All times are in Pacific Time (GMT -7)

Day 1 - August 09, 2019

The Abridged History of Application Security

Keynote 10:00 - 11:00 August 09, 2019

Jim Manico | Founder, Manicode Security

@manicode

Application Security began in the early 60's where plain text password storage, no password policy, poor access control and other massive security problems were the norm. This talk will review the history of application security to help illustrate not just how much application security has gotten be...

Automate Pen-Testing in Dockerized CI/CD Environment

Talk 11:30 - 12:15 August 09, 2019

YanYan Wang

Speed is vital in startups, and fast moving CI/CD pipelines are the norm in startups. Dynamic application security testing (DAST) can take advantage of the speed, automate along the CI/CD pipelines, and enable developers to fix issues while vulnerabilities are in the development phase. In order to be in...

Crypto Failures- and how to avoid them

Talk 12:30 - 13:15 August 09, 2019

Guy Barnhart-Magen

Crypto used to mean cryptography - and in the realm of mathematics. Nowadays, everyone wants some crypto for their security schemes. But sometimes people forget that crypto is hard - and trusting your own crypto is very risky if you don't actually have cryptographers in your team!

In this talk...

Purple Team Strategies for Application Security

Talk 13:30 - 13:50 August 09, 2019

Joe Schottman

Purple Team testing, or the active collaboration of offensive and defensive staff during penetration tests, can help organizations address their most immediate security threats, increase the accuracy of testing, and create a feedback loop where both teams contribute to the success of the other. Typi...

Vulnerabilities that Hide from Your Tools

Talk 14:00 - 14:45 August 09, 2019

Jillian Ratliff

Over the past few years, AppSec professionals have become increasingly reliant on automation. While it's fine to use tools to do the work that you just don't have the time for, there are many vulnerabilities that automated tools can't detect. In this talk, we'll discuss methodologies for finding tho...

huskyCI: Finding Security Flaws in CI Before Deploying Them

Talk 15:00 - 15:45 August 09, 2019

Rafael Santos

Unfortunately, in large organizations, it becomes very challenging for the security team to review and track all the commits and deploys that occur in all the company's products. To circumvent this problem, I developed a tool in Go to automate security testing within the Continuous Integration pipel...

How bad could it be? Inside Law Enforcement and Local.gov AppSec

Talk 16:00 - 16:45 August 09, 2019

Anthony Kava

There are over 17,000 police agencies and 38,000 local governments in the US. They all use software to track your taxes, handle 911 calls, and store reports documenting the worst days of citizens' lives. AppSec is damn important, but most agencies are lucky to have an IT department, let alone an...

Day 2 - August 10, 2019

Purple is the New Black- Modern Approaches to Application Security

Keynote 10:00 - 11:00 August 10, 2019

Tanya Janca | Senior Cloud Advocate, Microsoft

@shehackspurple

Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our indu...

PANEL "Let’s All Get Technical and Hunt Harder"

Talk 11:30 - 12:15 August 10, 2019

Alyssa Herrera, STÖK, Corben Leo, Chloé Messdaghi (Moderator)

Abstract: Every security tester has some sort of methodology and toolset they use. This "secret sauce" is the essence of good security research. This panel is about disclosing those secrets. We will talk through successful tools and techniques used, what we focus on, and why. Followed by topics s...

0day Hunting and RCE Exploitation in Web Applications

Talk 12:30 - 13:15 August 10, 2019

Özkan M. Akkus

I will give brief and logical answers to "How to find Remote Command Execution vulnerability?" and "How to exploit discovered vulnerability with Metasploit?" in web applications. In answering these questions, I will show you my special exploits, "Webmin Unauthenticated RCE" and "ManageEngine Unauthenticate...

An Introduction To Application Security Threat Modeling

Talk 13:30 - 13:50 August 10, 2019

Jerry Gamblin

Threat modeling is something we instinctively already know how to do. If I asked you to help me threat model a camping trip to a park with bears, you could jump right in. You can do that even though you may have never been camping near bears. You are able to build a mental threat model: put up the f...

WORKSHOP "The OWASP Top Ten for Developers- Secure Coding Seminar"

Workshop 14:00 - 18:00 August 10, 2019

Jim Manico

Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: This seminar will be mostly lecture and demonstration. A laptop is not required but might be useful to take notes.

Descript...

Day 3 - August 11, 2019

Shifting the DevSecOps Culture, Taking away the sugar piece and giving the pile to ants

Talk 09:30 - 09:50 August 11, 2019

Vandana Verma Sehgal

We have been talking about the technical angle of DevSecOps. How do I go about building the DevSecOps culture in the organisation? So far, generally, corporates are trying to have all three plays and teams, Dev, Sec and Ops, together. However, the ideal DevSecOps idea is each individual should know...

History of the worst Android app ever: mAadhaar

Talk 10:00 - 10:20 August 11, 2019

fs0c131y

At the beginning of 2018, I analysed the official Android app of an Indian governmental program called Aadhaar. Aadhaar is a 12-digit unique identity number that can be obtained by residents of India, based on their biometric and demographic data. With 1.234 billion holders, Aadhaar is the biggest identifi...

Exploiting and Securing iOS Apps using OWASP iGoat

Talk 10:30 - 10:50 August 11, 2019

Swaroop Yermalkar

Does your product or application have a mobile app? Do you use any of AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions then this talk is for you!...

WORKSHOP "Offensive Python: Custom Scripts for Pentests"

Talk 11:00 - 13:00 August 11, 2019

Fletcher Heisler

In this workshop, we'll write custom Python scripts to automate and augment penetration testing. Learn the basics of port scanning, crafting custom packets, and building your own exploits in Python.

We will work through examples using a Jupyter Notebook, which you can make a copy of to play around...

WORKSHOP "Exploiting Bad Crypto Found in the Wild!"

Workshop 14:00 - 16:00 August 11, 2019

João Pena Gil

In this workshop you will learn to exploit a few examples of poorly implemented cryptography found in real-world penetration tests and reverse engineered into CTF-style challenges. The hand-picked exercises will take you on a trip from bad credential storage mechanisms that allow "hash" decryption t...

Networking & Challenges

Workshop 16:00 - 17:00 August 11, 2019
