One Track
Lots of Flavor
Monday, April 15
 

9:00am HST

Building Secure APIs and Web Applications: Secure Coding with Aloha
Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an updated web browser and "Burp Community Edition".

Description: 
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production-quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, JavaScript and .NET programmers, but any software developer building web applications and web services will benefit.

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS

Day 2 of the course will focus on API secure coding, Identity and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection
We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices...


Monday April 15, 2019 9:00am - 5:00pm HST
Nawiliwili Room

9:00am HST

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Student Requirements: Familiarity with at least one public cloud provider is recommended. Students should also have basic Docker knowledge and experience launching and managing basic cloud instances. Basic command line and scripting skills are highly recommended.

Laptop Requirements: Any laptop with at least 2GB of free RAM available that can run Docker, Minikube, and VirtualBox.

Description:
The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust.

This technical 2-day course will focus on the ins and outs of building a modern cloud infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

The hands-on portion of the course will rely heavily on Kubernetes for the deployment and orchestration of Docker containers. Each student will build a sandbox Kubernetes cluster from scratch using Google Kubernetes Engine (GKE) or locally using Minikube.

At the completion of this course, students will have an operational, version controlled, deployment pipeline capable of shipping a container to a Kubernetes cluster while performing a number of automated security checks along the way.

Some of the principles and techniques covered in this course include:
  • DevSecOps Principles
  • Kubernetes and Docker Security Controls
  • Third-Party Security Considerations
  • Identity and Access Management
  • Secure Deployment Pipelines
  • Security Automation
  • Infrastructure as Code
  • Scaling Security Operations
  • Data Security and Encryption
  • Logging, Monitoring, and Alerting

Speakers

Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side...


Monday April 15, 2019 9:00am - 5:00pm HST
Ha'iku Room

10:30am HST

Break
Snacks!

Monday April 15, 2019 10:30am - 10:45am HST
Courtyard

12:00pm HST

Lunch
Provided lunch!

Monday April 15, 2019 12:00pm - 1:00pm HST
Kukui's on Kalapaki Beach 3610 Rice St, Lihue, HI 96766

3:00pm HST

Break
Snacks!

Monday April 15, 2019 3:00pm - 3:15pm HST
Courtyard
 
Tuesday, April 16
 

9:00am HST

Building Secure APIs and Web Applications: Secure Coding with Aloha
Day 2 of the two-day course described under Monday, April 15.

Speakers
Jim Manico, Founder, Manicode Security

Tuesday April 16, 2019 9:00am - 5:00pm HST
Nawiliwili Room

9:00am HST

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Day 2 of the two-day course described under Monday, April 15.

Speakers
Jimmy Mesta, CTO, Manicode Security

Tuesday April 16, 2019 9:00am - 5:00pm HST
Ha'iku Room

10:30am HST

Break
Snacks!

Tuesday April 16, 2019 10:30am - 10:45am HST
Courtyard

12:00pm HST

Lunch
Provided lunch!

Tuesday April 16, 2019 12:00pm - 1:00pm HST

1:00pm HST

Speaker/Vendor early load in
Test out your presentation on our screen and audio. Set up your booth. Or just come and say hello!

Tuesday April 16, 2019 1:00pm - 6:00pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:00pm HST

Break
Snacks!

Tuesday April 16, 2019 3:00pm - 3:15pm HST
Courtyard

6:00pm HST

[Invite Only] Speaker, D&I, staff, sponsor dinner
RSVP required. Limited space, invitation only. 

Tuesday April 16, 2019 6:00pm - 8:00pm HST
Cafe portofino 3481 Ho'Olaulea Way, Lihue, HI 96766
 
Wednesday, April 17
 

8:30am HST

The seven habits of a highly effective DevSecOp
DevOps, and the subsequent move to bring security in under the umbrella of DevSecOps, has created a new ethos for security. This is good; however, moving security and DevOps closer together leaves many organizations with questions about how this merger works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?


This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops and security to work together.


Speakers

James Wickett

Sr. Security Engineer and Developer Advocate, Verica
James is a dynamic speaker on software engineering topics ranging from security to development practices. He spends a lot of time at the intersection of the DevOps and Security communities, and seeing the gap in software testing, James founded the open source project, Gauntlt, to...



Wednesday April 17, 2019 8:30am - 9:15am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am HST

Day Care
Wednesday April 17, 2019 8:30am - 4:30pm HST
Kipu Room

9:15am HST

How not to use OAuth
OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and deprecates less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.
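As an added illustration of the patterns the Security BCP asks for (this is not code from the talk or from any IETF document), the following Python models both sides of an authorization code flow: PKCE with the S256 method, a one-shot state parameter, exact redirect URI matching, single-use codes bound to the client, and a client-side check of the issuer returned with the authorization response as the mix-up countermeasure (the iss response parameter was later standardized in RFC 9207). The issuer, client id, redirect URI and the in-memory authorization server are assumptions for the example; there is no network, no cryptography beyond SHA-256, and no real user interaction.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed identifiers for the example.
AS_ISSUER = "https://as.example"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/cb"   # exactly one pre-registered URI


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Client:
    """Relying-party side of the authorization code flow."""

    def __init__(self):
        self.pending = {}  # state -> (code_verifier, issuer the user was sent to)

    def start(self) -> str:
        verifier = b64url(secrets.token_bytes(32))   # 43 chars, high entropy
        state = b64url(secrets.token_bytes(16))
        self.pending[state] = (verifier, AS_ISSUER)
        return AS_ISSUER + "/authorize?" + urlencode({
            "response_type": "code",                 # never "token" (implicit grant)
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        })

    def finish(self, redirect_url: str, token_endpoint) -> dict:
        q = query(redirect_url)
        entry = self.pending.pop(q.get("state", ""), None)   # state is one-shot
        if entry is None:
            raise ValueError("unknown state: CSRF or replayed response")
        verifier, expected_iss = entry
        if q.get("iss") != expected_iss:                     # mix-up defence
            raise ValueError("authorization response from unexpected issuer")
        return token_endpoint(q["code"], verifier, REDIRECT_URI, CLIENT_ID)


class AuthorizationServer:
    """Toy AS: just enough to show what the BCP asks the server side to enforce."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, request_url: str) -> str:
        q = query(request_url)
        if q.get("response_type") != "code":
            raise ValueError("only the code grant is offered")
        if q.get("redirect_uri") != REDIRECT_URI:            # exact match, no prefixes
            raise ValueError("redirect_uri not registered for this client")
        if q.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # The user approved; send them back with the code, their state and our issuer.
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"], "iss": AS_ISSUER})

    def token(self, code, code_verifier, redirect_uri, client_id) -> dict:
        entry = self.codes.pop(code, None)                   # codes are single use
        if entry is None:
            raise ValueError("unknown or already-redeemed code")
        bound_client, bound_redirect, challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(pkce_challenge(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


def run_flow() -> dict:
    """Happy path: client starts, user approves at the AS, client redeems the code."""
    client, authz = Client(), AuthorizationServer()
    return client.finish(authz.authorize(client.start()), authz.token)
```

Removing any one check reopens a known attack: without state the redirect can be forged (CSRF), without PKCE an intercepted code can be redeemed by whoever caught it, with prefix-matched redirect URIs the code leaks to an attacker-controlled path, and without the issuer check a client registered with two authorization servers can be tricked into sending the honest server's code to the malicious one.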


Speakers

Daniel Fett

Security Research, yes.com
Daniel Fett is a security researcher and security specialist at yes.com. Before that, he received a PhD in Computer Science from University of Stuttgart, Germany. During his research, he developed new methods to formally analyze the security of web applications and standards. He used these formal methods to find new attack vectors on OAuth, OpenID Conn...



Wednesday April 17, 2019 9:15am - 10:00am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am HST

Break
Wednesday April 17, 2019 10:00am - 10:20am HST
Courtyard

10:20am HST

The path to code provenance at Uber
The landscape of Uber applications and services moves and evolves quickly. At our scale, where a one-in-a-million ride happens 10 times every day and production code changes thousands of times a day, scaling security at the rate of business is critical.

Fundamentally we must assure, across our multitude of services and engineering teams, that all production code meets defined security requirements, including compliance obligations. An important piece of this is providing documented assurance that code is authored/reviewed/approved by the appropriate parties and that code running in production is one and the same.

We will share some specific examples and use cases from Uber's product security team that can be applied in other environments, including:
- deploying hooks for developers to sign commits (and enforcement of signatures before building container images)
- making security a first-class citizen in our build pipelines to harden and sign builds (and integrations with our container orchestration framework to ensure that our build/image artifacts have been appropriately hardened and vetted to be run within our infrastructure)
- improvements to our container runtime security, in order to efficiently detect and block any unauthorized code (including runtime anomaly detection and a process for remediation of newly-blacklisted packages)
- deploying security policies around third-party dependencies (and how we hook into the SDLC in order to warn and enforce when something is out of policy compliance)

We'll talk through integration pain points, key takeaways, infrastructure-specific challenges we faced, surprising discoveries, and issues/questions we've tackled along the way.

Speakers

Matthew Finifter

Security Engineer, Uber
Matthew Finifter is a security engineer on Uber's Application Security team. His recent work focuses on the design and implementation of application security automation and improvements within Uber's software development lifecycle. He received his PhD in Computer Science from UC Berkeley...

Tony Ngo

Security Engineer, Uber
Tony Ngo is a security engineer on Uber's Application Security team. He has spent the last 12 years of his professional life doing defensive security engineering, ranging from designing/implementing obfuscation/anti-tampering tools, to mucking with mobile security and most recently...

Debosmit (Debo) Ray

Software Engineer, Uber Technologies, Inc.
Debosmit Ray (Debo) is an engineer on Uber's Product Security team. His most recent work includes extending Uber's data stores to have encryption support, integrating security primitives into various components of Uber's SDLC, infrastructure security and anomaly detection. He received...



Wednesday April 17, 2019 10:20am - 11:05am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:05am HST

Content Security Policy: A successful mess between hardening and mitigation
In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and exploring the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own distinct preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.

We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin Policy manifests, and special cases with Service Workers, WebAssembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.

After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.
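The nonce-based policy the abstract refers to, as an added example that is not Google's code: a per-response nonce, the header string with its backwards-compatibility fallbacks, a template that puts the nonce on every legitimate script, and a small audit that reports which script tags a nonce-enforcing browser would run or block. The /static paths, the /csp-report endpoint and the page template are constructed for the example.

```python
import base64
import html
import secrets
from html.parser import HTMLParser


def new_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def strict_csp(nonce: str) -> str:
    """Nonce-based strict policy with fallbacks for older browsers.

    Browsers that understand nonces ignore 'unsafe-inline'; browsers that
    understand 'strict-dynamic' ignore the https: allowlist.  Scripts that a
    nonced script creates with createElement are trusted transitively.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
        "object-src 'none'; base-uri 'none'; report-uri /csp-report"
    )


# Constructed page template; every legitimate <script> carries the nonce.
PAGE = """<!doctype html>
<html><head>
<script nonce="{nonce}">
  // Bootstrap loader: scripts it creates inherit trust under 'strict-dynamic'.
  var s = document.createElement('script'); s.src = '/static/vendor.js';
  document.head.appendChild(s);
</script>
<script nonce="{nonce}" src="/static/app.js"></script>
</head><body><p>{comment}</p></body></html>
"""


def render_page(nonce: str, comment: str):
    """Return (body, headers) for one response; the nonce is minted per response."""
    body = PAGE.format(nonce=nonce, comment=html.escape(comment))
    return body, {"Content-Security-Policy": strict_csp(nonce)}


class ScriptAudit(HTMLParser):
    """Lists <script> tags a nonce-enforcing browser would run ('allowed') or block."""

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.allowed, self.blocked = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        target = self.allowed if a.get("nonce") == self.nonce else self.blocked
        target.append(a.get("src") or "inline")


def audit(body: str, nonce: str) -> ScriptAudit:
    parser = ScriptAudit(nonce)
    parser.feed(body)
    return parser
```

The nonce must be generated fresh for every response and must not be cached with the page, or it stops being a secret. The audit is a quick template sanity check, not a substitute for a report-only rollout; note also that 'strict-dynamic' propagates trust to scripts a nonced script creates with createElement, but not to markup injected through innerHTML or document.write, which is exactly the behaviour that makes injected script tags fail.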

Speakers

Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.

Lukas Weichselbaum

Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide...



Wednesday April 17, 2019 11:05am - 11:50am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:50am HST

Lunch
Wednesday April 17, 2019 11:50am - 1:00pm HST
Courtyard

1:00pm HST

Security learns to sprint: DevSecOps
This talk will explain what security teams need to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members can start implementing immediately.

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. We must build security into each of "The Three Ways": automating and/or improving the efficiency of all security activities to ensure we don't slow down developers, speeding up feedback loops for security-related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security for both teams. Security can no longer be a gate or stumbling block, and "adding security in" can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it's time for DevSecOps!


Speakers

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of 'Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...



Wednesday April 17, 2019 1:00pm - 1:45pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:45pm HST

Trusted types & the end of DOM XSS
18 years have passed since Cross-Site Scripting (XSS) was identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all the various flavours of Content Security Policy.

Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.

It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design.

But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of Google's web applications, Trusted Types add a DOM XSS prevention API to the browser. Trusted Types allow isolating the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries or client-side sanitizers as building blocks of a secure application.

Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.

Speakers

Krzysztof Kotowicz

Software Engineer, Google LLC
Krzysztof Kotowicz is a web security researcher specialising in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, Owasp...



Wednesday April 17, 2019 1:45pm - 2:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:30pm HST

Break
Wednesday April 17, 2019 2:30pm - 3:00pm HST
Courtyard

3:00pm HST

Bulletproof Shoes
Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused).
These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.
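The scan-and-revoke core of such a tool, written here as an added Python example rather than Slack's own token nuker: find token-shaped strings in a blob of text, revoke each one through the Web API's auth.revoke method (which revokes the token it is called with, so the leaked token is all that is needed), and report outcomes with the token redacted. The token regex is an assumption kept deliberately loose, the leaked file is constructed with fake values, and the transport is injectable so the sample runs offline; the real tool also has to find the text in the first place (repository search), which is outside this snippet.

```python
import json
import re
import urllib.request

# Assumed, deliberately loose pattern for Slack token prefixes (xoxa/xoxb/xoxp/xoxr/xoxs).
# It is meant to over-match; auth.revoke tells us which hits were live.
TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}")


def find_tokens(text: str) -> list:
    """Unique candidate tokens in the order they first appear."""
    return list(dict.fromkeys(TOKEN_RE.findall(text)))


def redact(token: str) -> str:
    """Enough to correlate with Slack's side without re-leaking the secret in our own logs."""
    return token[:5] + "..." + token[-4:]


def slack_post(method: str, token: str) -> dict:
    """Real transport: POST to Slack's Web API with the token as a bearer credential."""
    req = urllib.request.Request(
        "https://slack.com/api/" + method,
        data=b"",
        headers={"Authorization": "Bearer " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def revoke(token: str, post=slack_post) -> bool:
    """auth.revoke invalidates the token it is called with; True only if Slack confirms."""
    reply = post("auth.revoke", token)
    return bool(reply.get("ok")) and bool(reply.get("revoked"))


def nuke(text: str, post=slack_post) -> dict:
    """Scan text, revoke every live token found, report the per-token (redacted) outcome."""
    outcome = {}
    for token in find_tokens(text):
        try:
            outcome[redact(token)] = revoke(token, post)
        except Exception:   # network error: leave it for a retry rather than abort the sweep
            outcome[redact(token)] = False
    return outcome


# Constructed sample: a config file someone pushed to a public repo (fake values).
LEAKED_FILE = """
[slack]
bot_token = xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE
user_token = xoxp-000000000000-000000000000-000000000000-ffffffffffffffffffffffffffffffff
# the same bot token repeated in a comment
# xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE
"""
```

Over-matching is the right trade here: a false positive costs one failed API call, a missed token costs a workspace. Log only the redacted form; the scanner's own output is otherwise one more place the secret lives.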

Speakers

Fikrie Yunaz

Product Security Engineer, Slack
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.

Nikki Brandt

Staff Security Engineer, Slack
Nikki Brandt is a Staff Tech Lead/Manager on the Product Security team at Slack, where she currently leads the Product Security team and drives the security review process. Before joining Slack, Nikki was a senior security consultant at NCC Group (via Matasano), and a security engineer...



Wednesday April 17, 2019 3:00pm - 3:45pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:45pm HST

Trust & Safety Engineering @ GitHub
GitHub is the #1 open source platform in the world, with over 30 million users working in over 100 million repositories. How do we protect our users from harassment while encouraging happy, healthy communities at such a large scale? In this session, I'll introduce the concept of Trust & Safety work in online platforms, talk a bit about different models used to tackle this problem, and then walk through some engineering challenges and trade-offs faced at GitHub.

Learning objective: User safety and privacy, just like security, needs to be built into the platform from the ground up. It is the job of every engineer writing user-facing code to understand and use these best practices.

Speakers

Lexi Galantino

Community & Safety Engineer, GitHub



Wednesday April 17, 2019 3:45pm - 4:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

4:30pm HST

Reception
Join us for the sunset after day one. Refreshments and hors d'oeuvres will be served.

Wednesday April 17, 2019 4:30pm - 5:30pm HST
Courtyard
 
Thursday, April 18
 

8:30am HST

Shifting Product Security from Forceful to Resourceful
This presentation will open the very first Product Security Operations Forum by reflecting on the unique challenges faced by Product Security organizations within modern software companies including the incredible impact that the community has on the industry.
 
Additionally, we will give an overview of the regulatory climate that is driving attack surface reduction and resulting in consumer demand for higher quality risk management within the software supply chain.

Speakers

Christine Gadsby

Head of Product Security Operations, BlackBerry
Christine Gadsby is the Head of Product Security Operations Team. This highly respected team is responsible for building and maintaining BlackBerry Secure software. Gadsby played a critical role in creating BlackBerry's 30-day Android patching strategy, Customer Advisory program...


Thursday April 18, 2019 8:30am - 9:00am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am HST

Day Care
Thursday April 18, 2019 8:30am - 4:30pm HST
Kipu Room

9:00am HST

Who wants a thousand free puppies? Managing open source software security in the enterprise
Open source software (OSS) is ubiquitous in the modern enterprise, enabling rapid solution development through re-use of ready-to-use components, written and maintained by outside developers. And while using OSS unquestionably brings benefits, security vulnerabilities discovered in those components can have devastating consequences. From Heartbleed to eslint-scope, Apache Struts to Zip Slip, awareness of security risk in OSS has gained mindshare in developers and executives alike. The growing size and complexity of the OSS ecosystem bring some particular challenges: How can you ensure the OSS used to run your business is trustworthy? How can you mitigate security risk in a "run fast" DevOps environment without getting in the way? In this interactive session, we will describe lessons learned building an OSS security program at Microsoft, explore best practices, and discuss how to tailor those practices effectively within your organization. Specifically, we'll cover the following:
  • Building a comprehensive, accurate inventory of OSS components used.
  • Understanding the security posture of each identified OSS component.
  • Responding to security vulnerabilities in OSS.
Open source software isn't like a free Mai Tai; it's like a free puppy.

Speakers

Michael Scovetta

Principal Security PM Manager, Microsoft
Michael Scovetta is a Principal Security PM Manager at Microsoft, leading a team researching emerging security threats and building technology solutions to mitigate them. Prior to joining Microsoft, Michael held security and software engineering roles at CBS, CA Technologies, Cigital...



Thursday April 18, 2019 9:00am - 9:30am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

9:30am HST

SBoMs (software bill of materials) – the looming format skirmish
SBoMs – suddenly an item on every customer's checklist. They all _KNOW_ they simply must have one to accompany their latest enterprise software purchase. But how many know what they are asking for? Is SBoM even a defined thing? It is likely that more of them think about SBoMs in theory than in practice, and there are many competing definitions.

SBoMs are supposed to provide us information efficiently. But how is that information stored – how do we generate it, and how do end users consume it? Despite the fact that it's 2019, it seems the overwhelming choice remains CSV files managed by Excel. That doesn't mean that there aren't viable formats beyond unstructured CSV files. Indeed, there are a plethora of formats that are purpose-built for describing the third-party component composition of a software package. We've had software bills of materials available in human- and machine-readable formats for decades now, even if few were using them.

In this talk we'll cover the leading SBoM formats (SWID, SPDX, and CSV) as well as glancing back at some of the tools that were used in days gone by. We'll examine the landscape of SBoM hype and which way governments, industry, and standards orgs are headed. After all, there is nothing worse than delivering an SBoM that no one can read. We'll also answer questions like "Is this a zero sum game?" and "
Attendees will learn about tools to generate and read SBoMs in numerous formats. We’ll also explore avoiding format lock-in. Attendees will also take away an understanding of the landscape, and the strengths and weaknesses of the formats to be able to make informed decisions on the path to SBoM happiness.
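To make the format question concrete, and to tie it to the component inventory the previous session calls for, here is an added Python example that is not from either talk: one internal component record emitted as both CSV and SPDX 2.2 tag/value, with a reader that parses the SPDX back so the inventory is not locked to either format. SWID is left out only because it is XML and would double the length. The inventory contents, the document namespace and the tool name are constructed for the example, and the purl handling skips percent-encoding.

```python
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    ecosystem: str   # npm, maven, pypi, ...
    name: str        # for maven: namespace/artifact
    version: str
    license: str     # SPDX license identifier or NOASSERTION


def purl(c: Component) -> str:
    """Package URL; sufficient for these ecosystems (real purls percent-encode)."""
    return f"pkg:{c.ecosystem}/{c.name}@{c.version}"


def spdx_id(c: Component) -> str:
    # SPDX identifiers may only contain letters, digits, '.' and '-'.
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{c.name}-{c.version}")


def to_csv(components) -> str:
    """The spreadsheet-friendly form customers usually ask for."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["ecosystem", "name", "version", "license", "purl"])
    for c in components:
        w.writerow([c.ecosystem, c.name, c.version, c.license, purl(c)])
    return buf.getvalue()


def from_csv(text: str) -> list:
    return [Component(r["ecosystem"], r["name"], r["version"], r["license"])
            for r in csv.DictReader(io.StringIO(text))]


def to_spdx(components, product: str, created: str) -> str:
    """SPDX 2.2 tag/value document listing each component as a package."""
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {product}",
        f"DocumentNamespace: https://sbom.example/spdx/{product}",   # assumed namespace
        "Creator: Tool: sbom-demo",                                  # assumed tool name
        f"Created: {created}",
    ]
    for c in components:
        lines += [
            "",
            f"PackageName: {c.name}",
            f"SPDXID: {spdx_id(c)}",
            f"PackageVersion: {c.version}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            f"PackageLicenseConcluded: {c.license}",
            f"PackageLicenseDeclared: {c.license}",
            "PackageCopyrightText: NOASSERTION",
            f"ExternalRef: PACKAGE-MANAGER purl {purl(c)}",
            f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_id(c)}",
        ]
    return "\n".join(lines) + "\n"


def from_spdx(text: str) -> list:
    """Read the packages back; the purl carries ecosystem, name and version."""
    comps, cur = [], {}
    for line in text.splitlines():
        if line.startswith("PackageName:"):
            cur = {}
        elif line.startswith("PackageLicenseDeclared:"):
            cur["license"] = line.split(":", 1)[1].strip()
        elif line.startswith("ExternalRef: PACKAGE-MANAGER purl "):
            ref = line.rsplit(" ", 1)[1][len("pkg:"):]
            eco, rest = ref.split("/", 1)
            name, version = rest.rsplit("@", 1)
            comps.append(Component(eco, name, version, cur.get("license", "NOASSERTION")))
    return comps


# Constructed inventory for the example.
INVENTORY = [
    Component("maven", "org.apache.struts/struts2-core", "2.3.32", "Apache-2.0"),
    Component("npm", "eslint-scope", "3.7.1", "BSD-2-Clause"),
    Component("pypi", "requests", "2.21.0", "Apache-2.0"),
]
```

The ecosystem/name/version triple, here carried as a purl in an ExternalRef, is what lets an inventory be matched against vulnerability feeds, which is the "security posture of each component" step; a CSV with only a name column cannot do that reliably, whichever format wraps it.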


Speakers

David Nalley

Open Source Guy, BlackBerry
David Nalley is a recovering sysadmin who still feels phantom vibrations from a decade-plus absent pager. David is a former member of the Apache Software Foundation’s Board of Directors and currently serves as the Vice-President of Infrastructure for the ASF. David helped build cloudy...


Thursday April 18, 2019 9:30am - 10:00am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am HST

Break
Thursday April 18, 2019 10:00am - 10:30am HST
Courtyard

10:30am HST

SDL at scale: growing security champions
If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you. 

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions that go beyond just interfacing with the security team but also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.

Speakers

Ryan O'Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...


Thursday April 18, 2019 10:30am - 11:00am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:00am HST

Upstreaming security to rails: a story about falling behind and catching back up again
Web frameworks have helped enable development that just would not be practical otherwise. While frameworks can introduce unseen attack surfaces, they can also solve problems, including entire classes of vulnerabilities <caveat>when a supported version of the framework is used properly</caveat>. GitHub is in the interesting position of employing members of the Rails security group, core maintainers, and public bounty members. We have introduced features, applied secure defaults, and taken away many rough edges. This talk will explore examples of features that other frameworks can or should use, some of which came from GitHub. We will also explore the history of some of these features across other frameworks.

It's no surprise that using out-of-date dependencies introduces many types of risk. It also makes it very hard to hire, retain, maintain, secure, or improve anything or anyone. Bleeding edge or die.

Speakers

Neil Matatall

Product Security Engineer, GitHub
Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences...



Thursday April 18, 2019 11:00am - 11:30am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:30am HST

JavaScript supply chain security
In an npm survey of over 33,000 worldwide developers, 99% of JavaScript developers confirm they use open source code, 83% express concern about whether the open source software they use is secure, and 58% believe that there aren’t satisfactory methods for evaluating whether code is safe. npm is the world's supplier of JavaScript, a very important piece of the dependency supply chain. In this talk Adam will discuss the current security state of the JavaScript ecosystem, what security challenges it has faced, and what npm has done and continues to do to make this supply chain more secure.

Speakers

Adam Baldwin

Sr. Product Manager, Supply Chain Security, GitHub
Adam Baldwin is a Senior Product Manager focused on supply chain security at GitHub. A security focused leader with over 25 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously...



Thursday April 18, 2019 11:30am - 12:00pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
  Track: SDLC
  About: Adam Baldwin is Director of Security at npm Inc., the company that powers the world’s JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously, Adam founded ^Lift Security, a successful application security and penetration testing service company, and the Node Security Platform, an initiative to track vulnerabilities in the JavaScript ecosystem. The project evolved into a SaaS platform at the forefront of the continuous security movement. Both were acquired by npm, Inc. in early 2018.

12:00pm HST

Lunch
Thursday April 18, 2019 12:00pm - 1:00pm HST
Courtyard

1:00pm HST

A good first impression can work wonders: creating AppSec training that developers ❤
Good vulnerability response practices are critical to software security. But good vulnerability response practices work even better on software built with security in mind.

At Segment, we use vulnerability report data and gamification to help our developers grow their security mindset. In this session, we’ll explain our two-tiered approach: first, presenting vulnerability report and pentesting trends to help teach where vulnerabilities have been identified in the past, and then teaching our team how to hunt for and report security bugs they’ve found.

We’ve found this approach really helpful in increasing security before release, almost eliminating one class of vulnerability reports. In this session, I’ll talk about the details of how we do this security training—see if you think this could help you!

Speakers

Leif Dreizler

Senior Engineering Manager - Security Features, Twilio Segment
Leif Dreizler is an information security professional with over a decade of experience. Leif joined Segment (now part of Twilio) in 2017 and currently manages a team of Software Engineers focused on building security features. Leif joined as an early member of the security team and...



Thursday April 18, 2019 1:00pm - 1:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:30pm HST

Tips and tricks for effective vulnerability management
If you run a vulnerability response or bug bounty program (or both), there's a good chance you're experiencing substantial growth year over year.  In this talk, Pieter Ockers of Adobe's PSIRT will tell the story of how incremental steps to mature a vulnerability management framework can help decrease the average number of unresolved vulnerabilities, as well as reducing the average age of unresolved cases.
 
Pieter will share tips on:
  • Developing productive relationships with resource-constrained engineering teams
  • Leveraging vulnerability submission platforms to scale your team
  • Developing vulnerability taxonomies to consistently score risk
  • Implementing an escalation protocol to improve response outcomes
  • Selecting the right data for the executive audience
  • Applications of the 80/20 rule for vulnerability response


Speakers

Pieter Ockers

PSIRT Manager, Adobe
Pieter Ockers is a Senior Security Program Manager and runs Adobe’s Product Security Incident Response Team (PSIRT). Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.


Thursday April 18, 2019 1:30pm - 2:00pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:00pm HST

Multi-party vulnerability response in/with OSS
The Microsoft Security Response Center leads vulnerability response and disclosure for all Microsoft’s products and services – including open source software that Microsoft maintains and products or services that consume OSS.  OSS security vulnerabilities usually affect multiple parties and in many cases it is necessary for these parties to come together to coordinate the disclosure to minimize the risk and disruption to end-users (this is usually known as multi-party coordinated disclosure).  This talk will present examples in multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g. CVE-2019-5736) and standards/protocol weaknesses (e.g. CVE-2018-5391).  We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.

Speakers

Jorge Lopez

Principal Security PM Manager, Microsoft
Jorge is a Principal Security PM Manager in the Vulnerability Response and Remediation team of Microsoft’s Security Response Center (MSRC). In this role, he leads a team responsible for intake, handling, and disclosure of security and privacy vulnerabilities in Microsoft’s products...


Thursday April 18, 2019 2:00pm - 2:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:30pm HST

Break
Thursday April 18, 2019 2:30pm - 3:00pm HST
Courtyard

3:00pm HST

Bug bounty botox: how to spot good security DNA & prevention from cosmetic security
Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing in to use them everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag about sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There's a reason many top companies and governments manage their own triage & store their own bugs on premise, not in 5-year-old startup cloud platforms triaged by contractors. Who has eyes on your bugs besides you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what in some cases is only superficial security performance art? All organizations need to understand why & how to manage particularly sensitive bugs more securely. What does your threat model & organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, & to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.

Speakers

Katie Moussouris

CEO, Luta Security
Ms. Moussouris recently testified as an expert on bug bounties & the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the...


Thursday April 18, 2019 3:00pm - 3:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:30pm HST

Evolving beyond the vulnerability whack-a-mole game
With more than 197,000 known vulnerabilities published and over 22,000 new disclosures in 2018, organizations must make constant risk decisions. In fact, each day organizations have to ensure they are aware of approximately 60 new vulnerabilities, evaluate the potential impact to their organization’s products, and then determine if it warrants action. This task is daunting even to large, well-staffed organizations, and thus typically decisions are not made at all or are delayed. While understanding vulnerability data, prioritizing, and fixing issues remain extremely important, it is a must that organizations evolve beyond the Whack-a-Mole approach to vulnerability management in their products. To enable this, a move to a strategic approach is required that focuses on problem management and root cause analysis. Insights derived from vulnerability intelligence provide the capabilities for software risk ratings and answering important questions such as: Which vendors/products are the ones that are most likely to cause a data breach? Which vendors/products cost the most to maintain securely? Which vendors fix issues quickly in products rather than leave organizations vulnerable? Which vendors/products are investing in secure coding? Are there products and components that should be removed from the organization?

Speakers

Jake Kouns

RVAsec
Jake is the founder of RVAsec and was previously the CEO for Risk Based Security that provides vulnerabilities and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known...


Thursday April 18, 2019 3:30pm - 4:00pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

4:00pm HST

Visibility & Control: Addressing supply chain challenges to trustworthy software-enabled things
Software is playing a pivotal role in most enterprises, whether they realize it or not, and with the advent of the Industrial Internet of Things (IoT) and other cyber/physical systems across our society and critical infrastructure, and our collective love affair with automation, optimization, and “smart” devices, that role is only going to increase. This talk addresses the myriad of issues that underlie unsafe, insecure, and unreliable software and provides the insights of the Industrial Internet Consortium and other government and industry efforts on how to conquer them and pave the way to a marketplace of trustworthy software-enabled connected things.

As the experience of several sectors has shown, the dependence on connected software needs to be met with a strong understanding of the risks to the overall trustworthiness of the software-based capabilities that we, our enterprises, and our world utilize. In many of these new connected systems, issues of safety, reliability, and resilience rival or dominate concerns for security and privacy, the long-time focus of many in the IT world. Without a scalable and efficient method for managing these risks so our enterprises can continue to benefit from these advancements that power our military, commercial industries, cities, and homes to new levels of efficiency, versatility, and cost effectiveness, we face the potential for harm, death, and destructiveness.

In such a marketplace, creating, exchanging, and integrating components that are trustworthy as well as entering into value-chain relationships with trustworthy partners and service suppliers will be common if we can provide a method for explicitly defining what is meant by the word trustworthy. The approach being pursued by these groups, leveraging Structured Assurance Cases, Software Bill of Materials and secure development practices, is to explicitly identify the detailed requirements “about what we need to know about something for it to be worthy of our trust” and to do that in a way that we can convey that basis of trust to others that: can scale; is consistent within different workflows; is flexible to differing sets of hazards and environments; and is applicable to all sectors, domains, and industries. We will also consider the challenges of brownfield/greenfield in considering trustworthiness in legacy and new systems.



Speakers

Robert (Bob) Martin

Senior Principal Engineer, MITRE Corporation
Robert (Bob) Martin is a Senior Principal Engineer at the MITRE Corporation and has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality...



Thursday April 18, 2019 4:00pm - 4:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

5:00pm HST

Luau Event - Smith's Kauai Garden Luau
Transportation will be arranged from the hotel. If you indicated you were bringing guests when you registered, we have space. If not, come see one of us.

https://www.smithskauai.com/garden-luau/

Aloha! Over 50 years ago, Grandpa started our family business in this sacred Wailua River Valley. We created our tropical paradise to celebrate the Hawaiian spirit of aloha that he loved and lived by. Today, four generations of my family continue to honor that tradition with the most famous of Hawaiian celebrations, the luau. Come share the traditions of our island home and become part of our ‘ohana.

Of course, the heart of any luau is the pa‘ina, the feast, and we’ll make sure you don’t go hungry. Kalua pig roasted in the earthen imu oven. Cousin Gary’s secret recipe for teriyaki beef. Ono mahimahi and tasty chicken adobo. Our family bowl of poi (which Grandma insists you try). We’ll even get some of you up on stage to try some hula moves as dinner winds down.

Food may be the heart of a luau, but music is the soul. Our Hawaiian ancestors preserved their history by passing down songs and chants called mele. At our luau, we celebrate these traditions, as well as the songs and dances from other cultures that live in our tropical paradise. The lyrical sway of the Hawaiian hula, the colorful precision of the Tahitian drum dances and the fiery emotion of the Samoan fire knife dance all speak deeply of the people who have come to call Hawaii home. We proudly share this rhythm of aloha with you.

Thursday April 18, 2019 5:00pm - 9:30pm HST
Smith’s Luau 3-5971 Kuhio Hwy, Kapaa, HI 96746
 
Friday, April 19
 

8:30am HST

Have you adapted your AppSec?
In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories, stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. David will talk through the various solutions using his experiences to help build security into the development process.

Speakers

David Lindner

CISO, Contrast Security
David is an experienced Application Security Professional with over 18 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support...



Friday April 19, 2019 8:30am - 9:15am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am HST

Day Care
Friday April 19, 2019 8:30am - 1:30pm HST
Kipu Room

9:15am HST

The truth about cookies, tokens and APIs
With the rise of Single Page Applications, we also see a paradigm shift in session management techniques. Instead of using server-side cookie-based sessions, many developers are shifting towards client-side state mechanisms, using JWT tokens and custom HTTP headers. There’s plenty of conflicting advice out there, discussing cookie security issues, Cross-Site Request Forgery, and XSS. So how can you make a sensible choice, and how will that impact the security of your application?

This talk will guide you in this choice. We dive into the technicalities behind these technologies, and the actual security impact of your choices. We’ll look at compatibility with current web security mechanisms. You will learn how to assess your past choices, and how to substantiate future decisions. 

Speakers

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...



Friday April 19, 2019 9:15am - 10:00am HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am HST

Break
Friday April 19, 2019 10:00am - 10:30am HST
Courtyard

11:15am HST

Hana hou panel
A recap of the conference discussing the prime topics with some of our speakers.

Speakers

Jeremiah Grossman

CEO, Bitdiscovery
Jeremiah Grossman's career spans a literal lifetime of approximately 20 years in information security, during which he has become one of the industry's biggest names. In that time, he has been publicly thanked by Microsoft, Mozilla, Google, Facebook, a variety of Fortune 500 companies...


Friday April 19, 2019 11:15am - 12:00pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

12:00pm HST

Lunch
Friday April 19, 2019 12:00pm - 1:00pm HST
Courtyard

1:00pm HST

Free workshop: Identifying abuse vectors in web applications
Vulnerabilities that put data or finances at risk are any developer's worst nightmare. But abuse vectors that lead to customers being harassed, doxxed, traumatized, or threatened are just as important to a community's experience—and are often neglected.

This workshop will introduce programmers of all skill levels to common ways that web applications can be exploited to harm others and some options for addressing them. We'll look at examples of software from pop culture with abuse vectors and collaborate on possible solutions.




Speakers

Terian Koscik

Software Engineer, GitHub


Friday April 19, 2019 1:00pm - 4:00pm HST
Kipu Room

1:00pm HST

Collaborative capture the flag
Participate in a collaborative, non-competitive capture the flag event where you can apply what you've learned in a fun and casual environment. Hints will be provided, answers will be supplied. Join a team or do it alone. It's up to you!

Speakers

Matt Langlois

Product Security Engineer, GitHub
Matt is a junior product security engineer at GitHub. Over the course of his university career he developed a passion for cyber security. Matt has gained a plethora of AppSec knowledge participating in bug bounty programs and CTFs. He previously organized monthly DefCon 613 meetups...


Friday April 19, 2019 1:00pm - 5:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:00pm HST

Job Fair
Companies like Slack, Uber, Google, and more will be actively recruiting at the event. Bring your resumes and be ready to chat but please, do not "dress for success."

Friday April 19, 2019 1:00pm - 5:30pm HST
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
 