
Wednesday, April 17


James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of several security and DevOps courses on LinkedIn Learning, including: DevOps Foundations, Infrastructure as Code, DevSecOps: Automated Security Testing, Continuous Delivery (CI/CD), and Site Reliability Engineering.
He got his start in technology when he founded a startup as a student at the University of Oklahoma and has since worked in environments ranging from large, web-scale enterprises to small, rapid-growth startups. He is a dynamic speaker on topics in DevOps, AppSec, InfoSec, cloud security, automated security testing, DevSecOps and serverless.
James is the creator and founder of the Lonestar Application Security Conference, which is the largest annual security conference in Austin, TX. He also runs DevOps Days Austin and previously served on the global DevOps Days board. He also holds several security certifications, including CISSP and GWAPT.
In his spare time he is trying to learn how to make a perfect BBQ brisket.


James Wickett

Head of Research, Signal Sciences

Wednesday April 17, 2019 8:30am - 9:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


How not to use OAuth
OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and deprecates less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.


Daniel Fett

Security Research, yes.com
Daniel Fett is a security researcher and security specialist at yes.com. Before that, he received a PhD in Computer Science from University of Stuttgart, Germany. During his research, he developed new methods to formally analyze the security of web applications and standards. He used these formal methods to find new attack vectors on OAuth, OpenID Conn...

Wednesday April 17, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


The path to code provenance at Uber
The landscape of Uber applications and services moves and evolves quickly. At our scale, where a one-in-a-million ride happens 10 times every day and production code changes thousands of times a day, scaling security at the rate of business is critical.

Fundamentally we must assure, across our multitude of services and engineering teams, that all production code meets defined security requirements, including compliance obligations. An important piece of this is providing documented assurance that code is authored/reviewed/approved by the appropriate parties and that code running in production is one and the same.

We will share some specific examples and use cases from Uber's product security team that can be applied in other environments, including:
- deploying hooks for developers to sign commits (and enforcement of signatures before building container images)
- making security a first-class citizen in our build pipelines to harden and sign builds (and integrations with our container orchestration framework to ensure that our build/image artifacts have been appropriately hardened and vetted to be run within our infrastructure)
- improvements to our container runtime security, in order to efficiently detect and block any unauthorized code (including runtime anomaly detection and a process for remediation of newly-blacklisted packages)
- deploying security policies around third-party dependencies (and how we hook into the SDLC in order to warn and enforce when something is out of policy compliance)

We'll talk through integration pain points, key takeaways, infrastructure-specific challenges we faced, surprising discoveries, and issues/questions we've tackled along the way.


Matthew Finifter

Security Engineer, Uber
Matthew Finifter is a security engineer on Uber's Application Security team. His recent work focuses on the design and implementation of application security automation and improvements within Uber's software development lifecycle. He received his PhD in Computer Science from UC Berkeley...

Tony Ngo

Security Engineer, Uber
Tony Ngo is a security engineer on Uber's Application Security team. He has spent the last 12 years of his professional life doing defensive security engineering, ranging from designing/implementing obfuscation/anti-tampering tools, to mucking with mobile security and most recently...

Debosmit (Debo) Ray

Software Engineer, Uber
Debosmit Ray (Debo) is a software engineer on Uber's Application Security team. His most recent work includes integrating security primitives into the CI/CD and container orchestration components of Uber's software development lifecycle and service-to-service authentication. He received...

Wednesday April 17, 2019 10:20am - 11:05am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Content Security Policy: A successful mess between hardening and mitigation
In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own, distinct, preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.
We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlight special cases with Service Workers, Web Assembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.
After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.


Michele Spagnuolo

Senior Information Security Engineer, Google
Michele Spagnuolo is a Senior Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for 'strict-dynamic' in the W3C Content Security Policy specification, serving as a strong mitigation...

Lukas Weichselbaum

Senior Information Security Engineer, Google
Lukas Weichselbaum is a Senior Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for 'strict-dynamic' in the W3C Content Security Policy specification and wrote the CSP Evaluator (c...

Wednesday April 17, 2019 11:05am - 11:50am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Wednesday April 17, 2019 11:50am - 1:00pm


Security learns to sprint: DevSecOps
This talk will explain what security teams need to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members can start implementing immediately.

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves as they did in days past. We must build security into each of "The Three Ways": automating and/or improving the efficiency of all security activities to ensure we don't slow down developers, speeding up feedback loops for security-related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security for both teams. Security can no longer be a gate or stumbling block, and 'adding security in' can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it's time for DevSecOps!


Tanya Janca

Senior Cloud Security Advocate, Microsoft
Tanya Janca is a senior cloud security advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms...

Wednesday April 17, 2019 1:00pm - 1:45pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Trusted Types & the end of DOM XSS
18 years have passed since Cross-Site Scripting (XSS) was identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all the various flavours of Content Security Policy.

Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.

It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by the ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly by the lack of security in DOM API design.

But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow isolating the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries or client-side sanitizers, using them as building blocks of a secure application.

Trusted Types have a working polyfill, an implementation in Chrome, and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS once and for all.


Krzysztof Kotowicz

Information Security Engineer, Google
Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in JavaScript, browser extensions and client-side security. Author of multiple open-source pentesting tools, and...

Wednesday April 17, 2019 1:45pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
Thursday, April 18


Secure development lifecycle track
Thursday April 18, 2019 8:30am - 12:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Thursday April 18, 2019 11:50am - 1:00pm


Operational security and open source track
Thursday April 18, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
Friday, April 19


Have You Adapted Your AppSec?
In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories, stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. David will talk through the various solutions using his experiences to help build security into the development process.


David Lindner

Chief Strategy Officer, nVisium
David Lindner is the Chief Strategy Officer at nVisium. David is an experienced Application Security Professional with over 18 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application...

Friday April 19, 2019 8:30am - 9:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


The truth about cookies, tokens and APIs
With the rise of Single Page Applications, we also see a paradigm shift in session management techniques. Instead of using server-side cookie-based sessions, many developers are shifting towards client-side state mechanisms, using JWT tokens and custom HTTP headers. There's plenty of conflicting advice out there, discussing cookie security issues, Cross-Site Request Forgery, and XSS. So how can you make a sensible choice, and how will that impact the security of your application?

This talk will guide you in this choice. We dive into the technicalities behind these technologies and the actual security impact of your choices. We'll look at compatibility with current web security mechanisms. You will learn how to assess your past choices, and how to substantiate future decisions.


Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security...

Friday April 19, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Mini job fair + collaborative capture the flag

Matt Langlois

Product Security Engineer, GitHub
Matt is a junior product security engineer at GitHub. Over the course of his University career he developed a passion for cyber security. Matt has gained a plethora of AppSec knowledge participating in bug bounty programs and CTFs. He previously organized monthly DefCon 613 meetups...

Friday April 19, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA