One Track
Lots of Flavor


Wednesday, April 17


How not to use OAuth
OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC 6749 and RFC 6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proofing.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and deprecates less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.
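The checks below are an added example, not code from the talk or from the IETF working group: a minimal authorization-code client that implements the client-side MUSTs the Security BCP is concerned with, namely no implicit grant, PKCE (S256), exact redirect URI matching, one-shot state, and the mix-up defence of remembering which authorization server (AS) the user was sent to and checking that the response came from that same AS. The AS names, endpoint URLs, client ID and redirect URI are constructed for the example. The `iss` response parameter used for the mix-up check is the mechanism the working group later standardised as RFC 9207; the alternative the BCP describes is a distinct redirect URI per AS.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed metadata for the authorization servers this client trusts.
# Issuer identifiers and endpoint URLs are assumptions, not from the talk.
AUTH_SERVERS = {
    "https://as.bank.example": "https://as.bank.example/authorize",
    "https://as.other.example": "https://as.other.example/authorize",
}
CLIENT_ID = "demo-client"
# Registered verbatim with every AS; the BCP requires exact string matching, no wildcards.
REDIRECT_URI = "https://client.example/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """Single value of every query parameter; a duplicated parameter is rejected."""
    parsed = parse_qs(urlparse(url).query)
    if any(len(v) != 1 for v in parsed.values()):
        raise ValueError("duplicate query parameter")
    return {k: v[0] for k, v in parsed.items()}


@dataclass
class PendingAuth:
    issuer: str         # which AS the user was sent to; the mix-up defence needs this
    code_verifier: str  # PKCE secret; never leaves the client


class OAuthClient:
    def __init__(self) -> None:
        self._pending = {}  # state -> PendingAuth

    def start(self, issuer: str) -> str:
        """Build the authorization request URL for one AS and remember the binding."""
        if issuer not in AUTH_SERVERS:
            raise ValueError("unknown issuer")
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)  # 64 chars, within PKCE's 43..128
        self._pending[state] = PendingAuth(issuer, verifier)
        params = {
            "response_type": "code",  # code grant; the BCP deprecates response_type=token
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return AUTH_SERVERS[issuer] + "?" + urlencode(params)

    def handle_callback(self, url: str) -> dict:
        """Validate the redirect back from the AS and return the token request, which must
        be sent to the token endpoint of the AS named in the result and to no other AS."""
        parsed = urlparse(url)
        if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
            raise ValueError("response arrived at an unregistered redirect URI")
        q = query_params(url)
        pending = self._pending.pop(q.get("state", ""), None)  # one-shot: no replay
        if pending is None:
            raise ValueError("unknown or reused state")
        # Mix-up defence: the response must identify the AS, and it must be the AS this
        # state was issued for; otherwise the code would be sent to the wrong AS.
        if q.get("iss") != pending.issuer:
            raise ValueError("issuer mismatch: possible mix-up attack")
        if "code" not in q:
            raise ValueError("authorization response carries no code")
        return {
            "issuer": pending.issuer,  # pick the token endpoint from this, not from the response
            "grant_type": "authorization_code",
            "code": q["code"],
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "code_verifier": pending.code_verifier,
        }
```

The interesting failure case is the mix-up: the user is sent to one AS, an attacker-controlled AS answers on the same redirect URI, and a client that does not remember where it sent the user happily forwards the code (and its verifier) to the attacker's token endpoint. Binding the state to the issuer and checking the response against it closes that hole regardless of which of the two countermeasures the AS supports.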


Daniel Fett

Security Research, yes.com
Daniel Fett is a security researcher and security specialist at yes.com. Before that, he received a PhD in Computer Science from University of Stuttgart, Germany. During his research, he developed new methods to formally analyze the security of web applications and standards. He used these formal methods to find new attack vectors on OAuth, OpenID Conn...

Wednesday April 17, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


The path to code provenance at Uber
The landscape of Uber applications and services moves and evolves quickly. At our scale, where a one-in-a-million ride happens 10 times every day and production code changes thousands of times a day, scaling security at the rate of business is critical.

Fundamentally we must assure, across our multitude of services and engineering teams, that all production code meets defined security requirements, including compliance obligations. An important piece of this is providing documented assurance that code is authored/reviewed/approved by the appropriate parties and that code running in production is one and the same.

We will share some specific examples and use cases from Uber's product security team that can be applied in other environments, including:
- deploying hooks for developers to sign commits (and enforcement of signatures before building container images)
- making security a first-class citizen in our build pipelines to harden and sign builds (and integrations with our container orchestration framework to ensure that our build/image artifacts have been appropriately hardened and vetted to be run within our infrastructure)
- improvements to our container runtime security, in order to efficiently detect and block any unauthorized code (including runtime anomaly detection and a process for remediation of newly-blacklisted packages)
- deploying security policies around third-party dependencies (and how we hook into the SDLC in order to warn and enforce when something is out of policy compliance)

We'll talk through integration pain points, key takeaways, infrastructure-specific challenges we faced, surprising discoveries, and issues/questions we've tackled along the way.
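As an added example of the first bullet above (enforcing commit signatures before a container image is built), the gate below is not Uber's code: it consumes the output of `git log --format='%H%x09%G?%x09%GF%x09%an' <last-built>..<head>` run on the build host, and refuses the range unless every commit carries a good signature from a key on an allowlist. The `%G?` status letters and `%GF` (signing key fingerprint) come from git-log(1); the sample log lines, the fingerprints and the author names are constructed.

```python
from dataclasses import dataclass

# Intended input, produced on the build host (never trusted from the developer side):
#   git log --format='%H%x09%G?%x09%GF%x09%an' <last-built>..<head>
# %G? is git's one-letter signature status, %GF the fingerprint of the signing key.
GOOD = "G"            # good signature from a key the keyring trusts
GOOD_UNTRUSTED = "U"  # good signature, key validity unknown to the keyring; allowlist decides
NO_SIGNATURE = "N"
# Remaining codes (B bad, X/Y expired, R revoked, E cannot be checked) are all failures.

# Constructed allowlist: fingerprints of keys enrolled through the signing hooks.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

# Constructed sample of the git log output described above (not real commits).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice\n"
    "2222222222222222222222222222222222222222\tN\t\tBob\n"
    "3333333333333333333333333333333333333333\tU\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\tMallory\n"
    "4444444444444444444444444444444444444444\tB\t0123456789ABCDEF0123456789ABCDEF01234567\tAlice\n"
)


@dataclass(frozen=True)
class CommitSig:
    sha: str
    status: str
    fingerprint: str
    author: str


def parse_git_log(text: str) -> list:
    """One CommitSig per non-empty tab-separated line."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, fingerprint, author = line.split("\t", 3)
        commits.append(CommitSig(sha, status, fingerprint, author))
    return commits


def violations(commits, trusted=TRUSTED_FINGERPRINTS) -> list:
    """Return (sha, reason) for every commit the policy rejects."""
    problems = []
    for c in commits:
        if c.status == NO_SIGNATURE:
            problems.append((c.sha, "unsigned"))
        elif c.status not in (GOOD, GOOD_UNTRUSTED):
            problems.append((c.sha, f"signature status {c.status}"))
        elif c.fingerprint not in trusted:
            problems.append((c.sha, f"signed by non-enrolled key {c.fingerprint}"))
    return problems


def may_build(log_text: str, trusted=TRUSTED_FINGERPRINTS) -> bool:
    """The gate: every commit in the range needs a good signature from an enrolled key."""
    return not violations(parse_git_log(log_text), trusted)


if __name__ == "__main__":
    for sha, reason in violations(parse_git_log(SAMPLE_LOG)):
        print(f"refusing {sha[:12]}: {reason}")
```

Two design points worth carrying over: the verification has to happen on the build infrastructure against the repository it fetched itself (a client-side hook only makes signing convenient, it enforces nothing), and a cryptographically good signature is not sufficient on its own, which is why status `U` is accepted only when the fingerprint is on the allowlist of enrolled keys.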


Matthew Finifter

Security Engineer, Uber
Matthew Finifter is a security engineer on Uber's Application Security team. His recent work focuses on the design and implementation of application security automation and improvements within Uber's software development lifecycle. He received his PhD in Computer Science from UC Berkeley...

Tony Ngo

Security Engineer, Uber
Tony Ngo is a security engineer on Uber's Application Security team. He has spent the last 12 years of his professional life doing defensive security engineering ranging from designing/implementing obfuscation/anti-tampering tools, to mucking with mobile security and most recently...

Debosmit (Debo) Ray

Software Engineer, Uber Technologies, Inc.
Debosmit Ray (Debo) is an engineer on Uber's Product Security team. His most recent work includes extending Uber's data stores to have encryption support, integrating security primitives into various components of Uber's SDLC, infrastructure security and anomaly detection. He received...

Wednesday April 17, 2019 10:20am - 11:05am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Content Security Policy: A successful mess between hardening and mitigation
In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own, distinct, preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.
We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlight special cases with Service Workers, WebAssembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.
After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.
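The following is an added example, not Google's code, for two points the abstract raises: what a nonce-based ("strict") CSP looks like, and what happens when more than one policy is set. The header template is the widely published strict-CSP shape (nonce plus `'strict-dynamic'`, with `https:` and `'unsafe-inline'` only as fallbacks for browsers that do not understand nonces); the decision function is a deliberately simplified model of CSP3 source matching, enough to show that `'unsafe-inline'` and host allowlists are ignored once a nonce is present and that multiple policies compose by intersection. Origins and policy strings in the test are constructed.

```python
import secrets

STRICT_TEMPLATE = (
    "script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
    "object-src 'none'; base-uri 'none'"
)


def new_nonce() -> str:
    """Fresh per-response nonce; a reused or predictable nonce defeats the scheme."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """Nonce-based policy. CSP3 browsers ignore https: and 'unsafe-inline' because a nonce
    and 'strict-dynamic' are present; CSP1 browsers fall back to them."""
    return STRICT_TEMPLATE.format(nonce=nonce)


def parse_policy(header: str) -> dict:
    """directive name -> list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def script_allowed(policy: dict, nonce=None, src=None) -> bool:
    """Simplified CSP3 decision for one script under one policy.
    src=None means an inline script; otherwise src is the script's origin."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing restricts script execution at all
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    strict_dynamic = "'strict-dynamic'" in sources
    if src is None:
        # 'unsafe-inline' is ignored once a nonce/hash or 'strict-dynamic' is present
        return "'unsafe-inline'" in sources and not has_nonce_or_hash and not strict_dynamic
    if strict_dynamic:
        return False  # host and scheme allowlists are ignored; trust flows only from nonced scripts
    for s in sources:
        if s == "*" or s == src:
            return True
        if s.endswith(":") and src.startswith(s + "//"):
            return True  # scheme-source such as https:
    return False


def allowed_under_all(headers, nonce=None, src=None) -> bool:
    """Several CSP headers compose by intersection: a script must satisfy every policy."""
    return all(script_allowed(parse_policy(h), nonce, src) for h in headers)
```

The composition rule is the practical point about "setting more than one policy": adding a second, stricter header can only remove capability, never grant it, so a legacy allowlist policy can be kept for old browsers while a nonce-based one is layered on top without loosening anything. Real matching has more cases (paths, ports, `'self'`, hashes, parser-inserted versus script-inserted nodes under `'strict-dynamic'`) than this model covers.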


Michele Spagnuolo

Senior Information Security Engineer, Google
Senior Information Security Engineer at Google Switzerland, Michele is a security researcher focused on web application security, and the Rosetta Flash guy. He is also author of BitIodine, a tool for extracting intelligence from the Bitcoin network.

Lukas Weichselbaum

Staff Information Security Engineer, Google
Lukas Weichselbaum is a Staff Information Security Engineer at Google with 10+ years of industry experience who frequently speaks at international infosec and developer conferences. He's passionate about securing Web applications from common Web vulnerabilities and leads the Google-wide...

Wednesday April 17, 2019 11:05am - 11:50am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Security learns to sprint: DevSecOps
This talk will explain what security teams need to adjust in order to turn DevOps into DevSecOps within their organizations. Several strategies are presented for weaving security into each of the "Three Ways", with clear steps audience members can start implementing immediately.

This talk will argue that DevOps could be the best thing to happen to application security since OWASP, if developers and operations teams are enabled to make security a part of their everyday work. With a ratio of 100/10/1 for Development, Operations, and Security, security now needs to concentrate on creating tools, processes and opportunities for dev and ops that result in more-secure products, instead of trying to do it all themselves like they did in days past. We must build security into each of "The Three Ways": automating and/or improving efficiency of all security activities to ensure we don't slow down developers, speeding up feedback loops for security related activities so that we fix the bugs faster and sooner, and providing continuous learning opportunities in relation to security, for both teams. Security can no longer be a gate or stumbling block, and 'adding security in' can no longer be used as a justification for project delays. If developers are sprinting, then we need to sprint too. So put on your running shoes; it's time for DevSecOps!


Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of 'Alice and Bob Learn Application Security'. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...

Wednesday April 17, 2019 1:00pm - 1:45pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Trusted types & the end of DOM XSS
18 years have passed since Cross-Site Scripting (XSS) was identified as a web vulnerability class. Since then, numerous efforts have been proposed to detect, fix or mitigate it. We've seen vulnerability scanners, fuzzers, static & dynamic code analyzers, taint tracking engines, linters, and finally XSS filters, WAFs and all the various flavours of Content Security Policy.

Various libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers, templating libraries, sandboxing solutions - and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.

It seems like, while we have a pretty good grasp on how to address stored & reflected XSS, "solving" DOM XSS remains an open question. DOM XSS is caused by ever-growing complexity of client-side JavaScript code (see script gadgets), but most importantly - the lack of security in DOM API design.

But perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications, Trusted Types add the DOM XSS prevention API to the browsers. Trusted Types allow isolating the application components that may potentially introduce DOM XSS into tiny, reviewable pieces, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions like autoescaping templating libraries or client-side sanitizers as building blocks of a secure application.

Trusted Types have a working polyfill, an implementation in Chrome and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP, they are also fundamentally different, and in our opinion have a reasonable chance of eliminating DOM XSS - once and for all.


Krzysztof Kotowicz

Software Engineer, Google LLC
Krzysztof Kotowicz is a web security researcher specialising in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, Owasp...

Wednesday April 17, 2019 1:45pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Bulletproof Shoes
Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused).
These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.
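The "token nuker" itself is not published on this page; what follows is an added example of the same detect-then-revoke loop, written independently and not Slack's tool. It scans text (a diff, a paste, a repository file) for strings shaped like Slack tokens and revokes each candidate with itself through Slack's public `auth.revoke` Web API method, which returns `{"ok": true, "revoked": true}` on success. The token regex is an approximation of the documented prefixes and should be checked against Slack's current documentation; the sample diff and the tokens in it are constructed. The HTTP call is injected as a parameter so the logic can run, and be tested, offline.

```python
import json
import re
from urllib import parse, request

# Approximation of Slack's token shape (type prefix, then dash-separated alphanumerics).
# Assumption for the example; tighten against Slack's documentation before relying on it.
TOKEN_RE = re.compile(r"\bxox[abprs]-[0-9A-Za-z][0-9A-Za-z-]{8,}\b")

REVOKE_URL = "https://slack.com/api/auth.revoke"

# Constructed text standing in for a public commit diff; these tokens are not real.
SAMPLE_DIFF = """\
+SLACK_BOT_TOKEN = "xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx"
+slack_user = "xoxp-12345678901-12345678901-123456789012-0123456789abcdef0123456789abcdef"
 log.info("posting with xoxz-not-a-slack-token")
"""


def find_candidates(text: str) -> list:
    """Every distinct string that looks like a Slack token, in order of appearance."""
    seen, out = set(), []
    for m in TOKEN_RE.finditer(text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            out.append(m.group(0))
    return out


def _post_form(url: str, fields: dict) -> dict:
    """Default transport: form-encoded POST, JSON response."""
    req = request.Request(url, data=parse.urlencode(fields).encode(), method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def revoke(token: str, post=_post_form) -> str:
    """Revoke the token using the token itself. Returns 'revoked', 'already_dead' when
    Slack reports the token is no longer valid, or 'error:<reason>' otherwise."""
    resp = post(REVOKE_URL, {"token": token})
    if resp.get("ok") and resp.get("revoked"):
        return "revoked"
    err = resp.get("error", "unknown")
    if err in ("invalid_auth", "token_revoked", "account_inactive"):
        return "already_dead"
    return f"error:{err}"


def nuke(text: str, post=_post_form) -> dict:
    """Scan, then attempt revocation of each candidate; a false positive costs one
    failed API call, a miss costs a live credential in public."""
    return {t: revoke(t, post) for t in find_candidates(text)}
```

Because the leaked token is the only credential needed to revoke it, the tool never needs privileged access of its own, which keeps the scanner itself from becoming a high-value target. The time pressure the abstract describes means this should be triggered by a push or publish event rather than a periodic crawl.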


Fikrie Yunaz

Product Security Engineer, Slack
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.

Nikki Brandt

Staff Security Engineer, Slack
Nikki Brandt is a Staff Tech Lead/Manager on the Product Security team at Slack, where she currently leads the Product Security team and drives the security review process. Before joining Slack, Nikki was a senior security consultant at NCC Group (via Matasano), and a security engineer...

Wednesday April 17, 2019 3:00pm - 3:45pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Trust & Safety Engineering @ GitHub
GitHub is the #1 open source platform in the world, with over 30 million users working in over 100 million repositories. How do we protect our users from harassment while encouraging happy, healthy communities at such a large scale? In this session, I'll introduce the concept of Trust & Safety work in online platforms, talk a bit about different models used to tackle this problem, and then walk through some engineering challenges and trade-offs faced at GitHub.

Learning objective: User safety and privacy, just like security, needs to be built into the platform from the ground up. It is the job of every engineer writing user-facing code to understand and use these best practices.


Lexi Galantino

Community & Safety Engineer, GitHub

Wednesday April 17, 2019 3:45pm - 4:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
Thursday, April 18


Who wants a thousand free puppies? Managing open source software security in the enterprise
Open source software (OSS) is ubiquitous in the modern enterprise, enabling rapid solution development through re-use of ready-to-use components, written and maintained by outside developers. And while using OSS unquestionably brings benefits, security vulnerabilities discovered in those components can have devastating consequences. From Heartbleed to eslint-scope, Apache Struts to Zip Slip, awareness of security risk in OSS has gained mindshare in developers and executives alike. The growing size and complexity of the OSS ecosystem bring some particular challenges: How can you ensure the OSS used to run your business is trustworthy? How can you mitigate security risk in a "run fast" DevOps environment without getting in the way? In this interactive session, we will describe lessons learned building an OSS security program at Microsoft, explore best practices, and discuss how to tailor those practices effectively within your organization. Specifically, we'll cover the following:
- Building a comprehensive, accurate inventory of OSS components used.
- Understanding the security posture of each identified OSS component.
- Responding to security vulnerabilities in OSS.

Open source software isn't like a free Mai Tai; it's like a free puppy.


Michael Scovetta

Principal Security PM Manager, Microsoft
Michael Scovetta is a Principal Security PM Manager at Microsoft, leading a team researching emerging security threats and building technology solutions to mitigate them. Prior to joining Microsoft, Michael held security and software engineering roles at CBS, CA Technologies, Cigital...

Thursday April 18, 2019 9:00am - 9:30am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


SBoMs (software bill of materials) – the looming format skirmish
SBoMs – suddenly an item on every customer's checklist. They all _KNOW_ they simply must have one to accompany their latest enterprise software purchase. But how many know what they are asking for? Is SBoM even a defined thing? It may be more likely that they think about SBoMs in theory than in practice. Many define SBoMs.

SBoMs are supposed to provide us information efficiently. But how is that information stored – how do we generate it, and how do end users consume it? Despite the fact that it’s 2019 – it seems the overwhelming choice remains CSV files managed by Excel. That doesn’t mean that there aren’t viable formats beyond unstructured CSV files. Indeed, there are a plethora of formats that are purpose-built for describing the third-party components composition of a software package. Indeed we’ve had Software Bill of Materials available in human and machine readable formats for decades now; even if few were using them.

In this talk we'll cover the leading SBoM formats (SWID, SPDX, and CSV) as well as glancing back at some of the tools that were used in days gone by. We'll examine the landscape of SBoM hype and which way governments, industry, and standards orgs are headed. After all, there is nothing worse than delivering an SBoM that no one can read. We'll also answer questions like "Is this a zero sum game?" and "
Attendees will learn about tools to generate and read SBoMs in numerous formats. We’ll also explore avoiding format lock-in. Attendees will also take away an understanding of the landscape, and the strengths and weaknesses of the formats to be able to make informed decisions on the path to SBoM happiness.
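As an added example serving both this abstract (reading SBoMs in more than one format without locking into either) and the inventory and response steps of the preceding "free puppy" session, the code below is not from either speaker: it parses a small SPDX tag-value document and the CSV that the abstract says remains the overwhelming choice, merges both into one component inventory keyed by name and version, and matches that inventory against an advisory feed. The SPDX field names (`PackageName`, `PackageVersion`, `PackageLicenseConcluded`, `ExternalRef: PACKAGE-MANAGER purl ...`) are from the SPDX 2.x tag-value specification; the two documents, the component names and versions, and the advisory identifiers are constructed and describe no real software or CVE. SWID (XML) is not handled here, and the version comparison is the minimum needed for dotted numeric versions.

```python
import csv
import io
from dataclasses import dataclass

# Two constructed SBoMs describing the same two components: an SPDX 2.x tag-value
# document and a CSV export. Names, versions and the advisories are fictional.
SPDX_SAMPLE = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
DocumentName: example-app-1.0
PackageName: left-padder
SPDXID: SPDXRef-Package-left-padder
PackageVersion: 1.2.0
PackageLicenseConcluded: MIT
ExternalRef: PACKAGE-MANAGER purl pkg:npm/left-padder@1.2.0
PackageName: parser-core
SPDXID: SPDXRef-Package-parser-core
PackageVersion: 3.1.0
PackageLicenseConcluded: Apache-2.0
ExternalRef: PACKAGE-MANAGER purl pkg:maven/com.example/parser-core@3.1.0
"""

CSV_SAMPLE = """\
name,version,license
left-padder,1.2.0,MIT
parser-core,3.1.0,Apache-2.0
"""

# Constructed advisory feed (not real CVEs): a component is affected if version < fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-2019-0001", "name": "parser-core", "fixed_in": "3.2.0"},
    {"id": "EXAMPLE-2019-0002", "name": "left-padder", "fixed_in": "1.1.0"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str = ""
    purl: str = ""  # package URL when the source supplies one


def parse_spdx_tag_value(text: str) -> list:
    """Package-level fields only; multi-line <text> blocks are not handled."""
    components, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag == "PackageName":
            if current:
                components.append(Component(**current))
            current = {"name": value, "version": ""}
        elif current is None:
            continue  # document-level fields before the first package
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageLicenseConcluded":
            current["license"] = value
        elif tag == "ExternalRef" and value.startswith("PACKAGE-MANAGER purl "):
            current["purl"] = value.split()[-1]
    if current:
        components.append(Component(**current))
    return components


def parse_csv(text: str) -> list:
    """Columns name, version and (optionally) license."""
    return [Component(r["name"], r["version"], r.get("license", ""))
            for r in csv.DictReader(io.StringIO(text))]


def build_inventory(*sources) -> dict:
    """Merge components from any number of parsed SBoMs, keyed by (name, version);
    a purl is kept whenever any source supplies one."""
    inventory = {}
    for comps in sources:
        for c in comps:
            key = (c.name, c.version)
            prev = inventory.get(key)
            if prev is None or (not prev.purl and c.purl):
                inventory[key] = c
    return inventory


def version_key(v: str) -> tuple:
    """Dotted numeric versions; non-numeric parts sort as 0 (enough for the sample)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def affected(inventory: dict, advisories=ADVISORIES) -> list:
    """(advisory id, component) for every inventory entry an advisory covers."""
    hits = []
    for (name, version), comp in inventory.items():
        for adv in advisories:
            if adv["name"] == name and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], comp))
    return hits
```

The point of the intermediate `Component` model is the one the abstract makes about lock-in: the inventory and the response step never see the input format, so adding a SWID or SPDX JSON reader later changes one parser and nothing downstream. The weak spot in practice is matching, which is why the purl is preserved whenever a source provides it; bare name/version pairs from a CSV are ambiguous across ecosystems.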


David Nalley

Open Source Guy, BlackBerry
David Nalley is a recovering sysadmin who still feels phantom vibrations from a decade-plus absent pager. David is a former member of Apache Software Foundation's Board of Directors and currently serves as the Vice-President of Infrastructure for the ASF. David helped build cloudy...

Thursday April 18, 2019 9:30am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


SDL at scale: growing security champions
If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you. 

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions that go beyond just interfacing with the security team but also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.


Ryan O' Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...

Thursday April 18, 2019 10:30am - 11:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Upstreaming security to Rails: a story about falling behind and catching back up again
Web frameworks have helped enable development that just would not be practical otherwise. While frameworks can introduce unseen attack surfaces, they can also solve problems including entire classes of vulnerabilities (when a supported version of the framework is used properly). GitHub is in the interesting position of employing members of the Rails security group, core maintainers, and public bounty members. We have introduced features, applied secure defaults, and taken away many rough edges. This talk will explore examples of features that other frameworks can or should use, some of which came from GitHub. We will also explore the history of some of these features across other frameworks.

It's no surprise that using out of date dependencies introduces many types of risk. It also makes it very hard to hire, retain, maintain, secure, or improve anything or anyone. Bleeding edge or die


Neil Matatall

Product Security Engineer, GitHub
Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C-webappsec group member, an OWASP Chapter leader, and has organized multiple conferences...

Thursday April 18, 2019 11:00am - 11:30am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


JavaScript supply chain security
In an npm survey of over 33,000 worldwide developers, 99% of JavaScript developers confirm they use open source code, 83% express concern about whether the open source software they use is secure, and 58% believe that there aren't satisfactory methods for evaluating whether code is safe. npm is the world's supplier of JavaScript, a very important piece of the dependency supply chain. In this talk Adam will discuss the current security state of the JavaScript ecosystem, what security challenges it has faced, and what npm has done and continues to do to make this supply chain more secure.


Adam Baldwin

Sr. Product Manager, Supply Chain Security, GitHub
Adam Baldwin is a Senior Product Manager focused on supply chain security at GitHub. A security focused leader with over 25 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously...

Thursday April 18, 2019 11:30am - 12:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
Speaker bio at the time of the talk: Adam Baldwin is Director of Security at npm Inc., the company that powers the world's JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously, Adam founded ^Lift Security, a successful application security and penetration testing service company, and the Node Security Platform, an initiative to track vulnerabilities in the JavaScript ecosystem. The project evolved into a SaaS platform at the forefront of the continuous security movement. Both were acquired by npm, Inc. in early 2018.


A good first impression can work wonders: creating AppSec training that developers ❤
Good vulnerability response practices are critical to software security. But good vulnerability response practices work even better on software built with security in mind.

At Segment, we use vulnerability report data and gamification to help our developers grow their security mindset. In this session, we'll explain our two-tiered approach: first presenting vulnerability report and pentesting trends to teach where vulnerabilities have been identified in the past, and then teaching our team how to hunt for and report security bugs they've found.

We've found this approach really helpful in increasing security before release, almost eliminating one class of vulnerability reports. In this session, I'll talk about the details of how we do this security training; see if you think this could help you!


Leif Dreizler

Senior Application Security Engineer, Segment
Leif works on the AppSec team at Segment, partnering with engineers to continuously improve their security story and protect customer data. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He was a...

Thursday April 18, 2019 1:00pm - 1:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Tips and tricks for effective vulnerability management
If you run a vulnerability response or bug bounty program (or both), there's a good chance you're experiencing substantial growth year over year.  In this talk, Pieter Ockers of Adobe's PSIRT will tell the story of how incremental steps to mature a vulnerability management framework can help decrease the average number of unresolved vulnerabilities, as well as reducing the average age of unresolved cases.
Pieter will share tips on:
  • Developing productive relationships with resource-constrained engineering teams
  • Leveraging vulnerability submission platforms to scale your team
  • Developing vulnerability taxonomies to consistently score risk
  • Implementing an escalation protocol to improve response outcomes
  • Selecting the right data for the executive audience
  • Applications of the 80/20 rule for vulnerability response


Pieter Ockers

PSIRT Manager, Adobe
Pieter Ockers is a Senior Security Program Manager and runs Adobe’s Product Security Incident Response Team (PSIRT). Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.

Thursday April 18, 2019 1:30pm - 2:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Multi-party vulnerability response in/with OSS
The Microsoft Security Response Center leads vulnerability response and disclosure for all of Microsoft's products and services, including open source software that Microsoft maintains and products or services that consume OSS. OSS security vulnerabilities usually affect multiple parties, and in many cases it is necessary for these parties to come together to coordinate the disclosure to minimize the risk and disruption to end users (this is usually known as multi-party coordinated disclosure). This talk will present examples of multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g., CVE-2019-5736) and standards/protocol weaknesses (e.g., CVE-2018-5391). We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.


Jorge Lopez

Principal Security PM Manager, Microsoft
Jorge is a Principal Security PM Manager in the Vulnerability Response and Remediation team of Microsoft's Security Response Center (MSRC). In this role, he leads a team responsible for intake, handling, and disclosure of security and privacy vulnerabilities in Microsoft's products...

Thursday April 18, 2019 2:00pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Bug bounty botox: how to spot good security DNA & prevention from cosmetic security
Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing in to use them everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag about sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There's a reason many top companies and governments manage their own triage & store their own bugs on premises, not in 5-year-old startup cloud platforms triaged by contractors. Who has eyes on your bugs besides you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what in some cases is only superficial security performance art? All organizations need to understand why & how to manage particularly sensitive bugs more securely. What does your threat model & organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, & to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.


Katie Moussouris

CEO, Luta Security
Ms. Moussouris recently testified as an expert on bug bounties & the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the...

Thursday April 18, 2019 3:00pm - 3:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Evolving beyond the vulnerability whack-a-mole game
With more than 197,000 known vulnerabilities published and over 22,000 new disclosures in 2018, organizations must make constant risk decisions. In fact, each day organizations have to ensure they are aware of approximately 60 new vulnerabilities, evaluate the potential impact to their organization's products, and then determine whether action is warranted. This task is daunting even to large, well-staffed organizations, and thus decisions are typically delayed or not made at all. While understanding vulnerability data and prioritizing and fixing issues remain extremely important, organizations must evolve beyond the Whack-a-Mole approach to vulnerability management in their products. To enable this, a move to a strategic approach is required that focuses on problem management and root cause analysis. Insights derived from vulnerability intelligence provide the capabilities for software risk ratings and for answering important questions such as: Which vendors/products are the ones most likely to cause a data breach? Which vendors/products cost the most to maintain securely? Which vendors fix issues in products quickly rather than leaving organizations vulnerable? Which vendors/products are investing in secure coding? Are there products and components that should be removed from the organization?

Jake Kouns

CISO, Risk Based Security
Jake is the founder of RVAsec and the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known security...

Thursday April 18, 2019 3:30pm - 4:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Visibility & Control: Addressing supply chain challenges to trustworthy software-enabled things
Software is playing a pivotal role in most enterprises, whether they realize it or not, and with the advent of the Industrial Internet of Things (IoT) and other cyber/physical systems across our society and critical infrastructure, and our collective love affair with automation, optimization, and "smart" devices, that role is only going to increase.

This talk addresses the myriad issues that underlie unsafe, insecure, and unreliable software and provides the insights of the Industrial Internet Consortium and other government and industry efforts on how to conquer them and pave the way to a marketplace of trustworthy software-enabled connected things.

As the experience of several sectors has shown, the dependence on connected software needs to be met with a strong understanding of the risks to the overall trustworthiness of the software-based capabilities that we, our enterprises, and our world utilize. In many of these new connected systems, issues of safety, reliability, and resilience rival or dominate concerns for security and privacy, the long-time focus of many in the IT world. Without a scalable and efficient method for managing these risks, so that our enterprises can continue to benefit from the advancements that power our military, commercial industries, cities, and homes to new levels of efficiency, versatility, and cost effectiveness, we face the potential for harm, death, and destruction.

In such a marketplace, creating, exchanging, and integrating components that are trustworthy, as well as entering into value-chain relationships with trustworthy partners and service suppliers, will be common if we can provide a method for explicitly defining what is meant by the word trustworthy. The approach being pursued by these groups, leveraging Structured Assurance Cases, Software Bills of Materials, and secure development practices, is to explicitly identify the detailed requirements "about what we need to know about something for it to be worthy of our trust" and to do so in a way that conveys that basis of trust to others and that: can scale; is consistent across different workflows; is flexible to differing sets of hazards and environments; and is applicable to all sectors, domains, and industries. We will also consider the brownfield/greenfield challenges of assessing trustworthiness in legacy and new systems.

Robert Martin

Senior Principal Engineer, The MITRE Corporation
Robert A. Martin, Senior Principal Engineer of the MITRE Corporation and member of the Industrial Internet Consortium Steering Committee, has dedicated his career to working on solving some of the world's most difficult problems in systems and software engineering, including cybersecurity...

Thursday April 18, 2019 4:00pm - 4:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
Friday, April 19


Have you adapted your AppSec?
In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories, stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles (tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations); every organization has a unique solution, and there are positives and negatives to each of them. David will talk through the various solutions, using his experiences to help build security into the development process.

David Lindner

Director, Application Security, Contrast Security
David is an experienced Application Security Professional with over 18 years of experience in the computer security industry. During this time, David has worked within multiple disciplines in the security field, from application development, network architecture design and support...

Friday April 19, 2019 8:30am - 9:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


The truth about cookies, tokens and APIs
With the rise of Single Page Applications, we also see a paradigm shift in session management techniques. Instead of using server-side cookie-based sessions, many developers are shifting towards client-side state mechanisms, using JWT tokens and custom HTTP headers. There's plenty of conflicting advice out there, discussing cookie security issues, Cross-Site Request Forgery, and XSS. So how can you make a sensible choice, and how will that impact the security of your application?

This talk will guide you in this choice. We dive into the technicalities behind these technologies and the actual security impact of your choices. We'll look at compatibility with current web security mechanisms. You will learn how to assess your past choices and how to substantiate future decisions.

Philippe De Ryck

Founder, Pragmatic Web Security
Philippe De Ryck helps developers protect companies through better web security. As the founder of Pragmatic Web Security, he travels the world to train developers on web security and security engineering. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional...

Friday April 19, 2019 9:15am - 10:00am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


notok: creation and challenges in mental health and app development
Friday April 19, 2019 10:30am - 11:15am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Collaborative capture the flag
Participate in a collaborative, non-competitive capture the flag event where you can apply what you've learned in a fun and casual environment. Hints will be provided, answers will be supplied. Join a team or do it alone. It's up to you!

Matt Langlois

Product Security Engineer, GitHub
Matt is a junior product security engineer at GitHub. Over the course of his university career he developed a passion for cyber security. Matt has gained a plethora of AppSec knowledge participating in bug bounty programs and CTFs. He previously organized monthly DefCon 613 meetups...

Friday April 19, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Job Fair
Companies like Slack, Uber, Google, and more will be actively recruiting at the event. Bring your resumes and be ready to chat but please, do not "dress for success."

Friday April 19, 2019 1:00pm - 5:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA