Loading…
This event has ended. Visit the official site or create your own event on Sched.
One Track
Lots of Flavor

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, April 15
 

9:00am

Building Secure API's and Web Applications: Secure Coding with Aloha
Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an udpated web browser and "Burp Community Edition".

Description: 
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and webservices will benefit.

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS

Day 2 of the course will focus on API secure coding, Identity and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection
We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Speakers
avatar for Jim Manico

Jim Manico

Trainer, Manicode Security LLC
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is an a investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne rockstar... Read More →


Monday April 15, 2019 9:00am - 5:00pm
Nawiliwili Room

9:00am

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Student Requirements: Familiarity with at least one public cloud provider is recommend- ed. Students should also have basic Docker knowledge and experience launching and managing basic cloud instances. Basic command line and scripting skills are highly recommended.

Laptop Requirements: Any laptop with at least 2GB of free ram available that can run Docker, Minikube, and Virtualbox.

Description:
The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust.

This technical 2-day course will focus on the ins and outs of building a modern cloud infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

The hands-on portion of the course will rely heavily on Kubernetes for the deployment and orchestration of Docker containers. Each student will build a sandbox Kubernetes cluster from scratch using Google Container Engine (GKE) or locally using Minikube.

At the completion of this course, students will have an operational, version controlled, deployment pipeline capable of shipping a container to a Kubernetes cluster while performing a number of automated security checks along the way.

Some of the principals and techniques covered in this course include:
  • DevSecOps Principles
  • Kubernetes and Docker Security Controls
  • Third-Party Security Considerations
  • Identity and Access Management Secure Deployment Pipelines
  • Security Automation
  • Infrastructure as Code
  • Scaling Security Operations
  • Data Security and Encryption
  • Logging, Monitoring, and Alerting

Speakers
avatar for Jimmy Mesta

Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side... Read More →


Monday April 15, 2019 9:00am - 5:00pm
Ha'iku Room

10:30am

Break
Snacks!

Monday April 15, 2019 10:30am - 10:45am
Courtyard

12:00pm

Lunch
Provided lunch!

Monday April 15, 2019 12:00pm - 1:00pm
Kukui's on Kalapaki Beach 3610 Rice St, Lihue, HI 96766

3:00pm

Break
Snacks!

Monday April 15, 2019 3:00pm - 3:15pm
Courtyard
 
Tuesday, April 16
 

9:00am

Building Secure API's and Web Applications: Secure Coding with Aloha
Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an udpated web browser and "Burp Community Edition".

Description: 
The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and webservices will benefit.

Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017
  • OWASP ASVS
Day 2 of the course will focus on API secure coding, Identity and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection
We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Speakers
avatar for Jim Manico

Jim Manico

Trainer, Manicode Security LLC
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is an a investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne rockstar... Read More →


Tuesday April 16, 2019 9:00am - 5:00pm
Nawiliwili Room

9:00am

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified
Student Requirements: Familiarity with at least one public cloud provider is recommend- ed. Students should also have basic Docker knowledge and experience launching and managing basic cloud instances. Basic command line and scripting skills are highly recommended.

Laptop Requirements: Any laptop with at least 2GB of free ram available that can run Docker, Minikube, and Virtualbox.

Description:
The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust.

This technical 2-day course will focus on the ins and outs of building a modern cloud infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

The hands-on portion of the course will rely heavily on Kubernetes for the deployment and orchestration of Docker containers. Each student will build a sandbox Kubernetes cluster from scratch using Google Container Engine (GKE) or locally using Minikube.

At the completion of this course, students will have an operational, version controlled, deployment pipeline capable of shipping a container to a Kubernetes cluster while performing a number of automated security checks along the way.

Some of the principals and techniques covered in this course include:
  • DevSecOps Principles
  • Kubernetes and Docker Security Controls
  • Third-Party Security Considerations
  • Identity and Access Management Secure Deployment Pipelines
  • Security Automation
  • Infrastructure as Code
  • Scaling Security Operations
  • Data Security and Encryption
  • Logging, Monitoring, and Alerting

Speakers
avatar for Jimmy Mesta

Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side... Read More →


Tuesday April 16, 2019 9:00am - 5:00pm
Ha'iku Room

10:30am

Break
Snacks!

Tuesday April 16, 2019 10:30am - 10:45am
Courtyard

12:00pm

Lunch
Provided lunch!

Tuesday April 16, 2019 12:00pm - 1:00pm

1:00pm

Speaker/Vendor early load in
Test out your presentation on our screen and audio. Set up your booth. Or just come and say hello!

Tuesday April 16, 2019 1:00pm - 6:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:00pm

Break
Snacks!

Tuesday April 16, 2019 3:00pm - 3:15pm
Courtyard

6:00pm

[Invite Only] Speaker, D&I, staff, sponsor dinner
RSVP required. Limited space, invitation only. 

Tuesday April 16, 2019 6:00pm - 8:00pm
Cafe portofino 3481 Ho'Olaulea Way, Lihue, HI 96766
 
Wednesday, April 17
 

8:30am

The seven habits of a highly effective DevSecOp
DevOps and the subsequent move bring security in under the umbrella of DevSecOps has created a new a ethos for security. This is good, however moving security and devops closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And really, what makes a good DevSecOp?


This talk highlights the seven habits that the high-performing DevSecOp of today (and tomorrow) should develop. Topics range from empathy to lean to system safety with the hope to uncover a new playbook for devs, ops and security to work together.


Speakers
avatar for James Wickett

James Wickett

Head of Research, Signal Sciences
James spends a lot of time at the intersection of the DevOps and Security communities. He works as Head of Research at Signal Sciences and is a supporter of the Rugged Software and DevSecOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt... Read More →



Wednesday April 17, 2019 8:30am - 9:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am

Day Care
Wednesday April 17, 2019 8:30am - 4:30pm
Kipu Room

9:15am

How not to use OAuth
OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and deprecates less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.


Speakers
avatar for Daniel Fett

Daniel Fett

Security Research, yes.com
Daniel Fett is a security researcher and security specialist at yes.com. Before that, he received a PhD in Computer Science from University of Stuttgart, Germany. During his research, he developed new methods to formally analyze the security of web applications and standards. He used these formal methods to find new attack vectors on OAuth, OpenID Conn... Read More →



Wednesday April 17, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am

Break
Wednesday April 17, 2019 10:00am - 10:20am
Courtyard

10:20am

The path to code provenance at uber
The landscape of Uber applications and services moves and evolves quickly. At
our scale, where a one-in-a-million ride happens 10 times every day and production code changes thousands of times a day, scaling security at the rate of business is critical.

Fundamentally we must assure, across our multitude of services and engineering teams, that all production code meets defined security requirements, including compliance obligations. An important piece of this is providing documented assurance that code is authored/reviewed/approved by the appropriate parties and that code running in production is one and the same.

We will share some specific examples and use cases from our Uber’s product security team that can be applied in other environments including:
- deploying hooks for developers to sign commits (and enforcement of signatures before building container images)
- making security a first-class citizen in our build pipelines to harden and sign builds (and integrations with our container orchestration framework to ensure that our build/image artifacts have been appropriately hardened and vetted to be run within our infrastructure)
- improvements to our container runtime security, in order to efficiently detect and block any unauthorized code (including runtime anomaly detection and a process for remediation of newly-blacklisted packages)
- deploying security policies around third-party dependencies (and how we hook into the SDLC in order to warn and enforce when something is out of policy compliance)

We'll talk through integration pain points, key takeaways, infrastructure-specific challenges we faced, surprising discoveries, and issues/questions we've tackled along the way.

Speakers
avatar for Matthew Finifter

Matthew Finifter

Security Engineer, Uber
Matthew Finifter is a security engineer on Uber's Application Security team. His recent work focuses on the design and implementation of application security automation and improvements within Uber's software development lifecycle. He received his PhD in Computer Science from UC Berkeley... Read More →
avatar for Tony Ngo

Tony Ngo

Security Engineer, Uber
Tony Ngo is a security engineer on Uber’s Application Security team.  He hasspent the last 12 years of his professional life doing defensive securityengineering ranging from designing/implementing obfuscation/anti-tamperingtools, to mucking with mobile security and most recently... Read More →
avatar for Debosmit (Debo) Ray

Debosmit (Debo) Ray

Software Engineer, Uber
Debosmit Ray (Debo) is a software engineer on Uber's Application Security team.His most recent work includes integrating security primitives into the CI/CDand container orchestration components of Uber's software development lifecycleand service-to-service authentication. He received... Read More →



Wednesday April 17, 2019 10:20am - 11:05am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:05am

Content Security Policy: A successful mess between hardening and mitigation
In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own, distinct, preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.
We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlight special cases with Service Workers, Web Assembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.
After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.

Speakers
avatar for Michele Spagnuolo

Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.
avatar for Lukas Weichselbaum

Lukas Weichselbaum

Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. | | He's passionate about securing Web applications from common Web vulnerabilities and leads the... Read More →



Wednesday April 17, 2019 11:05am - 11:50am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:50am

Lunch
Wednesday April 17, 2019 11:50am - 1:00pm
Courtyard

1:00pm

Security learns to sprint: DevSecOps
This talk will explain what security teams needs to adjust in order to turn DevOps into
DevSecOps within their organizations. Several strategies are presented for weaving
security into each of the "Three Ways", with clear steps audience members can start
implementing immediately.

This talk will argue that DevOps could be the best thing to happen to application security
since OWASP, if developers and operations teams are enabled to make security a part of
their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security,
security now needs to concentrate on creating tools, processes and opportunities for dev
and ops that result in more-secure products, instead of trying to do it all themselves like they
did in days past. We must build security into each of “The Three Ways”; automating and/or
improving efficiency of all security activities to ensure we don’t slow down developers,
speeding up feedback loops for security related activities so that we fix the bugs faster and
sooner, and providing continuous learning opportunities in relation to security, for both
teams. Security can no longer be a gate or stumbling block, and ‘adding security in’ can no
longer be used as a justification for project delays. If developers are sprinting, then we need
to sprint too. So put on your running shoes; it’s time for DevSecOps!


Speakers
avatar for Tanya Janca

Tanya Janca

Cloud Advocate, Microsoft
Tanya Janca is a senior cloud advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching... Read More →



Wednesday April 17, 2019 1:00pm - 1:45pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:45pm

Trusted types & the end of DOM XSS
18 years have passed since Cross-Site Scripting (XSS) has been identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all various flavours of Content Security Policy.

Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.

It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design.

But perhaps we have a chance this time? Trusted Types is a new browser API that
allows a web application to limit its interaction with the DOM, with the goal of obliterating
DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow to isolate the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries, or client-side sanitizers to use them as building blocks of a secure application.

Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.

Speakers
avatar for Krzysztof Kotowicz

Krzysztof Kotowicz

Information Security Engineer, Google
Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in JavaScript, browser extensions and client-side security. Author of multiple open-source pentesting tools, and... Read More →



Wednesday April 17, 2019 1:45pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:30pm

Break
Wednesday April 17, 2019 2:30pm - 3:00pm
Courtyard

3:00pm

Bulletproof Shoes
Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused).
These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.

Speakers
avatar for Fikrie Yunaz

Fikrie Yunaz

Product Security Engineer, Slack
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.
avatar for Nikki Brandt

Nikki Brandt

Product Security Engineer, Slack
Nikki Brandt is a Product Security Engineer at Slack, where she currently leads the security review process and performs internal security assessments of the platform. Before joining Slack, Nikki was a senior security consultant at Matasano Security and NCC Group, and a security engineer... Read More →



Wednesday April 17, 2019 3:00pm - 3:45pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:45pm

Trust & Safety Engineering @ GitHub
GitHub is the #1 open source platform in the world, with over 30 million users working in over 100 million repositories. How do we protect our users from harassment while encouraging happy, healthy communities at such a large scale? In this session, I'll introduce the concept of Trust & Safety work in online platforms, talk a bit about different models used to tackle this problem, and then walk through some engineering challenges and trade-offs faced at GitHub.

Learning objective: User safety and privacy, just like security, needs to be built into the platform from the ground up. It is the job of every engineer writing user-facing code to understand and use these best practices.

Speakers
avatar for Lexi Galantino

Lexi Galantino

Community & Safety Engineer, GitHub



Wednesday April 17, 2019 3:45pm - 4:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

4:30pm

Reception
Join us for the sunset after day one. Refreshments and hors d'ouvres will be served.

Wednesday April 17, 2019 4:30pm - 5:30pm
Courtyard
 
Thursday, April 18
 

8:30am

Shifting Product Security from Forceful to Resourceful
This presentation will open the very first Product Security Operations Forum by reflecting on the unique challenges faced by Product Security organizations within modern software companies including the incredible impact that the community has on the industry.
 
Additionally, we will give an overview of the regulatory climate that is driving attack surface reduction and resulting in consumer demand for higher quality risk management within the software supply chain.

Speakers
avatar for Christine Gadsby

Christine Gadsby

Head of Product Security Operations, BlackBerry
Christine Gadsby is the Head of Product Security Operations Team. This highly respected team is responsible for building and maintaining BlackBerry Secure software. Gadsby played a critical role in creating BlackBerry’s 30-day Android patching strategy, Customer Advisory program... Read More →


Thursday April 18, 2019 8:30am - 9:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am

Day Care
Thursday April 18, 2019 8:30am - 4:30pm
Kipu Room

9:00am

Who wants a thousand free puppies? Managing open source software security in the enterprise
Open source software (OSS) is ubiquitous in the modern enterprise, enabling rapid solution development through re-use of ready-to-use components, written and maintained by outside developers. And while using OSS unquestionably brings benefits, security vulnerabilities discovered in those components can have devastating consequences. From Heartbleed to Eslint-scope, Apache Struts to Zip Slip, awareness of security risk in OSS has gained mindshare in developers and executives alike. The growing size and complexity of the OSS ecosystem bring some particular challenges: How can you ensure the OSS used to run your business is trustworthy? How can you mitigate security risk in a "run fast" DevOps environment without getting in the way? In this interactive session, we will describe lessons learned building an OSS security program at Microsoft, explore best practices, and discuss how to tailor those practices effectively within your organization. Specifically, we'll cover the following: - Building a comprehensive, accurate inventory of OSS components used. - Understanding the security posture of each identified OSS component. - Responding to security vulnerabilities in OSS. Open source software isn't like a free Mai Tai; it's like a free puppy.

Speakers
avatar for Michael Scovetta

Michael Scovetta

Principal Security PM Manager, Microsoft
Michael Scovetta is a Principal Security PM Manager at Microsoft, leading a team researching emerging security threats and building technology solutions to mitigate them. Prior to joining Microsoft, Michael held security and software engineering roles at CBS, CA Technologies, Cigital... Read More →



Thursday April 18, 2019 9:00am - 9:30am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

9:30am

SBoMs (software bill of materials) – the looming format skirmish
SBoMs – suddenly an item on every customer’s checklist. They all _KNOW_ they simply must have one to accompany their latest enterprise software purchase. But how many know what they are asking for? Is SBoM even a defined thing? It may be more likely that they think about SBoMs theoretically than practice. Many define SBoMs.

SBoMs are supposed to provide us information efficiently. But how is that information stored – how do we generate it, and how do end users consume it? Despite the fact that it’s 2019 – it seems the overwhelming choice remains CSV files managed by Excel. That doesn’t mean that there aren’t viable formats beyond unstructured CSV files. Indeed, there are a plethora of formats that are purpose-built for describing the third-party components composition of a software package. Indeed we’ve had Software Bill of Materials available in human and machine readable formats for decades now; even if few were using them.

In this talk we’ll cover the leading SBoM formats (SWID, SPDX, and CSV) as well as glancing back at some of the tools that used in days gone by. We’ll examine the landscape of SBoM hype and which way governments, industry, and standards orgs are headed. After all there is nothing worse than delivering an SBoM that no one can read. We’ll also answer questions like “Is this a zero sum game?” and “
Attendees will learn about tools to generate and read SBoMs in numerous formats. We’ll also explore avoiding format lock-in. Attendees will also take away an understanding of the landscape, and the strengths and weaknesses of the formats to be able to make informed decisions on the path to SBoM happiness.


Speakers
DN

David Nalley

Open Source Guy, BlackBerry
David Nalley is a recovering sysadmin who still feels phantom vibrations from decade plus absent pager. David is a former member of Apache Software Foundation’s Board of Directors and currently serves as the Vice-President of Infrastructure for the ASF. David helped build cloudy... Read More →


Thursday April 18, 2019 9:30am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am

Break
Thursday April 18, 2019 10:00am - 10:30am
Courtyard

10:30am

SDL at scale: growing security champions
If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you. 

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions that go beyond just interfacing with the security team but also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.

Speakers
avatar for Ryan O' Boyle

Ryan O' Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan... Read More →


Thursday April 18, 2019 10:30am - 11:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:00am

Upstreaming security to rails: a story about falling behind and catching back up again
Web frameworks have helped enable development that just would not be practical otherwise. While frameworks can introduce unseen attack surfaces, they can also solve problems including entire classes of vulnerabilities <caveat>when a supported version of the framework is used properly</caveat>.  GitHub is in the interesting position of employing members of the rails security group, core maintainers, and public bounty members. We have introduced features, applied secure defaults, and taken away many rough edges. This talk will explore examples of features that other frameworks can or should use, some of which came from GitHub. We will also explore the history of some of these features across other frameworks. 

It's no surprise that using out of date dependencies introduces many types of risk. It also makes it very hard to hire, retain, maintain, secure, or improve anything or anyone. Bleeding edge or die

Speakers
avatar for Neil Matatall

Neil Matatall

Product Security Engineer, GitHub
Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences... Read More →



Thursday April 18, 2019 11:00am - 11:30am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:30am

JavaScript supply chain security
In an npm survey of over 33,000 worldwide developers, 99% of JavaScript developers confirm they use open source code, 83% express concern about whether the open source software they use is secure, and 58% believe that there aren’t satisfactory methods for evaluating whether code is safe.  npm is the worlds supplier of JavaScript, a very important piece of the dependency supply chain. In this talk Adam will discuss the current security state of the JavaScript ecosystem, what security challenges it faced and what npm has done and continues to do to make this supply chain more secure.

Speakers
avatar for Adam Baldwin

Adam Baldwin

VP of Security, npm
Adam Baldwin is VP of Security at npm Inc., the company that powers the world’s JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking... Read More →



Thursday April 18, 2019 11:30am - 12:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
  • about Adam Baldwin is Director of Security at npm Inc., the company that powers the world’s JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously, Adam founded ^Lift Security, a successful application security and penetration testing service company, and the Node Security Platform, an initiative to track vulnerabilities in the JavaScript ecosystem. The project evolved into a SaaS platform at the forefront of the continuous security movement. Both were acquired by npm, Inc. in early 2018.

12:00pm

Lunch
Thursday April 18, 2019 12:00pm - 1:00pm
Courtyard

1:00pm

A good first impression can work wonders: creating AppSec training that developers ❤
Good vulnerability response practices are critical to software security. But good vulnerability response practices work even better on software built with security in mind.

At Segment, we use vulnerability report data and gamification to help our developers grow their security mindset. In this session, we’ll explain our two-tiered approach to both helping developers understand trends in our vulnerability reports. We take a two-tiered approach, first presenting vulnerability report and pentesting trends to help teach where vulnerabilities have been identified in the past, and then teaching our team how to hunt for and report security bugs they’ve found.

 We’ve found this approach really helpful to increasing security before release, almost eliminating one class of vulnerability reports. In this session, I’ll talk about the details of how we do this security training—see if you think this could help you!

Speakers
avatar for Leif Dreizler

Leif Dreizler

Senior Application Security Engineer, Segment
Leif works on the AppSec team at Segment, partnering with engineers to continuously improve their security story and protect customer data. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He was a... Read More →



Thursday April 18, 2019 1:00pm - 1:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:30pm

Tips and tricks for effective vulnerability management
If you run a vulnerability response or bug bounty program (or both), there's a good chance you're experiencing substantial growth year over year.  In this talk, Pieter Ockers of Adobe's PSIRT will tell the story of how incremental steps to mature a vulnerability management framework can help decrease the average number of unresolved vulnerabilities, as well as reducing the average age of unresolved cases.
 
Pieter will share tips on:
  • Developing productive relationships with resource-constrained engineering teams
  • Leveraging vulnerability submission platforms to scale your team
  • Developing vulnerability taxonomies to consistently score risk
  • Implementing an escalation protocol to improve response outcomes
  • Selecting the right data for the executive audience
  • Applications of the 80/20 rule for vulnerability response


Speakers
PO

Pieter Ockers

PSIRT Manager, Adobe
Pieter Ockers is a Senior Security Program Manager and runs Adobe’s Product Security Incident Response Team (PSIRT). Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.


Thursday April 18, 2019 1:30pm - 2:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:00pm

Multi-party vulnerability response in/with OSS
The Microsoft Security Response Center leads vulnerability response and disclosure for all Microsoft’s products and services – including open source software that Microsoft maintains and products or services that consume OSS.  OSS security vulnerabilities usually affect multiple parties and in many cases it is necessary for these parties to come together to coordinate the disclosure to minimize the risk and disruption to end-users (this is usually known as multi-party coordinated disclosure).  This talk will present examples in multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g. CVE-2019-5736) and standards/protocol weaknesses (e.g. CVE-2018-5391).  We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.

Speakers
avatar for Jorge Lopez

Jorge Lopez

Principal Security PM Manager, Microsoft
Jorge is a Principal Security PM Manager in the Vulnerability Response and Remediation team of Microsoft’s Security Response Center (MSRC). In this role, he leads a team responsible for intake, handling, and disclosure of security and privacy vulnerabilities in Microsoft’s products... Read More →


Thursday April 18, 2019 2:00pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

2:30pm

Break
Thursday April 18, 2019 2:30pm - 3:00pm
Courtyard

3:00pm

Bug bounty botox: how to spot good security DNA & prevention from cosmetic security
Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing in to use it everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There's a reason many top companies and governments manage their own triage & store their own bugs on premise, not in 5 year old startup cloud platforms triaged by contractors. Who has eyes on your bugs beside you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what in some cases is only superficial security performance art. All organizations need to understand why & how to manage particularly sensitive bugs more securely. What does your threat model & organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, & to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.

Speakers
avatar for Katie Moussouris

Katie Moussouris

CEO, Luta Security
Ms. Moussouris recently testified as an expert on bug bounties & the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the... Read More →


Thursday April 18, 2019 3:00pm - 3:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

3:30pm

Evolving beyond the vulnerability whack-a-mole game
With more than 197,000 known vulnerabilities published and over 22,000 new disclosures in 2018, organizations must make constant risk decisions. In fact, each day organizations have to ensure they are aware of approximately 60 new vulnerabilities, evaluate the potential impact to their organization’s products, and then determine if it warrants action. This task is daunting even to large, well staffed organizations and thus typically decisions are not made at all or delayed. While understanding vulnerability data, prioritizing and fixing issues remains extremely important. It is a must that organizations evolve beyond the Whack-a-Mole approach to vulnerability management in their products. To enable this, a move to a strategic approach is required that focuses on problem management and root cause analysis. Insights derived from vulnerability intelligence provide the capabilities for software risk ratings and answering important questions such as: Which vendors/products are the ones that are most likely to cause a data breach? Which vendors/products cost the most to maintain securely? Which vendors fix issues quickly in products rather than leave organization vulnerable? Which vendors/products are investing in secure coding? Are there products and component that should be removed from the organization?

Speakers
avatar for Jake Kouns

Jake Kouns

CISO, Risk Based Security
Jake is the founder of RVAsec and the CISO for Risk Based Security that provides vulnerabilities and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known security... Read More →


Thursday April 18, 2019 3:30pm - 4:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

4:00pm

Visibility & Control: Addressing supply chain challenges to trustworthy software-enabled things
Software is playing a pivotal role in most enterprises, whether they realize it or not, and with the advent of Industrial Internet of Things
(IoT) and other cyber/physical systems across our society and critical infrastructure and our collective love affair with automation, optimization, and “smart” devices that role is only going to increase. 
This talk addresses the myriad of issues that underlie unsafe, insecure, and unreliable software and provides the insights of the Industrial Internet Consortium and other government and industry efforts on how to conquer them and pave the way to a marketplace of trustworthy software-enabled connected things.

As the experience of several sectors has shown, the dependence on connected software needs to be met with a strong understanding of the risks to the overall trustworthiness of our software-based capabilities that we, our enterprises, and our world utilize. In many of these new connected systems issues of safety, reliability, and resilience rival or dominate concerns for security and privacy, the long-time focus of many in the IT world. Without a scalable and efficient method for managing these risks so our enterprises can continue to benefit from these advancements that powers our military, commercial industries, cities, and homes to new levels of efficiency, versatility, and cost effectiveness we face the potential for harm, death, and destructiveness.

In such a marketplace, creating, exchanging, and integrating components that are trustworthy as well as entering into value-chain relationships with trustworthy partners and service suppliers will be common if we can provide a method for explicitly defining what is meant by the word trustworthy. The approach being pursued by these groups, leveraging Structured Assurance Cases, Software Bill of Materials and secure development practices, is to explicitly identify the detailed requirements “about what we need to know about something for it to be worthy of our trust” and to do that in a way that we can convey that basis of trust to others that: can scale; is consistent within different workflows; is flexible to differing sets of hazards and environments; and is applicable to all sectors, domains, and industries. We will also consider the challenges of brownfield/greenfield in considering trustworthiness in legacy and new systems.



Speakers
avatar for Bob Martin

Bob Martin

Senior Principal Engineer, MITRE
Robert A. Martin, Senior Principal Engineer of the MITRE Corporation and member of the Industrial Internet Consortium Steering Committee has dedicated his career to working on solving some of the world’s most difficult problems in systems and software engineering – including cybersecurity... Read More →



Thursday April 18, 2019 4:00pm - 4:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

5:00pm

Luau Event - Smith's Kauai Garden Luau
Transportation will be arranged from the hotel. If you indicated you were bringing guests when you registered, we have space. If not, come see one of us.

https://www.smithskauai.com/garden-luau/

Aloha! Over 50 years ago, Grandpa started our family business in this sacred Wailua River Valley. We created our tropical paradise to celebrate the Hawaiian spirit of aloha that he loved and lived by. Today, four generations of my family continue to honor that tradition with the most famous of Hawaiian celebrations, the luau. Come share the traditions of our island home and become part of our ‘ohana.

Of course, the heart of any luau is the pa‘ina, the feast, and we’ll make sure you don’t go hungry. Kalua pig roasted in the earthen imu oven. Cousin Gary’s secret recipe for teriyaki beef. Ono mahimahi and tasty chicken adobo. Our family bowl of poi (which Grandma insistsyou try). We’ll even get some of you up on stage to try some hula moves as dinner winds down.

Food may be the heart of a luau, but music is the soul. Our Hawaiian ancestors preserved their history by passing down songs and chants called mele. At our luau, we celebrate these traditions, as well as the songs and dances from other cultures that live in our tropical paradise. The lyrical sway of the Hawaiian hula, the colorful precision of the Tahitian drum dances and the fiery emotion of the Samoan fire knife dance all speak deeply of the people who have come to call Hawaii home. We proudly share this rhythm of aloha with you.

Thursday April 18, 2019 5:00pm - 9:30pm
Smith’s Luau 3-5971 Kuhio Hwy, Kapaa, HI 96746
 
Friday, April 19
 

8:30am

Have you adapted your AppSec?
In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories, stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. David will talk through the various solutions using his experiences to help build security into the development process.

Speakers
avatar for David Lindner

David Lindner

Director, Application Security, Contrast Security
David is an experienced Application Security Professional with over 18 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support... Read More →



Friday April 19, 2019 8:30am - 9:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

8:30am

Day Care
Friday April 19, 2019 8:30am - 1:30pm
Kipu Room

9:15am

The truth about cookies, tokens and APIs
With the rise of Single Page Applications, we also see a paradigm shift in session management techniques. Instead of using server-side cookie-based sessions, many developers are shifting towards client-side state mechanisms, using JWT tokens an custom HTTP headers. There’s plenty of conflicting advice out there, discussing cookie security issues, Cross-Site Request Forgery, and XSS. So how can you make a sensible choice, and how will that impact the security of your application?

This talk will guide you in this choice. We dive into the technicalities behind these technologies, and the actual security impact of your choices. We’ll look at compatibility with current web security mechanisms. You will learn how to assess your past choices, and how to substantiate future decisions. 

Speakers
avatar for Philippe De Ryck

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security... Read More →



Friday April 19, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

10:00am

Break
Friday April 19, 2019 10:00am - 10:30am
Courtyard

10:30am

notok: creation and challenges in mental health and app development
Friday April 19, 2019 10:30am - 11:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

11:15am

Hana hou panel
A recap of the conference discussing the prime topics with some of our speakers.

Speakers
avatar for Jeremiah Grossman

Jeremiah Grossman

CEO, Bitdiscovery
Jeremiah Grossman's career spans a literal lifetime of approximately 20 years in information security, during which he has become one of the industry's biggest names. In that time, he has been publicly thanked by Microsoft, Mozilla, Google, Facebook, a variety of Fortune 500 companies... Read More →


Friday April 19, 2019 11:15am - 12:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

12:00pm

Lunch
Friday April 19, 2019 12:00pm - 1:00pm
Courtyard

1:00pm

Free workshop: Identifying abuse vectors in web applications
Vulnerabilities that put data or finances at risk are any developer's worst nightmare. But abuse vectors that lead to customers being harassed, doxxed, traumatized, or threatened are just as important to a community's experience—and are often neglected.

This workshop will introduce programmers of all skill levels to common ways that web applications can be exploited to harm others and some options for addressing them. We'll look at examples of software from pop culture with abuse vectors and collaborate on possible solutions.




Speakers
avatar for Terian Koscik

Terian Koscik

Software Engineer, GitHub


Friday April 19, 2019 1:00pm - 4:00pm
Kipu Room

1:00pm

Collaborative capture the flag
Participate in a collaborative, non-competitive capture the flag event where you can apply what you've learned in a fun and casual environment. Hints will be provided, answers will be supplied. Join a team or do it alone. It's up to you!

Speakers
avatar for Matt Langlois

Matt Langlois

Product Security Engineer, GitHub
Matt is a junior product security engineer at GitHub. Over the course of his University career he developed a passion for cyber security. Matt has gained a plethora of AppSec knowledge participating in bug bounty programs and CTFs. He previously organized monthly DefCon 613 meetups... Read More →


Friday April 19, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA

1:00pm

Job Fair
Companies like Slack, Uber, Google, and more will be actively recruiting at the event. Bring your resumes and be ready to chat but please, do not "dress for success."

Friday April 19, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA