both Cyber Range sites will turn off at 03:00pm and the CTF competition winners will be announced on Friday during the Closing Keynote at 03:10pm.


Thursday January 23, 2020 10:10am - 5:10pm PST
Guest House Parlor

10:10am PST

IoT Village
Want to learn how to attack IoT devices? We will have a network of new and old IoT products along with Cisco Meraki enterprise and medical devices to play with! A free virtual machine (VM) with vulnerable emulated firmware and tons of preloaded tools will be available for download. The IoT Village is hosted by Aaron Guzman and Walter Martín Villalba. You don't want to miss out!

Aaron Guzman / https://www.linkedin.com/in/scriptingxss/ / @scriptingxss
Walter Martín Villalba / https://www.linkedin.com/in/wmvillalba/ / @act1vand0

Thursday January 23, 2020 10:10am - 5:10pm PST
Guest House Dining Room

10:20am PST

Lightning Talk: RaiseMe Introduction
Introduction to RaiseMe and Career events for the remainder of the day.


Speakers
Lori Barfield
Founder, RaiseMe
Lori joined her first Internet startup as a senior system administrator. When that company went public, she was hooked, and helping smaller firms prevail against well established rivals has been her passion ever since. She is currently a consulting C*O and a chair at the SCaLE and...



Thursday January 23, 2020 10:20am - 10:45am PST
Terrace Lounge

10:20am PST

Lightning Talk: DevSecOps enabled micro-perimeter API protection
The current "Shift Left" DevSecOps approach puts more and more responsibility on Developers. Taking into consideration the current shortage of cybersecurity specialists among software developers, that can end up with unintended consequences. In my presentation, I would like to focus on a solution that allows the decoupling of the application API security logic from business workloads utilizing the sidecar pattern. This design pattern provides developers an ability to describe the security of their services utilizing the declarative approach. Configuration artifacts representing security as a code can be then used as part of the DevSecOps pipeline and provide multilevel security for APIs, including micro-segmentation, multilevel authorization, communication channel security, as well as enabling the service identity. The presentation will include the theoretical concepts as well as the example of a real implementation.

Speakers
Lukasz Radosz
Chief Product Officer, Cloudentity
Lukasz Radosz is a co-founder and Chief Product Officer at Cloudentity solving problems related to API Security and Authorization. Lukasz considers himself a member of a dying breed of Information Technology versatilists with over 15 years of industry experience delivering high complexity...



Thursday January 23, 2020 10:20am - 10:45am PST
Club Room

10:20am PST

Lightning Talk: OWASP Project Showcase: Threat Model Cookbook
This lightning talk will present an overview of the OWASP Threat Model Cookbook Project that is about creating and publishing threat model examples.

We will take a sneak peek into various examples in the form of code, graphical or textual representations. You will be able to see the resulting outputs of diverse technologies, methodologies and techniques.

For those who want to participate, we will quickly explain how to contribute on GitHub. https://github.com/OWASP/threat-model-cookbook

Speakers
Jonathan Marcil
Sr. AppSec Engineer, Twitch
Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently co-leads the OWASP Threat Model Cookbook Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal...



Thursday January 23, 2020 10:20am - 10:45am PST
Garden Terrace Room

10:20am PST

Lightning Talk: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices
OAuth 2.0 is an authorization framework that enables third-party applications to obtain temporary, limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each restricted to the type of client obtaining authorization and the type of resource owner that must grant access. Diverging from these defined, restricted interactions can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. In this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.
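
The authorization-code interception that PKCE defends against, as an added example that is not part of this talk or the programme. Both sides of the exchange are modelled in-process under hypothetical names (`make_pkce_pair`, `AuthorizationServer`); the server keeps an in-memory table instead of a database, and only the S256 challenge method from RFC 7636 is accepted.

```python
"""Added example: PKCE for a public client (mobile or single-page app) that cannot keep
a client secret. Client and authorization server are modelled in one process."""
import base64
import hashlib
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh high-entropy code_verifier and its S256 code_challenge.
    32 random bytes give a 43-character verifier, the RFC 7636 minimum length."""
    verifier = b64url_nopad(secrets.token_bytes(32))
    challenge = b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


class AuthorizationServer:
    """Server side (hypothetical, in-memory). Only S256 is accepted: with the 'plain'
    method anyone who sees the authorization request already holds the verifier."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier):
        # Single use: the code is consumed on first presentation, valid or not, so a
        # stolen code cannot be retried and a later legitimate redemption fails loudly.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id:
            return None
        if not code_verifier or not 43 <= len(code_verifier) <= 128:
            return None
        computed = b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(computed, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> dict:
    server = AuthorizationServer()

    # 1. Legitimate public client redeems its own code with the verifier it kept.
    verifier, challenge = make_pkce_pair()
    code = server.authorize("mobile-app", challenge)
    legit = server.token("mobile-app", code, verifier)

    # 2. Interception: a malicious app registered for the same redirect URI scheme
    #    captures the code from the redirect, but never saw the verifier.
    verifier2, challenge2 = make_pkce_pair()
    stolen_code = server.authorize("mobile-app", challenge2)
    intercepted = server.token("mobile-app", stolen_code, b64url_nopad(secrets.token_bytes(32)))
    replay = server.token("mobile-app", stolen_code, verifier2)  # code already consumed

    # 3. A request that omits PKCE entirely is refused for this client type.
    _, challenge3 = make_pkce_pair()
    no_pkce = server.token("mobile-app", server.authorize("mobile-app", challenge3), None)

    # 4. Downgrade to the 'plain' method is refused at authorization time.
    try:
        server.authorize("mobile-app", challenge, method="plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {
        "legit_ok": legit is not None,
        "intercepted_ok": intercepted is not None,
        "replay_ok": replay is not None,
        "no_pkce_ok": no_pkce is not None,
        "plain_rejected": plain_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is the last one in `token`: the server never learns the verifier until redemption, so an attacker who only observed the authorization response holds a code that is useless without it. Binding the code to `client_id` and consuming it on first use are the complementary RFC 6749 requirements.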

Speakers
Pak Foley
Security Engineer, Procore Technologies
Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular...



Thursday January 23, 2020 10:20am - 10:45am PST
Sand and Sea Room

10:55am PST

JWT Parkour
Nowadays, JSON Web Tokens are everywhere. They are used as session tokens or just to pass data between applications or µservices. By design, JWTs come with a high number of security and cryptography pitfalls. In this talk, we are going to learn how to exploit (with demos) some of those issues. After covering the basics (None and Algorithm confusion), we are going to move to kid injection and embedded JWK (CVE-2018-0114). Finally, we will look at the jku and x5u attributes and how they can be abused by chaining vulnerabilities.
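
The two "basic" attacks named here and in the serverless training's JWT exercise above (alg=none and RS256-to-HS256 algorithm confusion), as an added example that is not part of either speaker's material. It uses only the Python standard library: the key pair is constructed from two Mersenne primes, and RS256 is modelled as textbook, unpadded RSA over a SHA-256 digest (a real implementation uses PKCS#1 v1.5 padding). `sign`, `verify_naive` and `verify_pinned` are hypothetical names.

```python
"""Added example: alg=none and algorithm confusion against a JWT verifier that trusts
the token header, beside a verifier that pins the algorithm server-side."""
import base64
import hashlib
import hmac
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed toy key pair: p = 2^127-1 and q = 2^521-1 (Mersenne primes), e = 65537.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# The verifier only holds the public key; here the modulus serialised big-endian stands
# in for the PEM file a real service would load.
PUBLIC_KEY = N.to_bytes((N.bit_length() + 7) // 8, "big")


def _digest(signing_input: bytes) -> int:
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")


def sign(claims: dict, alg: str, key) -> str:
    """Issue a token. key is the HMAC secret for HS256 or the private exponent for RS256."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        sig = b""
    elif alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    elif alg == "RS256":
        sig = pow(_digest(signing_input), key, N).to_bytes(len(PUBLIC_KEY), "big")
    else:
        raise ValueError(f"unsupported alg {alg}")
    return f"{header}.{payload}.{b64url(sig)}"


def verify_naive(token: str, key: bytes):
    """Vulnerable: dispatches on the alg the *token* declares and reuses one key for
    every branch, so the RSA public key doubles as an HMAC secret."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    signing_input = f"{h}.{p}".encode()
    sig = b64url_decode(s)
    if alg == "none":
        ok = sig == b""
    elif alg == "HS256":
        ok = hmac.compare_digest(sig, hmac.new(key, signing_input, hashlib.sha256).digest())
    elif alg == "RS256":
        ok = pow(int.from_bytes(sig, "big"), E, int.from_bytes(key, "big")) == _digest(signing_input)
    else:
        ok = False
    return json.loads(b64url_decode(p)) if ok else None


def verify_pinned(token: str, key: bytes, expected_alg: str = "RS256"):
    """Fixed: the service decides the algorithm. A header that disagrees is rejected
    before any cryptography runs, and 'none' is never an acceptable expectation."""
    if expected_alg == "none":
        return None
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") != expected_alg:
        return None
    return verify_naive(token, key)


def demo() -> dict:
    legit = sign({"sub": "alice", "admin": False}, "RS256", D)
    forged_none = sign({"sub": "alice", "admin": True}, "none", None)
    # Algorithm confusion: the attacker "signs" with HS256 using the *public* key bytes.
    forged_hs = sign({"sub": "alice", "admin": True}, "HS256", PUBLIC_KEY)
    return {
        "legit_naive": verify_naive(legit, PUBLIC_KEY),
        "none_naive": verify_naive(forged_none, PUBLIC_KEY),
        "confusion_naive": verify_naive(forged_hs, PUBLIC_KEY),
        "legit_pinned": verify_pinned(legit, PUBLIC_KEY),
        "none_pinned": verify_pinned(forged_none, PUBLIC_KEY),
        "confusion_pinned": verify_pinned(forged_hs, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for name, claims in demo().items():
        print(f"{name:17s} -> {claims}")
```

Both forgeries are accepted by `verify_naive` with `admin: true`; `verify_pinned` rejects them on the header check alone. The same pinning applies to real libraries: pass the expected algorithm (and a key object of the matching type) to the verify call rather than letting the token choose.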

Speakers
Louis Nyffenegger
Security Engineer and Founder, PentesterLab
Louis is a security engineer based in Melbourne, Australia where he performs pentest, architecture and code review. Louis is the founder of PentesterLab, a learning platform for web penetration testing. Recently, Louis talked at Owasp AppsecDay Melbourne, BSides Canberra (one of the...



Thursday January 23, 2020 10:55am - 11:45am PST
Terrace Lounge

10:55am PST

Lessons from the war zone to the cyber trenches, what leaders need to know
Are you prepared to respond to an epic clash between hackers that turns into a battle of survival? How does an intense, immersive experience build critical cybersecurity skills throughout an organization? What happens when people, technology, organizations, and processes are tested under duress? Find out how US Service Members use battle-tested practices and apply them to cyber crisis response.

Speakers
Hise Gibson
Academy Professor of Systems Engineering, United States Military Academy at West Point
Colonel Gibson is a Master Army Aviator and has over 20 years of military service. He led teams in Korea, Germany, Afghanistan, and Iraq. His previous assignments were as a Company Commander in Germany and Iraq, a Battalion Operations Officer (COO) and Deputy Commander (Chief of...
Chris Kubecka
CEO, Hypasec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governments and parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond and recover from a nation-state attack, Shamoon...
JC Vega
Retired Colonel & Dr.
JC Vega is a retired senior Army cyber officer, proven executive and visionary with over three decades of security leadership experience. He served 29 years in the Army in multiple leadership, advisory and mentorship roles that include CIO, Board Member, Advisor, CISO, Director of Cyber...


Thursday January 23, 2020 10:55am - 11:45am PST
Sand and Sea Room

10:55am PST

Continuous Cloud Security Monitoring (CCSM)
When I first started working with AWS, there were a handful of core services. Since then, AWS has been announcing hundreds of new services per year in dozens of regions around the world. With a rapidly changing landscape, relevant documentation, tutorials, and how-to's can be difficult to come by. AWS is its own beast and traditional Incident Response and Forensics techniques don't work. Try to perform full packet inspection between EC2 instances in the same VPC or use a write blocker while analyzing an EBS. Better yet, try to build a timeline with default log settings. Organizations are desperately looking for tools available to them to detect and respond to threats. This talk will provide a much needed summary of Continuous Cloud Security Monitoring (CCSM) strategies, techniques, and best practices so you don't have to spend the next 12 months reading AWS white papers. Takeaways from this presentation will be methods to immediately apply logging, monitoring, alerting, and Honey[Things] that can be applied in any AWS environment.

Speakers
Michael Wylie
Director, Cybersecurity Services, Richey May Technology Solutions
Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training...



Thursday January 23, 2020 10:55am - 11:45am PST
Garden Terrace Room

10:55am PST

The State of Credential Stuffing and the Future of Account Takeovers
Credential Stuffing has existed since the first leaked password but has exploded in the past 3 years. Why? What has changed and where does it go from here?

The tools that enable credential stuffing attacks and other OWASP Automated Threats are converging on a single strategy, the complete imitation of user behavior and characteristics – real user behavior on real devices on real home networks. This level of extreme mimicry makes discerning good from bad difficult and the web is having a hard time keeping up.

This level of sophistication is not cheap and is only possible because the cost vs value of modern credential stuffing attacks is weighted dramatically in an attacker's favor.

After this session you'll:
- Understand the cost vs value of modern attacks and why the economics are driving greater sophistication.
- Learn how attacks have evolved and how attackers are bypassing all modern defenses.
- See how account takeover attacks are diversifying with other malware and why MFA is not a silver bullet.

Speakers
Jarrod Overson
Director, F5
Jarrod is a Director of Engineering at Shape Security where he led the development of Shape's Enterprise Defense. Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal, CNET among others. He’s the co-author of O’Reilly’s...



Thursday January 23, 2020 10:55am - 11:45am PST
Club Room

10:55am PST

RaiseMe Career Workshops - Clinic: Resumes the RaiseMe Way (at Career Fair)
Co-Taught by Lori Barfield and Merissa Villalobos
The Infosec industry is an eccentric field, and following standard job placement advice can put candidates in a stall. Whether you’re a security professional looking for a new situation, or just trying to break in, we’ll work with you in real time on your resume language and your job hunting situation. You'll learn about the job hunting dogma you need to avoid, and where the free online resources are for researching potential employers.

RaiseMe clinics are special because you’ll get group feedback and support; some of the people who have met in these groups stay in contact with each other long after the event is over, and they return to give us good news about progress in their careers.

Speakers
Merissa Villalobos

Recruiter, Tanium
Merissa Villalobos has been a Cybersecurity Recruitment professional for over 10 years. She has built a national Talent Acquisition department from the ground up, managed a global recruiting team for the largest (purely) security consulting firm in the world and now works as a...

Lori Barfield

Founder, RaiseMe
Lori joined her first Internet startup as a senior system administrator. When that company went public, she was hooked, and helping smaller firms prevail against well established rivals has been her passion ever since. She is currently a consulting C*O and a chair at the SCaLE and...


Thursday January 23, 2020 10:55am - 12:15pm PST
Marion Davies Guest House, Veranda North

11:55am PST

[In]secure deserialization, and how [not] to do it
Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand the security implications of data deserialization. In the last couple of years this topic has received increasing attention in the security community, to the point that insecure deserialization made it onto the OWASP Top 10 list of the most critical web application security risks. Needless to say, high-severity vulnerabilities in some well-known applications, as well as in popular frameworks such as Apache Struts and Apache Commons Collections, raised awareness of this risk.

In this session, we’ll discuss how serialized data is used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real-life vulnerabilities and related exploits. The presentation will contain lots of code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, alter execution flow, and even perform remote code execution - all via insecure deserialization! The demos will use native Java and .NET serialization, as well as JSON, XML, and other formats. Of course, we’ll also talk about how to deserialize in a secure way!

Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application, and thinking like a hacker you could write more secure code!

Speakers
Alexei Kojenov

Lead Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering...



Thursday January 23, 2020 11:55am - 12:45pm PST
Terrace Lounge

11:55am PST

Introducing the OWASP Nettacker Project
The OWASP Nettacker project was created to automate information gathering and vulnerability scanning, and in general to aid penetration testing engagements. Nettacker is able to run various scans using a variety of methods and generate scan reports for applications and networks, covering services, bugs, vulnerabilities, misconfigurations, default credentials and many other features - for example, the ability to chain different scan methods. This relatively new (Summer 2017) and lesser-known OWASP project generated a huge amount of interest at the BlackHat Europe 2018 Arsenal live demo, gathering massive crowds of seasoned hackers and penetration testers eager to see this new tool in practice. This talk will showcase the OWASP Nettacker project, giving an overview of its features including a live demo of the tool.

Speakers
Sam Stepanyan

Independent Application Security Consultant and Security Architect, OWASP London
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant and Security Architect with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial...



Thursday January 23, 2020 11:55am - 12:45pm PST
Club Room

11:55am PST

Solving trust issues at scale
Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices?

Not all microservices are the same: some are more sensitive - for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with who is required.

We have been dealing with this challenge for a while at Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we built this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.

Speakers
Omer Levi Hevroni

DevSecOps Engineer, Soluto by Asurion
I’ve been coding since 4th grade, when my dad taught me BASIC, and I got hooked. From that point, I learned to code in many programming languages (today my favorite is C#). Today I’m working at Soluto by Asurion, and coding is a huge part of my day job. My passion for AppSec started by...



Thursday January 23, 2020 11:55am - 12:45pm PST
Sand and Sea Room

11:55am PST

Diversity by Design: Securing the Cyber Workforce Development Lifecycle
We invite this year's AppSec California attendees to join us for a panel discussion on the importance of diversity and inclusion in information security, as well as shared experiences and best practices around building diversity and inclusion into the constantly evolving cybersecurity ecosystem.

Topics covered will include the following:

- Professional learning (from both the educator and learner perspectives)
- The importance of diversity on an AppSec team or organization
- How executives and managers can best incorporate diversity initiatives within their organization
- Opportunities from open source projects and communities, like OWASP, for building industry-wide diversity and inclusion initiatives.

The selected panelists will include representation from all four groups referenced in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework ( https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-181.pdf ):
- Employers
- Current and Future Cybersecurity Workers
- Educators / Trainers
- Technology providers

Moderators
Zoe Braiterman

Consultant / Researcher / Educator, OWASP
Zoe Braiterman (Moderator) brings her combined business, technology and data science expertise into her work as a cybersecurity researcher, consultant and educator. She goes by the title “Innovation Intelligence Strategist (Machine and Human)” to emphasize her work on both the...

Speakers
Richard Greenberg

Global Board of Directors, OWASP
Richard Greenberg, CISSP is a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and speaker. Richard brings over 30 years of management experience and has been a strategic and thought leader in IT and Information Security. His Project Management, Security Management...

Chris Kubecka

CEO, Hypasec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governments and parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond to and recover from a nation-state attack, Shamoon...

Kavya Pearlman

Global Cybersecurity Strategist, Wallarm
Well known as the “Cyber Guardian”, Kavya Pearlman is an award-winning cybersecurity professional with a deep interest in emerging technologies. Kavya is the Global Cybersecurity Strategist at Wallarm, a global security company that protects hundreds of customers across e-commerce...

Vandana Verma Sehgal

Chair, Global Board of Directors, OWASP Foundation
Vandana Verma Sehgal is a Security Leader at Snyk. She is a member of the OWASP Global Board of Directors. She has experience ranging from Application Security to Infrastructure and is now dealing with Product Security. She also works in various communities towards diversity initiatives...

Lisa Jiggetts

Founder and President, Women's Society of Cyberjutsu (WSC)
Lisa Jiggetts is the Founder and President of the Women's Society of Cyberjutsu (WSC), one of the fastest growing nonprofits dedicated to women in cybersecurity. WSC provides women with the resources and support required to enter and advance as cybersecurity professionals. Her...

Malia Mason

Co-Founder and CEO, Integrum
Malia is an experienced cyber security engineer and the recent co-founder and CEO of Integrum, a cyber security consulting firm focusing on security compliance for small businesses and non-profit organizations. She is also the current president and co-founder of the Women in Cybersecurity...


Thursday January 23, 2020 11:55am - 12:45pm PST
Garden Terrace Room

12:45pm PST

Lunch and Vendor Expo
Lunch Poolside

Thursday January 23, 2020 12:45pm - 2:00pm PST
Annenberg Community Beach House

1:15pm PST

Vendor Spotlight Talk: Contrast Security: Security Instrumentation Is the Future of All Software
Building security in has failed. After decades of attempts to improve software security, vulnerability rates are still staggering, attacks are increasing in volume and severity, development speed is increasing, and we have perennial talent shortages.  In essence, despite brilliant and well-intentioned efforts, we have been unable to push security into software through software development. Security keeps trying to constrain and correct software development with requirements, architecture, training, scanning. We spend enormous time and effort, yet we’re generating roughly zero assurance.
 
Let’s start with the end in mind. We need security code (tests, defenses, libraries) in our applications, but we can’t get it through development. Maybe there’s another way. In this talk, we’ll explore the use of software instrumentation to achieve this.  Software instrumentation is a surgically accurate way to add capabilities to applications without changing code, recompiling, or redeploying. Instrumentation is safe and proven – it’s been used at massive scale for over a decade and is part of most critical production applications – but security has only just begun to take advantage of this powerful technology.
 
Come learn the amazing things you can already achieve with security instrumentation. We’ll show how SAST, DAST, IAST, WAF, RASP, and SCA are all merging together into a unified security assessment and protection instrumentation platform that’s ideal for DevSecOps and modern software. We’ll also take a look into the future of software security. We’re only scratching the surface of what can be achieved with security instrumentation.

Speakers
Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...



Thursday January 23, 2020 1:15pm - 1:50pm PST
Garden Terrace Room

1:15pm PST

Vendor Spotlight Talk: Shiftleft: Beyond the Top 10: Finding Business Logic Flaws, Data Leakage and Hard-Coded Secrets in Development
The focus of many application security programs has long been the OWASP Top 10 or SANS Top 25 vulnerabilities. While there are many SAST solutions that can identify technical vulnerabilities such as SQLi, CSRF or XXE, SAST is not effective at identifying vulnerabilities that require context, such as the conditions leading to business logic flaws, data leakage or hard-coded secrets.

While pattern-matching techniques can be used to identify the symptoms of an injection vulnerability across any code-base, pattern-matching is not sufficient for business logic, data leakage or hard-coded secrets because these issues are unique to each code-base. Manual code review or penetration testing can help, but neither scales to the pace of modern release velocities.

This presentation will cover:
  1. Identifying sensitive data variables and mapping their flows across all sources and sinks
  2. Finding the conditions leading to business logic flaws
  3. Identifying hard-coded secrets and literals in source code such as usernames, passwords, tokens and API keys
  4. How to insert the above security checks into pull requests or builds without slowing releases down

Speakers
Arun Balakrishnan

Director of Product Management, ShiftLeft



Thursday January 23, 2020 1:15pm - 1:50pm PST
Sand and Sea Room

1:15pm PST

Vendor Spotlight Talk: Tala Security: Secure the Modern Web with Client-Side Web Application Firewall
Modern web architecture relies on enabling ‘third parties’ to access the client-side (front-end) of a web application. These third parties operate via largely unmanaged and unmonitored connections to provide richness (chat tools, images) or extract analytics (Google Analytics). Up to 70% of the code executing on websites today comes from such third parties. Website owners have great reason to care about leakage from vulnerable client-side connections, since the business and financial implications of losing customer data have never been greater.

The three most important security considerations of any website or web application are the server (back-end), the network, and the client (front-end).
Regulatory mandates like GDPR and CCPA and prescriptive frameworks such as PCI-DSS have driven significant adoption of WAF and HTTPS. While these strategies were sound in the past, they are no longer adequate to protect web applications against new and advanced attacks that focus on the client-side (front-end). As defined above, there are three security considerations for safeguarding your customer’s end-to-end website experience. Following the nomenclature of the widely adopted PCI-DSS framework, consider these as:
- Data at rest
- Data in motion
- Data origination
Today, security frameworks and most security practitioners consider only two of these three when evaluating security capability.

Data at Rest defines content that typically resides on owned servers protected by massive security perimeters and on company owned premises. This data includes PII, credit card numbers, financial information and credentials. WAFs, firewalls and the like are deployed to provide effective defense for data at rest. “Data in Motion” refers to data in transit. This is easily envisioned as this same sensitive data moving from a website form that captures PII, credit card information, credentials, etc. back to secure storage. Data in motion is often encrypted by HTTPS transactions. In fact, many security-savvy online consumers put a lot of faith in seeing the HTTPS designation as ensuring the end-to-end security of their online transaction.

Unfortunately, a security specification for securing the point of “Data Origination” is largely missing. Data Origination is the point at which data is created as it is input into a website or web application. This data origination point is increasingly the browser, as a site visitor or online shopper enters information into a form including user credentials, credit card numbers, healthcare data, financial data etc. Such datasets are hiwas found to exist on less than 2% of websites. Consider the extreme lack of deployed client-side security measures that would protect this point of data origination, and it is easily understood why attacks like Magecart, Formjacking and XSS are rapidly accelerating.


Speakers
Aanand Krishnan

CEO and Founder, Tala Security
Aanand Krishnan is the CEO and Founder of Tala Security. Prior to Tala, Aanand was most recently a senior director of product management at Symantec where he built Symantec’s first big data security analytics platform and led key strategy projects that helped establish the company’s...


Thursday January 23, 2020 1:15pm - 1:50pm PST
Terrace Lounge

2:00pm PST

Do certain types of developers or teams write more secure code?

Speakers
Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed...

Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology...



Thursday January 23, 2020 2:00pm - 2:50pm PST
Club Room

2:00pm PST

From the OWASP Top Ten(s) to the OWASP ASVS
Some people are under the misconception that if they follow the OWASP Top 10 they will have secure web applications. In reality, the OWASP Top Ten (and other top ten lists) are just the bare minimum and at best provide entry-level general awareness. A more comprehensive understanding of Application Security is needed.

This talk will review the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018 and compare them to a more comprehensive standard: the OWASP Application Security Verification Standard (ASVS) v4.0. OWASP's ASVS contains over 180 requirements that can provide a basis for defining what secure software really is.

The OWASP ASVS can be used to help test technical security controls of web and API applications. It can also be used to provide developers with a list of requirements for secure development with much more nuance and detail than a top ten list! You cannot base a security program off a Top Ten list. You can base an Application Security program off of the OWASP ASVS.

Speakers
Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like SemGrep, Nucleus Security, Defect Dojo, KSOC...



Thursday January 23, 2020 2:00pm - 2:50pm PST
Sand and Sea Room

2:00pm PST

More Than Turbulence
Ever wonder how digitally secure the aviation industry is? Take a peek inside the world's largest aircraft manufacturer, Boeing, as Chris takes you on a journey through surprisingly weak security that can potentially affect passenger and aircrew safety: exploitable XSS vulnerabilities, email spoofing, and authentication bypass into the Aviation ID system used to access flight control software (live and test) and the cabin viewing system with an IoT camera in the cockpit. Chris will describe the safety risks, the struggle to coordinate disclosure, and the legal pressure from Boeing to keep silent.

Key takeaways
Boeing is in the IT business and happens to produce aircraft. Applications and software live and breathe throughout aerospace. Changing the way digital technology is regarded by the industry is paramount.
Every critical manufacturer involved with safety must have a functional coordinated disclosure program. Software affects safety systems, especially when planes have already fallen out of the sky due to code errors.

Speakers
Chris Kubecka

CEO, Hypasec
The founder and CEO of HypaSec, Chris is an expert advisor and panelist for several governments and parliaments. She was head of the Information Protection Group for the Aramco family. Chris assumed the role with Aramco in order to respond to and recover from a nation-state attack, Shamoon...



Thursday January 23, 2020 2:00pm - 2:50pm PST
Garden Terrace Room

2:00pm PST

Open Source Developers Are Security’s New Front Line
As vital as open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to change the world with it is clear - but so is the significant room for error, when not properly managed.

A shifting battlefield of attacks based on OSS consumption has emerged. Five years ago, large and small enterprises alike witnessed the first prominent Apache Struts vulnerability. In this case, Apache responsibly and publicly disclosed the vulnerability at the same time they offered a new version to fix the vulnerability. Despite Apache doing their best to alert the public and prevent attacks from happening — many organizations were either not listening, or did not act in a timely fashion — and, therefore, exploits in the wild were widespread. Simply stated, hackers profit handsomely when companies are asleep at the wheel and fail to react in a timely fashion to public vulnerability disclosures.

Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collection and others, including the 2017 attack on Equifax, all of which followed the same pattern of widespread exploit post-disclosure.

Shift forward to today - and hackers are now creating their own opportunities to attack.

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors. In the past 24 months, no less than 17 real-world examples of this attack pattern have been documented.

It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days - and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.

Open source developers are the front line of the new battle. Attackers have recognized the power of open source and are seeking to use that against the industry. We must not let them ruin the reputation of the things we’ve built. Or worse, the entire open source ecosystem.

Key takeaways:
- Understand the details and the events leading to today’s “all-out” attack on the OSS industry, leading to more vulnerabilities in production applications
- How the open source industry needs to change, given today’s new normal
- How developers can step into the role of security, to protect themselves and the millions of people depending on them
- What enterprises can do to educate their developers on this growing trend of malicious attacks on open source
- Why this trend is only going to continue to grow, leaving more people more and more vulnerable if action isn’t taken

Speakers
Brian Fox

Co-founder and CTO, Sonatype
Co-founder and CTO of Sonatype, Brian Fox is a Governing Board member for the Open Source Security Foundation (OpenSSF), a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin...



Thursday January 23, 2020 2:00pm - 2:50pm PST
Terrace Lounge

2:00pm PST

RaiseMe Career Workshops - Clinic: Interviewing and Negotiating (at Career Fair)
Co-Taught by Lori Barfield and Merissa Villalobos
Are you prepared to present your best self at your next interview, or do you experience interview anxiety? Are you frustrated by attending interviews over and over without getting job offers? We'd like to help, and this group clinic is an ideal setting.

Once the interview process is complete, are you comfortable with negotiating your offer? A well-understood negotiation is essential. The compensation parameters and working conditions have to be right in order for you to do what a company needs most- to commit for the long run. We'll also show you how to navigate the complexities of employee packages, so you can compare competing offers side by side. And we'll give tips to the hiring managers in attendance for how to successfully advocate for their new hires. This training is in a group environment to offer maximum support and feedback.

Speakers
Merissa Villalobos

Recruiter, Tanium
Merissa Villalobos has been a Cybersecurity Recruitment professional for over 10 years. She has built a national Talent Acquisition department from the ground up, managed a global recruiting team for the largest (purely) security consulting firm in the world and now works as a...

Lori Barfield

Founder, RaiseMe
Lori joined her first Internet startup as a senior system administrator. When that company went public, she was hooked, and helping smaller firms prevail against well established rivals has been her passion ever since. She is currently a consulting C*O and a chair at the SCaLE and...


Thursday January 23, 2020 2:00pm - 3:30pm PST
Marion Davies Guest House, Veranda North

2:00pm PST

Career Fair Recruiting Expo
Stop by and take in the amazing view from the second floor Veranda at the historic Marion Davies Guest House. And talk to Citrix, iHerb, LLC and Bird about their opportunities in Information Security!

The scheduled hours are 2pm to 4pm, however staff will be on-site throughout the day, so stop by and find out about the available job opportunities.


Thursday January 23, 2020 2:00pm - 4:00pm PST
Veranda South

3:00pm PST

Owning the cloud through SSRF and PDF Generators
With so many apps running in the cloud, compromising these instances can come down to a single vulnerability caused by unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfiltrate data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Outline:
- Intro
- What is Server-Side Request Forgery (SSRF)?
- What can you do with it?
- SSRF via URI Schemes
- JIRA SSRF (CVE-2017-9506)
- Jenkins SSRF (CVE-2018-1000600)
- SSRF via JavaScript (XSS)
- SSRF via Styling
- SSRF using PDF generators (‘0day’)
- SSRF via DNS Rebinding
- SSRF to XXE
- Bonus: RCE via ERB Template Injection
- SSRFTest (Tool)
- Takeaways

Speakers
Chris Holt

Senior Bug Bounty Operations Lead, Verizon Media
Certified by GAIC, NTISSI, PADI, and previously by the USSF, Chris Holt is constantly learning something new. As the Senior Bug Bounty Operations Lead at Verizon Media, he is responsible for the bug bounty program operations, development and growth including live hacking events. Previously...

Ben Sadeghipour

Manager, Hacker Operations, HackerOne
Ben is the Head of Hacker Operations at HackerOne by day, and a streamer and hacker by night. He has helped identify and exploit over 600 security vulnerabilities across 100s of web and mobile applications for companies such as Yahoo, Airbnb, Snapchat, The US Department of Defense...



Thursday January 23, 2020 3:00pm - 3:50pm PST
Club Room

3:00pm PST

Achieve AI-powered API Privacy using Open Source
I’ll begin with a brief survey of today’s privacy landscape: how it affects the software development industry now, and how it might in the future. Of particular interest are requirements imposed by recent regulations like GDPR and the CCPA, which require all processors of data to pay more attention to how they treat, store, and disseminate customers’ sensitive personal data.

Next, I’ll introduce the Privacy-by-Design (PbD) approach. With PbD, we hope to “shift privacy to the left” in the software development life cycle; similar to using the DevSecOps philosophy for security.

I’ll explore the challenges that organizations face in the new regulation-heavy climate, particularly in terms of taking into account privacy concerns in legacy software, which may have been written before privacy regulations became a significant factor.

Moving on, I’ll share what AI, more specifically Deep Neural Networks, can bring to the table in terms of assisting with a thorough review of the applications to make sure that they do not harbor privacy risks. Likewise, for all new developments, I’ll explore how AI can be harnessed to help ensure that privacy principles are successfully implemented.

I’ll then explore a reference application, specifically its dataflows, through which leakages of sensitive data that are not allowed by a privacy policy defined in a compliance context might occur.

Next, I will introduce an open source project (PrivAPI) that uses deep learning - mainly on top of Keras and TensorFlow - to detect sensitive data leakages, specifically within RESTful API communication. I’ll drill down on PrivAPI’s core architecture and design principles, as well as the use cases that it supports. I’ll explain how it can be integrated into the SDLC, as well as in production environments.

Finally, I’ll provide a live demo of PrivAPI (https://github.com/veridax/privapi), covering the detection capabilities with real world APIs communication.

Speakers
Gianluca Brigandi

Security and Privacy Researcher, Atricore Inc.
Gianluca Brigandi is a developer, security researcher, entrepreneur and open source contributor. His work in the past 15 years has revolved around delivering products at the intersections of privacy, application and container security, Identity & Access Management and AI. Gianluca...



Thursday January 23, 2020 3:00pm - 3:50pm PST
Terrace Lounge

3:00pm PST

Machine Learning and Application Security: Evolution of Attack Detection
In this talk, we will take an in-depth look at various mechanisms of attack detection, from signatures and regular expressions to machine learning. Attack detection is critical for most security solutions, whether we are talking about load balancer-based (NIDS, WAF), host-based or in-application solutions (HIDS, RASP). Interestingly, regardless of the differences in architecture and data flow, most solutions use similar detection principles and techniques. We will explore how detection architecture has evolved over time and how the new generation of detection logic, such as the architecture implemented by some of the advanced application security tools, is fundamentally different from that of the legacy solutions.

Speakers
Kavya Pearlman
Global Cybersecurity Strategist, Wallarm
Well known as the “Cyber Guardian”, Kavya Pearlman is an award-winning cybersecurity professional with a deep interest in emerging technologies. Kavya is the Global Cybersecurity Strategist at Wallarm, a global security company that protects hundreds of customers across e-commerce...



Thursday January 23, 2020 3:00pm - 3:50pm PST
Garden Terrace Room

3:00pm PST

Where’s Waldo’s W-2? Building Data Discovery and Classification at Scale
As a company scales, keeping track of user data becomes an increasingly hard problem to solve, as data is constantly generated and propagated across different data stores. With the rise of new privacy laws such as GDPR and CCPA, tackling this problem is more important than ever before. To address this challenge, we built a platform for data discovery and classification across all of our data stores, such as S3, MySQL and Hive, providing powerful privacy and security engineering capabilities. In this talk, we are going to share the experience we had building and operating this platform for Airbnb. We will present the high level architecture and technical specifics of the platform that allow it to leverage traditional algorithms and machine learning to scan petabytes of user data against growing numbers of data types, every single day.

Speakers
Elizabeth Nammour
Software Engineer, Airbnb
Elizabeth Nammour is a Software Engineer at Airbnb, where she builds tools to enable data security and privacy across the company. Prior to that, she earned her undergraduate degree in Computer Science from the University of Pennsylvania. She is passionate about protecting user data...

Pinyao Guo
Software Engineer, Airbnb
Pinyao Guo is a Software Engineer at Airbnb working on building data security and privacy tooling and infrastructure. Previously, he worked on building the phishing detection pipeline for Airbnb. Prior to that, he received a Ph.D. from Pennsylvania State University in Information...



Thursday January 23, 2020 3:00pm - 3:50pm PST
Sand and Sea Room

3:50pm PST

Break and Vendor Expo
Thursday January 23, 2020 3:50pm - 4:20pm PST
Annenberg Community Beach House

4:20pm PST

RaiseMe Career Workshops - Talk: From Private to CISO: a CISO's Journey (at Career Fair)
One CISO’s journey from a Marine Corps Private (and eventually Sergeant) to Chief Information Security and Privacy Officer. The discussion will include steps I took prior to leaving the Marines and the steps taken outside of the military. This includes principles to live by, selecting a mentor and how to determine what you have as your real goal versus the components of your goal.

Speakers
Paul Love
CISO, CO-OP
Paul Love joined CO-OP Financial Services as Chief Information Security Officer in 2017 where he leads the Information Security and Privacy program. Mr. Love brings more than 25 years in risk management, financial services and technology experience to CO-OP. He has held Information...



Thursday January 23, 2020 4:20pm - 4:50pm PST
Marion Davies Guest House, Veranda North

4:20pm PST

The Security Phoenix from the ashes of DevOps
The talk will take the audience on a journey from the origin of the security architecture, the challenge of cloud security and the role of an architect in the dev-sec-ops world. The talk explains the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance. During the talk, we will look at modern SDLC and what should be deployed step by step in each stage.

We will explore:
* Security Gates and why they do not always work in dev-ops
* Automation how-tos: how to deploy cybersecurity at scale
* Why it is important to know how to deal with people
* Automation in the pipeline is the king
* How to secure the design phase (design and requirements)
* How to secure dev and test
* How to convert threat modelling into user stories
* How to deploy in production ensuring that the artefacts have been reviewed

Audience Take Away:
* How to build a cybersecurity programme with architecture at the heart
* How to avoid traditional architecture pitfalls
* How to do governance at pace and when to apply traditional security governance
* How to mix governance and agile development as well as dev sec ops
* How to extract patterns from existing design
* The value of design principle patterns and why they are key to go fast
* How and when to use tools (SAST/DAST) and how to lead engineers into secure code analysis
* How to manage libraries and how to guide the team during the triage

Speakers
Francesco Cipollone
Director, NSC42Ltd; Head of Security Architecture, HSBC GBM; Chair, Cloud Security Alliance UK & Ireland
I’m Francesco, a Chief Information Security Officer (CISO) and cybersecurity advisor who specialises in strategy and cloud security. Fuelled with passion, curiosity and dissatisfaction for the status quo, I believe in protecting identities in cyberspace and creating a safer, more...



Thursday January 23, 2020 4:20pm - 5:10pm PST
Club Room

4:20pm PST

Kubernetes Security From The Trenches
Everybody is talking about Kubernetes these days. Whether you are in DevOps, Development or Security, you’re thinking about containers, micro-services and orchestrators. Kubernetes has become the standard orchestrator to manage containerized applications. Kubernetes is accelerating the move from monolithic applications to distributed, containerized applications. This technology shift is also forcing companies and people to adapt to organizational changes, for example adopting DevOps and CI/CD workflows, and the ever increasing decentralization of IT and development teams.

Security has to evolve along with these technology and process changes. Security requirements for monolithic applications must be translated to distributed micro-applications, security has to “shift left” to the developer teams to allow for continuous deployments, and new threat models have to be created. Unfortunately, most companies transitioning to Kubernetes are rightly concerned that their Security Teams are not ready to help them maintain the same level of security they had before.

In the past year, I have been working directly with many developers, DevOps, and Security teams to understand their security concerns and the new security issues they have faced. This talk explains the state of Security in Kubernetes, how to secure the different layers of this new infrastructure, what the common threats are and how to respond. I will share real-world examples of security issues and best practices that companies are putting in place, how Security Teams are changing to adapt, and how the responsibility for security is being split between different teams in the organization.

Speakers
Julien Sobrier
Product Line Manager, VMware
Julien Sobrier has spent 15+ years in the Security industry, as a Security Researcher at Netscreen/Juniper and Zscaler, then Product Manager at Zscaler, Salesforce and now Octarine (Kubernetes Security). He has co-authored Power Security Tools (O'Reilly) and released many browser...



Thursday January 23, 2020 4:20pm - 5:10pm PST
Terrace Lounge

4:20pm PST

Scaling Up Is Hard To Do (Down dooby doo down down) - The Threat Modeling Cover
It is no secret that Appsec is hard to scale. We never have enough people, our methods and tools tend to be heavy, the training is lacking and sometimes we feel that the only way out of the security debt hole is to throw more people at it.

In this talk we would like to share the experience we have had with Continuous Threat Modeling applied to product teams over the last year, where it works and where it breaks, and what we are doing to solve the breakage in a way that scales up and allows the process to flow while keeping the sanity of the AppSec team.

Speakers
Izar Tarandach
Sr. Staff Engineer
Long-time security practitioner, currently a Sr. Staff Engineer, previously Principal Security Engineer at Squarespace, where he also acted as (Interim) Head Of Security. With experience ranging from Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and...

Allison Schoenfield
Application Security Engineer, Autodesk
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security...



Thursday January 23, 2020 4:20pm - 5:10pm PST
Sand and Sea Room

4:20pm PST

Who Dis? The Right Way to Authenticate
Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems, and end-users. In a brief study we conducted on the 100 most visited websites, over 95% supported authenticated sessions, of which more than 97% are username- and password-based. That 81% of discovered breaches are due to broken authentication indicates there is still a problem to solve, and this is the focus of our talk.

Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes like OAuth, tokens and magic links that are adopted by developers today, and emerging ones like WebAuthn. We will present incorrectly coded authentication patterns observed in our study and also highlight recurring mistakes like MFA bypass, token leakages, and other authentication misconfigurations. We briefly highlight our talk's evolution based on feedback provided by audiences at prior conferences. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.

Detailed Outline:
1. Introduce Authentication and various schemes used today
1.a. Token-based: OAuth, magic links, service to service
1.b. Passwords, MFA
1.c. Password-less

2. Problem prevalence
2.a. Study overview: major sites - selection category, login crawler and collecting auth-related data.
2.b. Summary and dataset
2.c. Disclosed reports and correlation with study data

3. Discussion on authentication pitfalls
3.a. Walkthrough of password handling and MFA bypasses
3.b. Token-based misconfigurations: leakages, expiry, revocation handling.
3.c. Callouts to related artifacts: headers, cookies, storage
3.d. Password-less: potential pitfalls and contextual examples

4. How to fix this?
4.a. Walkthrough of sample applications demonstrating best practices for the authentication schemes discussed so far
4.b. Highlight corrected code patterns that address specific pitfalls identified earlier.

5. Comparison of best practice vs business case compromise
5.a. Highlight cases where documented best practices cannot be applied
5.b. Address how developers can use context to secure the authentication workflow.

6. Closing Notes
6.a. Open source repo containing code samples and checklists
6.b. Any developer should be able to clone this and use it as a definition of done for commits related to authentication.

Speakers
Lakshmi Sudheer
Senior Security Partner, Netflix
Lakshmi Sudheer is a Security engineer who is passionate about all things Information security and has mostly been on the Application Security side of the world. She also enjoys speaking about her open-source projects and has spoken at Defcon’s BTV, BSides LV, RSA 2018, Appsec USA & AppSec...

Dhivya Chandramouleeswaran
Security Engineer, Lyft
Dhivya Chandramouleeswaran is a security engineer at Lyft providing proactive security guidance to key product teams. She develops security automation tools and enjoys reviewing the security of new technologies. She has given talks at OWASP App Sec DC, Defcon BTV, CSA summit and BSides...



Thursday January 23, 2020 4:20pm - 5:10pm PST
Garden Terrace Room

5:20pm PST

Platinum Sponsor Greetings
TBD

Thursday January 23, 2020 5:20pm - 5:25pm PST
Garden Terrace Room

5:25pm PST

Platinum Sponsor Greetings
TBD

Thursday January 23, 2020 5:25pm - 5:30pm PST
Garden Terrace Room

5:30pm PST

Closing Keynote
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages.

Speakers
Eva Galperin
Director of Cybersecurity, Electronic Frontier Foundation
Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation (EFF) and technical advisor for the Freedom of the Press Foundation. She is noted for her extensive work in protecting global privacy and free speech and for her research on malware and nation-state...


Thursday January 23, 2020 5:30pm - 6:20pm PST
Garden Terrace Room

6:20pm PST

Opening Reception
Join us under the stars for an awesome evening of food, drink, music, and networking.

Thursday January 23, 2020 6:20pm - 9:00pm PST
Pool
 
Friday, January 24
 

7:30am PST

8:50am PST

Welcome Address
TBD

Speakers
Haral Tsitsivas
AppSec Cali Co-Chair, OWASP
Security professional experienced in securing networks, systems and applications. S-SDL (secure software development lifecycle) evangelist, incorporating Threat Modeling and Product Security Assessments into the software development lifecycle.



Friday January 24, 2020 8:50am - 9:00am PST
Garden Terrace Room

9:00am PST

Opening Keynote: Attribution
TBD

Speakers
Taiye Lambo
Founder, HISPI
Taiye Lambo is a global serial entrepreneur and security subject matter expert in the area of Information Security Governance, with 30 years in IT including 23 years of experience assisting various organizations globally to build robust, comprehensive, effective and sustainable information...



Friday January 24, 2020 9:00am - 9:50am PST
Garden Terrace Room

10:00am PST

Lightning Talk: Modern Web Security: The Art of Creating and Breaking Assertions
Modern web security is a mix of relatively recent frameworks, methods, languages, and abstractions. The age of injection bugs has come and gone. We are firmly in the age of assertions. This age is widely defined by business logic flaws. On a deeper level this age is governed by the security auditor's skill in creating and breaking assertions in the target. Assertions come from any source and they represent statements of security or functionality made by the target.

We'll talk about our experience auditing modern web applications over the last three years. We'll talk about the current state of web application security, how it's evolved, and where it's going. We give examples of assertions (big and small) created and broken during various security audits and the value this brought to the customer. Our goal is to introduce the age of assertions into the zeitgeist and provide auditors a more refined way of thinking beyond injection bugs.

Speakers
John Villamil
Co-founder, Doyensec
John has worked in a variety of infosec roles from forensics and consulting to large enterprise security. He was most recently part of the Yahoo! Paranoids red team, operating on a network with over 600,000 systems servicing nearly a billion users. That kind of scale totally alters...



Friday January 24, 2020 10:00am - 10:25am PST
Garden Terrace Room

10:00am PST

Lightning Talk: Operationalizing our Open Source Security Scanner
During Summer 2019, two excellent interns (Ryan Slama and Matt Dwoncyzk) came to Slack to help us build a tool to scan for insecure, out-of-date open source dependencies. But this talk (mostly) isn’t about their tool - it’s about what happened after they wrote the tool and returned to school. We’ll tell you about how we took their awesome proof of concept and integrated it into our daily operations at Slack to help tackle the difficult and ongoing issues around including open source components in enterprise grade software. Along with the specifics of our situation, we'll also reflect on general lessons learned about integrating tooling into reality.

Speakers
Nikki Brandt
Staff Security Engineer, Slack
Nikki Brandt is a Staff Tech Lead/Manager on the Product Security team at Slack, where she currently leads the Product Security team and drives the security review process. Before joining Slack, Nikki was a senior security consultant at NCC Group (via Matasano), and a security engineer...

Oliver Grubin
Senior Security Engineer, Slack
Oliver Grubin is a Senior Security Engineer on the Product Security Team at Slack where he works on developing tooling, libraries and services to help keep Slack secure.



Friday January 24, 2020 10:00am - 10:25am PST
Terrace Lounge

10:00am PST

Lightning Talk: Purple is the new black: Modern Approaches to Application Security
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.

Speakers
Tanya Janca
Security Consultant and Training, SheHacksPurple.dev
Tanya Janca is a Security Consultant at SheHacksPurple.dev. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops...



Friday January 24, 2020 10:00am - 10:25am PST
Sand and Sea Room

10:00am PST

Lightning Talk: Securing Third Party Apps in a Marketplace Ecosystem
In the era of modern computing, the phenomenon of app stores is becoming commonplace. A growing number of companies are creating entire ecosystems for vendors, providing extensibility and customization of their core product. While third party apps provide additional features that customers value, they also come with an increased security risk.

Atlassian is a good example of a thriving Marketplace ecosystem (https://marketplace.atlassian.com/). As such, we are responsible for providing a secure platform and also for making sure that the marketplace apps are properly screened and scanned for security vulnerabilities. In this talk, we will go over some of the practices we have established at Atlassian to ensure that our customers can trust our Ecosystem.

We will cover some of the security policies that we enforce on third party apps, how we perform vendor and application security reviews, metrics obtained from running our bug bounty program on third party apps and the lessons learnt.

Speakers
Jana Geddis
Senior Security Engineer, Atlassian



Friday January 24, 2020 10:00am - 10:25am PST
Club Room

10:00am PST

CTF / Capture the Flag
Test your skills on the CMD+CTRL Cyber Range
Security Innovation is proud to join OWASP AppSec California again in 2020 to host a unique and challenging CTF featuring our CMD+CTRL Cyber Range.

What is a Cyber Range?
CMD+CTRL Cyber Ranges are intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lie waiting to be exploited.
For each vulnerability you find you'll be awarded points (based on the level of difficulty) that will be charted on our live leaderboard. Top scorers get prizes, but all players have fun!

Free CTF Training
Along with the competition, we'll be offering free training lessons so that newcomers can also do some hands-on work even if they don’t feel ready to participate in the official CTF event.

Space is limited, so sign up to save your space today!


Training and CTF schedule

Day 2 - Friday, January 24
Training Site – Beginner/Intermediate

10:00 - 10:20am Day 2 Kickoff
10:20 - 10:45am Hands-on Exploit Demonstrations
10:45 - 12:30pm Open Hacking
12:30 - 01:30pm Break
01:30 - 03:00pm Open Hacking


CTF Site - Beginner/Intermediate/Advanced
10:00 - 10:10am Brief introduction
10:10 - 03:00pm Open Hack with periodic scoreboard displays

Both Cyber Range sites will turn off at 03:00pm and the CTF competition winners will be announced on Friday during the Closing Keynote at 03:10pm.


Friday January 24, 2020 10:00am - 3:00pm PST
Guest House Parlor

10:00am PST

IoT Village
Want to learn how to attack IoT devices? We will have a network of new and old IoT products along with Cisco Meraki enterprise and medical devices to play with! A free virtual machine (VM) with vulnerable emulated firmware and tons of preloaded tools will be available for download. The IoT Village is hosted by Aaron Guzman and Walter Martín Villalba. You don't want to miss out!

Aaron Guzman / https://www.linkedin.com/in/scriptingxss/ / @scriptingxss
Walter Martín Villalba / https://www.linkedin.com/in/wmvillalba/ / @act1vand0

Friday January 24, 2020 10:00am - 3:00pm PST
Guest House Dining Room

10:25am PST

Break and Vendor Expo
Friday January 24, 2020 10:25am - 10:55am PST
Annenberg Community Beach House

10:55am PST

Hacking Cryptocurrencies
Forget stealing private keys. Recent attacks have seen attackers steal money by breaking the protocols underlying the integrity of the cryptocurrency itself. This talk will explore the tactics, techniques, and procedures used by attackers in three separate 51% attacks against three different cryptocurrencies: Bitcoin Gold (BTG), Vertcoin (VTC), Ethereum Classic (ETC).



Speakers
Mark Nesbitt
Security Engineer, Coinbase
Mark Nesbitt is a security engineer with Coinbase. Mark's responsibilities focus on security support for Coinbase's crypto engineering teams, which write services that integrate with cryptocurrency networks. Mark is also responsible for threat modeling and threat mitigations for the...



Friday January 24, 2020 10:55am - 11:45am PST
Garden Terrace Room

10:55am PST

Web App Containers: Applied Threat Modelling
Applied threat modeling moves beyond theory to expose the real attack vectors to containerized web applications. We dive deep into near real-time container threat detection, prevention, and management with an emphasis on automation to prevent the latest container and orchestration Common Vulnerabilities and Exposures from compromising a cloud deployment. Our container orchestration threat model is a reusable architecture design pattern that can enrich an organization’s cloud security model.

We take the practice of threat modeling and dive deep into a customized attack library for the Cloud that has been created to capture the cyber security and privacy risks associated with deploying and managing container and orchestration technologies. We investigate proof-of-concept exploits and validate them against an architectural design pattern that is resilient to attack and misuse.

Speakers
Richard
security, N/A



Friday January 24, 2020 10:55am - 11:45am PST
Terrace Lounge

10:55am PST

Dr. DevSecOps: Or How I stopped worrying about CI and started loving the cloud
Continuous Integration (CI) and Continuous Deployment (CD) are at the heart of DevOps, and by extension, DevSecOps. Teams have traditionally used CI services like Jenkins and Bamboo to continuously deliver applications.

However, there are significant issues with running traditional, on-prem CI services like Jenkins, namely:
* Not suited for Cloud-Native Deployments
* Maintenance Overhead - On-Prem CI is hard to maintain and even harder to secure (vulnerable plugins)
* Unsuited for Container-Native workloads - Traditional CI tools are hard to orchestrate for containers.

This talk aims to showcase some innovative approaches to running DevSecOps pipelines with Cloud and Container Native approaches, including but not limited to:
* Leveraging services like AWS Fargate, Lambda and Step Functions for Security Orchestration and Security Workflows
* Leveraging JenkinsX for Security Orchestration in Kubernetes

The idea behind these approaches is to:
* Leverage ephemeral compute technologies to run CI services as opposed to persistent services, reducing overhead
* Leverage state machines to run more complex security workflows, especially in micro-service workloads
* Run asynchronous security pipelines with feedback loops
* Leverage query systems like AWS Athena to achieve aggregation (and dare I say correlation)

Speakers
Abhay Bhargav
Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...



Friday January 24, 2020 10:55am - 11:45am PST
Sand and Sea Room

10:55am PST

OWASP SAMM2 - your dynamic software security journey
OWASP SAMM (https://owaspsamm.org) is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organisation. Yet, trying to achieve this without a good framework will most likely lead to just marginal and unsustainable improvements. OWASP Software Assurance Maturity Model (SAMM) gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. In this talk, we give an overview of the new release of the SAMM model. Ten years after its first conception, it was important to align it with today’s development practices.

We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model, which was set up to cover both coverage and quality, and (iii) the new security practice streams, where the SAMM activities are grouped in maturity levels. We will demonstrate the new SAMM2 toolbox to measure the maturity of an example DevOps team and how you can create a roadmap of activities.

Latest version delivered: https://github.com/OWASP/samm/blob/master/Supporting%20Resources/presentations/OWASP%20SAMM2%20Talk%20Global%20AppSec%20AMS2019%20vfinal.pdf

Speakers
Brian Glas
Assistant Professor, Union University
Brian has 22 years of experience in various roles in IT with the majority of that in application development and security. His day job is serving as an Assistant Professor teaching a full load of Computer Science and Cybersecurity classes at Union University. He helped build the FedEx...



Friday January 24, 2020 10:55am - 11:45am PST
Club Room

11:55am PST

How do JavaScript frameworks impact the security of applications?
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms.
In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Speakers
Ksenia Peguero
Sr. Research Engineer, Synopsys
Ksenia Peguero is a Sr. Research Engineer within Synopsys Software Integrity Group. She has nine years of experience in application security and five years in software development. Ksenia focuses her research in static analysis and JavaScript security, frameworks, and technologies...



Friday January 24, 2020 11:55am - 12:45pm PST
Club Room

11:55am PST

An Opinionated Guide to Scaling Your Company's Security
There have been hundreds of blog posts and conference talks about DevSecOps and scaling security. As a busy security professional, it can be difficult to stay on top of the current state of the art.

Don’t worry, I’ve put in the time for you.

This talk distills the unique tips and tricks, lessons learned, and tools discussed in a vast number of blog posts, conference talks, and in-person discussions I've had with security engineers at tens of companies.

Using this info, I've created an opinionated guide to systematically scaling your company's security. This talk is about results: tools and hyped approaches that don't work will be called out.

I’ll cover:
* Principles, mindsets, and methodologies of highly effective security teams
* Valuable security primitives to invest in, upon which high leverage initiatives can be built
* Security metrics and creating a data-driven security program
* High value engineering projects that can prevent classes of bugs
* How and where to integrate security automation into the CI/CD process in a high signal, low noise way
* Useful open source tools

You’ll leave this talk with an understanding of the current state of the art in DevSecOps, links to tools you can use, resources where you can dive into specific topics of interest, and most importantly, an actionable path forward for taking your security program to the next level.

Speakers
Clint Gibler
Research Director, NCC Group
Clint Gibler (@clintgibler) is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices as well as performed penetration...



Friday January 24, 2020 11:55am - 12:45pm PST
Terrace Lounge

11:55am PST

Protecting the Bridge from Dollars to Bitcoin: Securing Coinbase’s Edge Payments Infrastructure
Integrating with fiat payments systems globally challenges the maturity of an entire security program. A security issue leads to identity theft and direct money loss, but integration is often a critical business priority. These payment systems span many types of architectures introducing more complexity and bugs. We’ll go over the typical API patterns and follow the lifecycle of an entire payment from pre-payment to reconciliation and map common payments vulnerabilities and remediation to their application security equivalents. We’ll go over how Coinbase has adapted traditional AppSec tools like 3rd party vendor reviews, threat modelling, static analysis, security champions, and bug bounties to the payments world to find and eliminate money loss and personal data loss bugs. We’ll even go through some of the privacy conundrums involved with interacting with the current financial system.

Speakers
Nishil Shah

Application Security Engineer, Coinbase
I currently work on the Application Security team at Coinbase where I work on securing our payments infrastructure along with maintaining Salus, Coinbase's security scanning orchestration tool.

Friday January 24, 2020 11:55am - 12:45pm PST
Garden Terrace Room

11:55am PST

What if we had TLS for Phone Numbers? An introduction to SHAKEN/STIR
If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem.

This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well-accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry-wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Speakers
Kelley Robinson

Twilio, Speaker
Kelley works on the Account Security team at Twilio. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience and design trade-offs for different risk profiles and 2FA channels. Kelley lives in...

Friday January 24, 2020 11:55am - 12:45pm PST
Sand and Sea Room

12:45pm PST

Lunch and Vendor Expo
TBD

Friday January 24, 2020 12:45pm - 2:10pm PST
Annenberg Community Beach House

2:10pm PST

Car Hacking: A Security Analysis of an In-Vehicle-Infotainment System and App Platform
Many of today’s automobiles leave the factory with secret passengers: prototype software features with undiscovered vulnerabilities. Even if these features are disabled by the manufacturer, they can still be unlocked by clever hackers.

There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle-Infotainment systems (IVI) via smartphones. But there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlying IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?

In this work, we focused on gaining insights into this question by performing the first comprehensive security analysis on one of the standardized protocols, called MirrorLink (similar to Apple CarPlay), that enables seamless connectivity between smartphones and the car infotainment systems.

In this talk, I will explain the steps we took to conduct this security analysis and will demonstrate the discovered vulnerabilities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smartphone to send malicious messages to the vehicle’s infotainment system and, consequently, to the car’s critical components.

As a proof of concept, we have created a demonstration malicious app that exploits vulnerabilities discovered in the implementation of MirrorLink on the IVI.

Given our findings, we have some recommendations on how the security of these IVI app platforms can be made more resilient to these types of attacks. Our hope is that this analysis will help motivate and spur more secure designs and implementations of smartphone-to-IVI platforms.

Speakers
Sahar Mazloom

PhD Candidate and Security Researcher, George Mason University
Sahar Mazloom is a PhD candidate in Cryptography at George Mason University, and received her Master’s in Artificial Intelligence. Her current research focus is on the problem of computation on encrypted data, with focus on design and development of secure machine learning models...

Friday January 24, 2020 2:10pm - 3:00pm PST
Garden Terrace Room

2:10pm PST

Are You Properly Using JWTs?
JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.

This session focuses on best practices and real world examples of JWT usage, where we cover:

- Typical scenarios where using JWT is a good idea
- Typical scenarios where using JWT is a bad idea!
- Principles of Zero trust architecture and why you should always validate
- Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t.
- Use cases when encryption may be required for JWT

Speakers
Dmitry Sotnikov

Chief Product Officer, 42Crunch
Dmitry Sotnikov serves as Chief Product Officer at 42Crunch – an enterprise API security company – and is curator of APISecurity.io, a popular community site with daily API Security news and weekly newsletter on API vulnerabilities, breaches, standards, best practices, regulations...

Friday January 24, 2020 2:10pm - 3:00pm PST
Club Room

2:10pm PST

Choosing the right static code analyzers based on hard data
Published research shows that static code analysis cost-effectively catches security weaknesses before they become exploitable vulnerabilities. But finding the right code analyzers can be challenging.

This talk will discuss research funded by the U.S. Department of Homeland Security to deliver unbiased methods and information to assess and compare the performance of static analyzer products.

In this talk we introduce a new, freely-available website that presents the results of our research. We will discuss plans to track the types of weaknesses that analyzers can detect to help people quickly find the right analyzer and how to achieve good detection coverage of multiple weaknesses.

We’ll discuss the properties of analyzers important to consider when bringing one (or a few!) into your development pipeline. We’ll also cover plans to benchmark results quality using real code, not artificial data sets. Finally, we’re looking forward to audience feedback on what information or capabilities are important.

Speakers
Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology...

Friday January 24, 2020 2:10pm - 3:00pm PST
Terrace Lounge

2:10pm PST

Practical OWASP CRS in High Security Settings
Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use. However, the release of CRS 3.0 in 2017 and the advancements made with CRS 3.1 successfully removed most of the false positives in the default installation. This improved the user experience when running the only general-purpose open source web application firewall. The presentation explains how to run CRS successfully in high security settings. This includes practical advice on tuning, working with the anomaly thresholds, the paranoia levels and complementary whitelisting rule sets. This talk is based on many years of experience gained by using CRS in various high security settings, including the one by Swiss Post for its national online voting service.

Speakers
Christian Folini

OWASP project co-lead, OWASP
Christian Folini is a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and so, he turned to defending web servers, which he finds equally...

Friday January 24, 2020 2:10pm - 3:00pm PST
Sand and Sea Room

3:10pm PST

Closing Keynote: Browser Manipulation for Bypassing Firewalls
Browsers are an excellent and ubiquitous tool for accessing and sharing information. With their wide feature set, it's sometimes overlooked that they are in fact tools for remotely executing code on a user's (or, in our case, a target's) system, and can play a strong role in the overall infrastructure of a network. In this talk, we'll learn how an attacker can abuse the browser and network in order to remotely access any TCP/UDP service bound to that victim's machine, entirely bypassing the victim’s NAT and firewall, providing arbitrary firewall pinhole control, simply by the victim visiting a website.

Speakers
Samy Kamkar

Co-founder, Openpath
Samy Kamkar is an American privacy and security researcher, computer hacker, whistleblower and entrepreneur. At the age of 16, Kamkar dropped out of high school and one year later, co-founded Fonality, a unified communications company based on open source software, which raised over...

Friday January 24, 2020 3:10pm - 4:00pm PST
Garden Terrace Room

4:00pm PST
