All times are in Pacific Time (GMT -7)
Day 1 - August 09, 2019
The Abridged History of Application Security
Keynote | 10:00 - 11:00 | August 09, 2019
Jim Manico | Founder, Manicode Security
Application Security began in the early 60's, when plain text password storage, no password policy, poor access control and other massive security problems were the norm. This talk will review the history of application security to help illustrate not just how much application security has gotten be...

Automate Pen-Testing in Dockerized CI/CD Environment
Talk | 11:30 - 12:15 | August 09, 2019
YanYan Wang
Speed is vital in startups, and fast moving CI/CD pipelines are the norm in startups. Dynamic application security testing (DAST) can take advantage of the speed, automate along the CI/CD pipelines, and enable developers to fix issues while vulnerabilities are in development phase. In order to be in...

Crypto Failures - and how to avoid them
Talk | 12:30 - 13:15 | August 09, 2019
Guy Barnhart-Magen
Crypto used to mean cryptography - and lived in the realm of mathematics. Nowadays, everyone wants some crypto for their security schemes. But what people sometimes forget is that crypto is hard - and trusting your own crypto is very risky if you don't actually have cryptographers on your team!
In this talk...

Purple Team Strategies for Application Security
Talk | 13:30 - 13:50 | August 09, 2019
Joe Schottman
Purple Team testing, or the active collaboration of offensive and defensive staff during penetration tests, can help organizations address their most immediate security threats, increase the accuracy of testing, and create a feedback loop where both teams contribute to the success of the other. Typi...

Vulnerabilities that Hide from Your Tools
Talk | 14:00 - 14:45 | August 09, 2019
Jillian Ratliff
Over the past few years, AppSec professionals have become increasingly reliant on automation. While it's fine to use tools to do the work that you just don't have the time for, there are many vulnerabilities that automated tools can't detect. In this talk, we'll discuss methodologies for finding tho...

huskyCI: Finding Security Flaws in CI Before Deploying Them
Talk | 15:00 - 15:45 | August 09, 2019
Rafael Santos
Unfortunately, in large organizations, it becomes very challenging for the security team to review and track all the commits and deploys that occur in all the company's products. To circumvent this problem, I developed a tool in Go to automate security testing within the Continuous Integration pipel...

How bad could it be? Inside Law Enforcement and Local.gov AppSec
Talk | 16:00 - 16:45 | August 09, 2019
Anthony Kava
There are over 17,000 police agencies and 38,000 local governments in the US. They all use software to track your taxes, handle 911 calls, and store reports documenting the worst days of citizens' lives. AppSec is damn important, but most agencies are lucky to have an IT department, let alone an...

Day 2 - August 10, 2019
Purple is the New Black - Modern Approaches to Application Security
Keynote | 10:00 - 11:00 | August 10, 2019
Tanya Janca | Senior Cloud Advocate, Microsoft
Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our indu...

PANEL "Let’s All Get Technical and Hunt Harder"
Talk | 11:30 - 12:15 | August 10, 2019
Alyssa Herrera, STÖK, Corben Leo, Chloé Messdaghi (Moderator)
Abstract: Every security tester has some sort of methodology and toolset they use. This "secret sauce" is the essence of good security research. This panel is about disclosing those secrets. We will talk through successful tools and techniques used, what we focus on, and why. Followed by topics s...

0day Hunting and RCE Exploitation in Web Applications
Talk | 12:30 - 13:15 | August 10, 2019
Özkan M. Akkus
I will give brief and logical answers to "How do you find a Remote Command Execution vulnerability?" and "How do you exploit a discovered vulnerability with Metasploit?" in web applications. In answering these questions, I will show you my special exploits, "Webmin Unauthenticated RCE" and "ManageEngine Unauthenticate...

An Introduction To Application Security Threat Modeling
Talk | 13:30 - 13:50 | August 10, 2019
Jerry Gamblin
Threat modeling is something we instinctively already know how to do. If I asked you to help me threat model a camping trip to a park with bears, you could jump right in. You can do that even though you may have never been camping near bears. You are able to build a mental threat model: put up the f...

WORKSHOP "The OWASP Top Ten for Developers - Secure Coding Seminar"
Workshop | 14:00 - 18:00 | August 10, 2019
Jim Manico
Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.
Laptop Requirements: This seminar will be mostly lecture and demonstration. A laptop is not required but might be useful to take notes.
Descript...

Day 3 - August 11, 2019
Shifting the DevSecOps Culture, Taking away the sugar piece and giving the pile to ants
Talk | 09:30 - 09:50 | August 11, 2019
Vandana Verma Sehgal
We have been talking about the technical angle of DevSecOps. How do I go about building the DevSecOps culture in the organisation? So far, corporates have generally tried to bring all three players, the Dev, Sec and Ops teams, together. However, the ideal DevSecOps idea is that each individual should know...

History of the worst Android app ever: mAadhaar
Talk | 10:00 - 10:20 | August 11, 2019
fs0c131y
At the beginning of 2018, I analysed the official Android app of an Indian governmental program called Aadhaar. Aadhaar is a 12-digit unique identity number that can be obtained by residents of India, based on their biometric and demographic data. With 1.234 billion holders, Aadhaar is the biggest identifi...

Exploiting and Securing iOS Apps using OWASP iGoat
Talk | 10:30 - 10:50 | August 11, 2019
Swaroop Yermalkar
Does your product or application have a mobile app? Do you use any AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions, then this talk is for you!...

WORKSHOP "Offensive Python: Custom Scripts for Pentests"
Talk | 11:00 - 13:00 | August 11, 2019
Fletcher Heisler
In this workshop, we'll write custom Python scripts to automate and augment penetration testing. Learn the basics of port scanning, crafting custom packets, and building your own exploits in Python.
We will work through examples using a Jupyter Notebook, which you can make a copy of to play around...

WORKSHOP "Exploiting Bad Crypto Found in the Wild!"
Workshop | 14:00 - 16:00 | August 11, 2019
João Pena Gil
In this workshop you will learn to exploit a few examples of poorly implemented cryptography found in real-world penetration tests and reverse engineered into CTF-style challenges. The hand-picked exercises will take you on a trip from bad credential storage mechanisms that allow "hash" decryption t...