One Track
Lots of Flavor


Thursday, April 18


Who wants a thousand free puppies? Managing open source software security in the enterprise
Open source software (OSS) is ubiquitous in the modern enterprise, enabling rapid solution development through re-use of ready-to-use components written and maintained by outside developers. And while using OSS unquestionably brings benefits, security vulnerabilities discovered in those components can have devastating consequences. From Heartbleed to eslint-scope, Apache Struts to Zip Slip, awareness of security risk in OSS has gained mindshare among developers and executives alike. The growing size and complexity of the OSS ecosystem bring some particular challenges: How can you ensure the OSS used to run your business is trustworthy? How can you mitigate security risk in a "run fast" DevOps environment without getting in the way? In this interactive session, we will describe lessons learned building an OSS security program at Microsoft, explore best practices, and discuss how to tailor those practices effectively within your organization. Specifically, we'll cover the following:

- Building a comprehensive, accurate inventory of OSS components used.
- Understanding the security posture of each identified OSS component.
- Responding to security vulnerabilities in OSS.

Open source software isn't like a free Mai Tai; it's like a free puppy.


Michael Scovetta

Principal Security PM Manager, Microsoft
Michael Scovetta is a Principal Security PM Manager at Microsoft, leading a team researching emerging security threats and building technology solutions to mitigate them. Prior to joining Microsoft, Michael held security and software engineering roles at CBS, CA Technologies, Cigital...

Thursday April 18, 2019 9:00am - 9:30am
Halele'a Room (Salon 2), 3610 Rice Street, Lihue, Hawaii 96766, USA


SBoMs (software bill of materials): the looming format skirmish
SBoMs are suddenly an item on every customer's checklist. They all _KNOW_ they simply must have one to accompany their latest enterprise software purchase. But how many know what they are asking for? Is an SBoM even a defined thing? More likely, they think about SBoMs in theory rather than in practice, and many define SBoMs differently.

SBoMs are supposed to provide us information efficiently. But how is that information stored, how do we generate it, and how do end users consume it? Despite the fact that it's 2019, it seems the overwhelming choice remains CSV files managed in Excel. That doesn't mean there aren't viable formats beyond unstructured CSV files. Indeed, there is a plethora of formats purpose-built for describing the third-party component composition of a software package. We've had Software Bills of Materials available in human- and machine-readable formats for decades now, even if few were using them.

In this talk we'll cover the leading SBoM formats (SWID, SPDX, and CSV) as well as glance back at some of the tools that were used in days gone by. We'll examine the landscape of SBoM hype and which way governments, industry, and standards orgs are headed. After all, there is nothing worse than delivering an SBoM that no one can read. We'll also answer questions like "Is this a zero-sum game?" and "
Attendees will learn about tools to generate and read SBoMs in numerous formats. We'll also explore avoiding format lock-in. Attendees will also take away an understanding of the landscape, and the strengths and weaknesses of the formats, to be able to make informed decisions on the path to SBoM happiness.


David Nalley

Open Source Guy, BlackBerry
David Nalley is a recovering sysadmin who still feels phantom vibrations from a pager that has been absent for more than a decade. David is a former member of the Apache Software Foundation's Board of Directors and currently serves as the Vice-President of Infrastructure for the ASF. David helped build cloudy...

Thursday April 18, 2019 9:30am - 10:00am
Halele'a Room (Salon 2), 3610 Rice Street, Lihue, Hawaii 96766, USA


SDL at scale: growing security champions
If you're tasked with securing a portfolio of applications, it's a practice in extremes. You've got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that's been around forever doing Waterfall on one huge product, and at the same time you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren't enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you.

By partnering with your development organization to create a guild of Security Champions, you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions who go beyond just interfacing with the security team and also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past five years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.


Ryan O' Boyle

Manager, Product Security, Veracode
Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan...

Thursday April 18, 2019 10:30am - 11:00am
Halele'a Room (Salon 2), 3610 Rice Street, Lihue, Hawaii 96766, USA


Upstreaming security to Rails: a story about falling behind and catching back up again
Web frameworks have enabled development that just would not be practical otherwise. While frameworks can introduce unseen attack surfaces, they can also solve problems, including entire classes of vulnerabilities <caveat>when a supported version of the framework is used properly</caveat>. GitHub is in the interesting position of employing members of the Rails security group, core maintainers, and public bounty members. We have introduced features, applied secure defaults, and taken away many rough edges. This talk will explore examples of features that other frameworks can or should use, some of which came from GitHub. We will also explore the history of some of these features across other frameworks.

It's no surprise that using out-of-date dependencies introduces many types of risk. It also makes it very hard to hire, retain, maintain, secure, or improve anything or anyone. Bleeding edge or die.


Neil Matatall

Product Security Engineer, GitHub
Neil is a product security engineer at GitHub. He has mostly worked on web application security and is frequently involved in AppSec communities. Previously, Neil has been an engineer at Twitter, a W3C WebAppSec group member, an OWASP chapter leader, and has organized multiple conferences...

Thursday April 18, 2019 11:00am - 11:30am
Halele'a Room (Salon 2), 3610 Rice Street, Lihue, Hawaii 96766, USA


JavaScript supply chain security
In an npm survey of over 33,000 developers worldwide, 99% of JavaScript developers confirm they use open source code, 83% express concern about whether the open source software they use is secure, and 58% believe that there aren't satisfactory methods for evaluating whether code is safe. npm is the world's supplier of JavaScript, a very important piece of the dependency supply chain. In this talk Adam will discuss the current security state of the JavaScript ecosystem, what security challenges it has faced, and what npm has done and continues to do to make this supply chain more secure.


Adam Baldwin

Sr. Product Manager, Supply Chain Security, GitHub
Adam Baldwin is a Senior Product Manager focused on supply chain security at GitHub. A security-focused leader with over 25 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously...

Thursday April 18, 2019 11:30am - 12:00pm
Halele'a Room (Salon 2), 3610 Rice Street, Lihue, Hawaii 96766, USA

About the speaker: Adam Baldwin is Director of Security at npm Inc., the company that powers the world's JavaScript. An information security professional with over 24 years of experience, Adam has spent his career building companies, breaking into companies, managing teams, designing products, and talking about security non-stop. Previously, Adam founded ^Lift Security, a successful application security and penetration testing service company, and the Node Security Platform, an initiative to track vulnerabilities in the JavaScript ecosystem. The project evolved into a SaaS platform at the forefront of the continuous security movement. Both were acquired by npm, Inc. in early 2018.