One Track
Lots of Flavor

Thursday, April 18


A good first impression can work wonders: creating AppSec training that developers ❤
Good vulnerability response practices are critical to software security. But good vulnerability response practices work even better on software built with security in mind.

At Segment, we use vulnerability report data and gamification to help our developers grow their security mindset. In this session, we'll explain our two-tiered approach: first presenting vulnerability report and pentesting trends to teach where vulnerabilities have been identified in the past, and then teaching our team how to hunt for and report security bugs they've found.

We've found this approach really helpful in increasing security before release, almost eliminating one class of vulnerability reports. In this session, I'll talk about the details of how we do this security training—see if you think this could help you!


Leif Dreizler

Senior Application Security Engineer, Segment
Leif works on the AppSec team at Segment, partnering with engineers to continuously improve their security story and protect customer data. Leif got his start in the security industry at Redspin doing security consulting work, and was later an early employee at Bugcrowd. He was a...

Thursday April 18, 2019 1:00pm - 1:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Tips and tricks for effective vulnerability management
If you run a vulnerability response or bug bounty program (or both), there's a good chance you're experiencing substantial growth year over year. In this talk, Pieter Ockers of Adobe's PSIRT will tell the story of how incremental steps to mature a vulnerability management framework can help decrease the average number of unresolved vulnerabilities, as well as reduce the average age of unresolved cases.
Pieter will share tips on:
  • Developing productive relationships with resource-constrained engineering teams
  • Leveraging vulnerability submission platforms to scale your team
  • Developing vulnerability taxonomies to consistently score risk
  • Implementing an escalation protocol to improve response outcomes
  • Selecting the right data for the executive audience
  • Applications of the 80/20 rule for vulnerability response


Pieter Ockers

PSIRT Manager, Adobe
Pieter Ockers is a Senior Security Program Manager and runs Adobe’s Product Security Incident Response Team (PSIRT). Based in San Francisco, Pieter is passionate about engaging with the security research community to build a stronger, more secure and resilient ecosystem.

Thursday April 18, 2019 1:30pm - 2:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Multi-party vulnerability response in/with OSS
The Microsoft Security Response Center leads vulnerability response and disclosure for all of Microsoft's products and services, including open source software that Microsoft maintains and products or services that consume OSS. OSS security vulnerabilities usually affect multiple parties, and in many cases it is necessary for these parties to come together to coordinate the disclosure to minimize the risk and disruption to end users (this is usually known as multi-party coordinated disclosure). This talk will present examples of multi-party coordination involving OSS, including coordination related to hardware (e.g., CVE-2018-8897), software (e.g., CVE-2019-5736) and standards/protocol weaknesses (e.g., CVE-2018-5391). We will extract commonalities, challenges, and lessons learned across several scenarios and provide our recommendations on coordinated multi-party response for organizations that are building or improving their product security response programs.


Jorge Lopez

Principal Security PM Manager, Microsoft
Jorge is a Principal Security PM Manager in the Vulnerability Response and Remediation team of Microsoft's Security Response Center (MSRC). In this role, he leads a team responsible for intake, handling, and disclosure of security and privacy vulnerabilities in Microsoft's products...

Thursday April 18, 2019 2:00pm - 2:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Bug bounty botox: how to spot good security DNA & prevention from cosmetic security
Bug bounties are beautiful, when done right. But what about bug bounties gone bad? Bug bounties have risen in popularity across the globe since the success of Hack the Pentagon, but we are rushing in to use them everywhere, even where sensitive assets are concerned. The allure of "thorough" security vulnerability testing at a fraction of the cost of traditional professional penetration testing seems too good to be true. It is. Like an oversubscribed cell phone provider boasting network speeds that local congestion can never meet, the bug bounty platforms brag about sheer account numbers, even as only a tiny fraction of bug hunters have any real luck (or skills). There's a reason many top companies and governments manage their own triage and store their own bugs on premises, not in 5-year-old startup cloud platforms triaged by contractors. Who has eyes on your bugs besides you? How can we use this new crowd-sourced security testing safely? Where are we inadvertently mishandling sensitive information in the execution of what in some cases is only superficial security performance art? All organizations need to understand why and how to manage particularly sensitive bugs more securely. What do your threat model and organizational maturity tell you about whether you can safely use a bug bounty, and against which targets? Learn to spot bug bounty Botox, and to go deeper into the tradeoffs of any given bug discovery method. Both sides of this bug gig economy can do better. Come find out how.


Katie Moussouris

CEO, Luta Security
Ms. Moussouris recently testified as an expert on bug bounties and the labor market for security research for the US Senate, and has also been called upon for European Parliament hearings on dual-use technology. She was later invited by the US State Department to help renegotiate the...

Thursday April 18, 2019 3:00pm - 3:30pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA


Evolving beyond the vulnerability whack-a-mole game
With more than 197,000 known vulnerabilities published and over 22,000 new disclosures in 2018, organizations must make constant risk decisions. In fact, each day organizations have to ensure they are aware of approximately 60 new vulnerabilities, evaluate the potential impact to their organization's products, and then determine whether each warrants action. This task is daunting even to large, well-staffed organizations, and thus decisions are typically delayed or not made at all. While understanding vulnerability data and prioritizing and fixing issues remain extremely important, organizations must evolve beyond the Whack-a-Mole approach to vulnerability management in their products. To enable this, a move to a strategic approach is required that focuses on problem management and root cause analysis. Insights derived from vulnerability intelligence provide the capabilities for software risk ratings and for answering important questions such as: Which vendors/products are the ones most likely to cause a data breach? Which vendors/products cost the most to maintain securely? Which vendors fix issues in products quickly rather than leave organizations vulnerable? Which vendors/products are investing in secure coding? Are there products and components that should be removed from the organization?


Jake Kouns

CISO, Risk Based Security
Jake is the founder of RVAsec and the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known security...

Thursday April 18, 2019 3:30pm - 4:00pm
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA