Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, January 25
 

8:00am

9:00am

Web Pentesting Using OWASP Tools

This training will teach students how to conduct website assessments using free and open source OWASP tools. Students will learn how to conduct web penetration tests using known methodologies such as the OWASP Testing Guide + PTES  and NIST SP800-115.


Using the various methodologies, tools such as OWASP’s OWTF, ASVS and OWASP ZAP will be used introduced in order to demonstrate the lifecycle of web hacking. These tools give you the opportunity to perform and automate stages of penetration testing from reconnaissance, vulnerability analysis, to dynamic application testing and remediation steps to vulnerabilities found.



Who Should Take This Course?

This course is designed to help web developers and security professionals understand how to pentest and secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security methodologies will benefit from this class.

 

What Should Students Bring?


Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space,and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed with Kali Linux (no version preference). If you want to get a head start, feel free to download and install OWASP ZAP and OWASP OWTF on the Kali Linux virtual machine.



Speakers
avatar for Aaron Guzman

Aaron Guzman

Principal Penetration Testing Consultant, Dell SecureWorks
Aaron is a Chapter leader for the Open Web Application Security Project (OWASP) Los Angeles, Research Director for Cloud Security Alliance SoCal and the President for the High Technology Crime Investigation Association of Southern California(HTCIA SoCal). Aaron’s interest and expertise lies in application security, mobile pentesting, web pentesting, IoT research and network penetration testing. Aaron has given talks at various meetups... Read More →


9:00am

Secure Coding Bootcamp for the Web

The major cause of web insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, webservice and mobile software developers and architects. This class contains a combination of lecture, security testing demonstration and code review and includes the following modules.

Introduction to Application Security - HTTP Basics - SQL and other Injection - Authentication - OAuth Security - Access Control - Cross Site Request Forgery and Clickjacking - Advanced XSS Defense - Content Security Policy - HTTPS/TLS Best Practices - Webservice Security Overview - Mobile Security Overview



Speakers
avatar for Jim Manico

Jim Manico

Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the... Read More →


9:00am

Attack Techniques and Hands-On CTF
A simulation of real-world ecommerce, HR, and banking websites, designed to encourage friendly competition with real-time scoring and reporting.  With guidance assets and vulnerabilities of varying difficulty, users can immediately be immersed in a “find the vulnerabilities” game where they quickly learn and apply hacking techniques in a safe environment — and all the while, learn how to keep your company’s data safe. This simulation is ideal for all skill levels, with Security Innovation staff on-hand and readily available to assist your team, and guide them through difficult challenges.

Speakers
avatar for Mick Ayzenberg

Mick Ayzenberg

Security Engineer, Security Innovation
Mick’s years of security industry experience have included consulting on dozens of mid-to-long term projects for well-known technology companies.  He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications. Mick’s broad spectrum of security skills, ranging from the network, transport, operating system, and application layers has equipped him well for... Read More →
avatar for Joe Basirico

Joe Basirico

VP of Services, Security Innovation
Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and security engineer to direct the security consulting team in the delivery of high-quality, impactful risk assessment and remediation solutions to the company’s customers. His ability to blend deep technical skills with risk-based business and compliance analysis are a... Read More →


9:00am

OWASP Top 10 – Exploitation and Effective Safeguards

About the course 

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security. This course aims at providing all web developers deep hands-on knowledge on the subject.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. Our experience is that participants who have had hands-on experience at exploiting vulnerabilities will always remember how to prevent them.

Who should take this course?

This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

The course will cover the following topics

1. OWASP Top 10 web application vulnerabilities:
    A1 - Injection Attacks
        Command Injection
        File Injection
        SQL Injection
    A2 - Broken Authentication and Session Management
    A3 - Cross-Site Scripting (XSS)
    A4 - Insecure Direct Object References
    A5 - Security Misconfiguration
    A6 - Sensitive Data Exposure
    A7 - Missing Function Level Access Control
    A8 - Cross-Site Request Forgery (CSRF)
    A9 - Using Known Vulnerable Components
    A10 - Unvalidated Redirects and Forwards
2. Proper Password Management
3. Secure Coding Best Practices
4. Effective Safeguards

Demos from the instructor

1.  SQL Injection Attack
2.  Cross-Site Scripting Attack
3.  Insecure Direct Object References
4.  Sensitive Data Exposure
5.  Cross-Site Request Forgery

Hands-on Exercises


1.  Session Initialization and Client-Side Validation       
      Part 1: Web Proxy and Session Initialization       
      Part 2: Client-Side Validation   
2.  Online Password Guessing Attack   
3.  Account Harvesting   
4.  Sniffing Encrypted Traffic   
5.  Launching Command Injection Attacks   
6.  Using a Web Application Vulnerability Scanner   
7.  Optional Exercise:
           Create SSL certificates

Requirements

Participants are asked to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a USB thumb drive containing two pre-configured virtual machines. 


Speakers
avatar for David Caissy

David Caissy

Security consultant, Albero Solutions Inc.
David Caissy, OSCP, GWAPT, GPEN, GSEC, CISSP, CEH has 16 years of experience as a security consultant and a web application architect. He has performed security audits, vulnerability assessments, web application penetration tests and has designed several secure systems. He has worked for banks, the Department of National Defense, various government agencies and private companies. He has been teaching information security in colleges and in many... Read More →


6:30pm

Riot Games Security Meetup

From David Rook - <drook@riotgames.com>

This is the formal invite to our meetup in January. I'll have a better idea of how many places we can open up via Eventbrite once people reply to this invite (by close of business 15th December).

I’m contacting you because we’d like to invite you to a security meetup we’re hosting in our Los Angeles office on Monday January 25th.  With so many awesome security people coming to Santa Monica for AppSec Cali we thought it would be a good time to arrange a meetup at our office. We'd love to share some of the cool things we've been working on, via talks from a few of our Rioters and hopefully play some awesome games as well. 

You are probably thinking, "who is Riot Games and why would I want to see their office?" 

Here at Riot, we have developed a game (League of Legends) that is being enjoyed by a global audience.

To provide some context, League of Legends currently:

The event will have two security talks from myself and two of my Riot colleagues. We hope these talks will provide useful insight into how we approach application security at Riot. Diarmaid McManus and I will talk about our application security culture, Riot application security data and some custom tools we’ve developed to help our engineers to produce secure code. The second talk will be delivered by a Riot software engineer and will focus on how he’s levelled up his application security knowledge. This will talk will focus on things he feels all engineers should know and when they should work with application security engineers.

Finally, it wouldn’t be a Riot Games event if it didn’t involve playing some games! If you’d like to stay around to play games with Rioters in our PC Bang and arcade. If you aren't a League player, don't worry we have board games and an arcade with some of everyone's favourite vintage games to play as well.

The event will start at 6:30pm and finish around 11pm. We will be moving to the PC Bang at 9:30pm to play games with anyone who’d like to join us. We will be providing food and drinks for all attendees.

If you are interested in popping in, please let me know by close of business Tuesday 15th December. I look forward to seeing you soon!

Dave Rook

 


Monday January 25, 2016 6:30pm - 10:00pm
Riot Games 12333 W Olympic Blvd, Los Angeles, CA 90064
 
Tuesday, January 26
 

7:45am

9:00am

Welcome Address and State of OWASP
Speakers
avatar for Paul Ritchie

Paul Ritchie

Executive Director, OWASP Foundation
avatar for Stuart Schwartz

Stuart Schwartz

Security Consultant, Symantec
OWASP LA chapter board member. | OWASP AppSecCali organizer.


9:15am

Opening Keynote - Marcus Ranum
Title - Starting a metrics program

Security practitioners constantly bemoan their difficulty in communicating effectively with business units or senior management. The key, of course, is using the right language - namely, metrics. In this presentation we'll outline a bunch of useful things you should know about setting up your own metrics process. 

Speakers
avatar for Marcus Ranum

Marcus Ranum

Chief Security Officer, Tenable Network Security
Marcus J. Ranum works for Tenable Security, Inc.and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement and service awards from several industry groups. | | Twitter: @mjranum 



10:00am

10:30am

To bounty, or not to bounty? Security@ insights from 500 organizations.

Security@ addresses across the internet are experiencing a surge in activity as organizations embrace collaboration with the security researcher community through vulnerability disclosure programs. In our journey to uncover the perfect approach, one thing became certain: every organization is wildly unique and there is no one size fits all answer. To understand what exactly contributes to a successful program, we've analyzed aggregate Security@ data from over 500 organizations and devised a weighted index across six dimensions:


* Researcher Breadth

* Researcher Depth

* Vulnerabilities Found

* Response Efficiency

* Reward Competitiveness

* Signal Ratio


The result is an advanced framework for quantifying impact and assessing the performance of these programs. Whether you already run an active bug bounty program or still have a security@ address that bounces, you can expect this talk to help you shed blind dogma and walk away armed with an analytical approach to running an effective Security@.

Speakers
avatar for Alex Rice

Alex Rice

Alex Rice is a co-founder and the Chief Technology Officer at HackerOne, providing a platform that enables organizations to build strong relationships with a community of security experts. Alex is responsible for developing the HackerOne technology vision, driving engineering efforts and counseling customers as they build world-class security programs. In addition to his role at HackerOne, Alex also serves on the board for the Internet Bug... Read More →


10:30am

Software Security Initiative Capabilities - Where Do I Begin?
A software security initiative (SSI) often gets started via one of three common capabilities - penetration testing, code review, or some sort of secure design review (e.g., threat modeling). This talk will discuss the benefits and drawbacks of each capability and show how they fit as part of a mature SSI.

Speakers
avatar for Jim DelGrosso

Jim DelGrosso

Senior Principal Consultant, Cigital, Inc.
Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital’s current Architecture Analysis practice. Jim is also the Executive Director for IEEE Computer Society Center for Secure Design (CSD). | | Are the threat modeling myths keeping you from... Read More →



10:30am

Connected Cars – What Could Possibly Go Wrong?

Millions of cars with tens of millions of lines of code are already on the road talking to servers and very soon, talking to each other. Clearly a lot can go wrong. Connectivity carries significant risks which must be addressed as soon as possible. This session will address the trade-off between safety, security and convenience as well as the steps that need be taken by the automotive manufacturers before we can trust our cars to let the transportation ecosystem deliver the promised benefits of connected services. 

Key Take-Aways: 

- Examples and a deeper appreciation of the security and privacy challenges of connected vehicular commerce 

- Insights into the growing role being played by the US government 

- Some comfort that many of the lessons learned in the traditional IT world are applicable to cars


Speakers
avatar for Ed Adams

Ed Adams

CEO, Security Innovation
Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those... Read More →



10:30am

Taking AppSec to 11: AppSec Pipelines, DevOps and Making Things Better
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security dept which feels inevitable with more traditional AppSec program thinking. 

Speakers
avatar for Matt Tesauro

Matt Tesauro

Founder, Infinitiv
Matt has been involved in the information technology and application development for more than 15 years. He is currently the Senior Software Security Engineer at Pearson.  He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security.  Previously, he was the Senior Product Security Engineer at Rackspace. Prior to joining Rackspace, Matt... Read More →



11:30am

Preventing Security Bugs through Software Design
Many common application-level security defects, such as SQL Injection and Cross-Site-Scripting (XSS), have proven difficult to eradicate in large-scale software development projects. 

In our view, the root cause for the prevalence of these classes of vulnerabilities is that underlying APIs and frameworks (such as, SQL query APIs, HTML templating systems, and Web Platform APIs) a-priori permit vulnerable application code to be written, thus placing the onus for avoiding vulnerabilities primarily on the developer. Since developers are human, and the APIs in question are often widely used in large applications, the presence of some number of mistakes and hence vulnerabilities is almost guaranteed. At the same time, it is unlikely that existing bugs in a large system can be exhaustively identified through testing, code review or static analysis.

In this talk, we propose to instead place the burden on API designers: Our goal is to design alternative APIs that are similarly expressive, but are also sufficiently constrained to make it essentially impossible to write vulnerable application code using the API. We describe designs for injection-proof SQL query APIs and XSS-proof HTML rendering APIs, combined with machine-checked coding guidelines ensuring their correct usage. These APIs have been successfully adopted in several flag-ship application development projects at Google, and have resulted in a drastic reduction in the number of bugs observed.

Speakers
avatar for Christoph Kern

Christoph Kern

Software Engineer, Google
Christoph Kern is a software engineer in Google's Information Security Engineering team.  He leads a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. | | Christoph is a founding contributor to the IEEE Computer Society Center for Secure Design (CSD[link: http://cybersecurity.ieee.org/center-for-secure-design.html]), and serves on... Read More →



11:30am

All You Need Is One - A ClickOnce Love Story

ClickOnce is a deployment solution that enables fast, easy delivery of packaged software.  It is commonly used by organizations to deploy both internal and production-grade software packages along with their respective updates.  By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.

 

It also provides an excellent opportunity for malicious actors to establish a foothold in your network.

 

In this talk, I will discuss how I combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment.  By minimizing user interaction, we only require that the user is fooled for "one click" - after that, we already have a foothold in their environment and are ready to pivot and escalate further.


Speakers
avatar for Ryan Gandrud

Ryan Gandrud

Senior Security Consultant, NetSPI
Ryan is a senior security consultant with a B.S. in computer science from North Dakota State University.  He has worked in the Information Technology, Healthcare, Financial Services, and Information Security industries. Ryan's primary knowledge base includes network, web application, and thick application penetration testing with extensive knowledge in email phishing. Ryan has presented at multiple venues before including Bsides Las Vegas... Read More →



11:30am

Design Approaches for Security Automation
Many of the talks at security conferences these days involve the launch of a new security automation framework. Each of these tools have different goals and technologies that met their organizations needs. When it comes to your organization, how will you decide whether to build, buy, or borrow? Are there better criteria than just technology stack compatibility? What qualities make a good design for your environment? Where do you deploy? Which open-source tools work best? How do you ensure that your implementation will effectively enable teams versus creating more noise? This presentation will discuss criteria for designing and evaluating security automation tools for your organization.

Speakers
avatar for Peleus Uhley

Peleus Uhley

Lead Security Strategist, Adobe Systems, Inc.
Peleus Uhley has been a part of the security industry for more than 15 years. As the Lead Security Strategist at Adobe, he assists the company with proactive and reactive security. Prior to joining Adobe, Peleus was a senior developer at Anonymizer, and a security consultant for @stake and Symantec.


11:30am

AuthMatrix: Simplified Authorization Testing for Web Applications

While many threats to web applications such as SQLi and XSS can be mitigated through generic framework solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires unique design considerations for each application and can be difficult to get right. Detecting vulnerabilities in authorization can be just as challenging, as these issues are generally difficult to map and test for. Due to the complexity in an application's architecture, pen-testers must frequently use their limited time and resources developing custom tools specific to a single application's authorization model.

 

In this presentation we take you through the process of designing a tool capable of simplifying this testing methodology to reduce the redundancy between testing unique targets. We will discuss some of the common authorization insecurity patterns seen in web applications and services, consider the common challenges faced by pen-testers when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension to the Burp Suite testing utility designed to simplify authorization test cases in a clear and reproducible manner.


Speakers
avatar for Mick Ayzenberg

Mick Ayzenberg

Security Engineer, Security Innovation
Mick’s years of security industry experience have included consulting on dozens of mid-to-long term projects for well-known technology companies.  He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications. Mick’s broad spectrum of security skills, ranging from the network, transport, operating system, and application layers has equipped him well for... Read More →



12:20pm

2:00pm

https://<every site here>
Every site on the web should be HTTPS-enabled, but setting up HTTPS can be harder than we'd like: it's easy to misconfigure, and even when a site is HTTPS-enabled, it might not be working as effectively as it could be. In this talk, I'll explain the work that Chrome and other browser teams are doing to make high-quality HTTPS more widespread: developer tools to help debug problems, reporting mechanisms to roll out strong HTTPS safely, and more.

Speakers
avatar for Emily Stark

Emily Stark

Software Engineer, Google
Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate student researching client-side cryptography in web browsers. Emily has a master's degree from MIT and a bachelor's degree from Stanford, both in computer... Read More →



2:00pm

Attack tree vignettes for Containers as a Service applications and risk centric threat models
Speakers
avatar for Tony UcedaVélez

Tony UcedaVélez

CEO, VerSprite Security
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony has worked and led teams in the areas of application security, penetration testing, security architecture, and technical risk management for various... Read More →


2:00pm

Radio Hacking: Cars, Hardware, and more!
In this talk I'll introduce radio hacking, and take it a few levels into hacking real world devices like wirelessly controlled gates, garages, and cars. Many vehicles are now controlled from mobile devices over GSM and the web, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We'll investigate how these features work, and of course, how they can be exploited. I'll be going from start to finish on new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced "code grabbers" using RF attacks on encrypted and rolling codes, exploiting mobile devices and poor SSL implementations, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited and secured, but also learn about various tools for hardware, car and RF research, as well as how to use and build your own inexpensive devices for such investigation!

Speakers
avatar for Samy Kamkar

Samy Kamkar

Samy Kamkar is an independent security researcher, best known for creating The MySpace worm, one of the fastest spreading viruses of all time. His open source software and research highlights the insecurities and privacy implications in every day technologies, from the Evercookie which produces virtually immutable respawning cookies, SkyJack, the drone that wirelessly hijacks other drones, and KeySweeper, a wireless keyboard sniffer camouflaged... Read More →



2:00pm

Integrating Mobile Devices into Your Penetration Testing Program
Though still an imperfect science in many ways, penetration testing is often our only way of assessing the effectiveness of our security programs against actual attackers. As mobile devices enter the enterprise en masse, much focus has been on securing them and limiting the risk of BYOD using EMM, MDM, MIM, pick your favorite security control acronym. While many shops are engaging in code review, static analysis, pentesting, etc. against custom mobile applications built in house, even enterprises with mature security programs are often ignoring mobile devices and the surrounding infrastructure in their security testing. It seems like common sense to provide adequate security testing for all devices on corporate networks, particularly when spending large chunks of budget on security controls around BYOD. If we have a DoS protection, we put it in front of staging and hit it with DoS attacks. If it falls down, the control is not providing return on investment. If we have a patch management practice we make sure there are no missing patches leading to compromise during our penetration tests, and if there are, we augment our security program accordingly. We need to be doing the same around mobile. How secure are these devices really against attack? If they are compromised what data on the device is in jeopardy? What other assets in the enterprise are now at risk of attack from the compromised mobile device? By using traditional penetration testing techniques augmented for the unique attack vectors for mobile devices we can assess these risks and get a clear picture of the risk of BYOD in the environment. In this talk we will discuss techniques along with live demonstration scenarios of penetration tests on mobile devices and the surrounding infrastructure. From mobile phishing to undermining security controls to using compromised mobile devices as pivot points, the mobile risk is real and we need to be simulating it in our security testing. We will discuss how these techniques can augment and extend penetration testing and how they can be seamlessly integrated into your existing security program.  

Speakers
avatar for Georgia Weidman

Georgia Weidman

Founder and CEO, Bulb Security and Shevirah Inc.
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Blackhat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting... Read More →



3:00pm

Software Security Metrics
More often than not, company executives ask the wrong questions about software security.  This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives.  Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity.  She’ll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example.

Speakers
avatar for Caroline Wong

Caroline Wong

Director of Strategic Security Initiatives, Cigital, Inc.
Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security.  Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay.  Caroline is the author of “Security Metrics: A Beginner’s Guide” and is well known as a thought leader on the topics of security strategy, operations, and... Read More →



3:00pm

Visualizing Security via LANGSEC
A web security model entirely predicated on applying pattern
matching is at best a zero-sum game. Probabilistically, pattern
matching (regular expressions) cannot prevent attacks generated by
tools such as fuzzers. This talk will explore language security
(LANGSEC) as an alternative methodology. This talk will lay the
foundation via informal and formal theory how lexers, tokenizers and
parsers work. We’ll move onto constructing an open source toolchain to
analyzing data and exploring interactive data visualizations. Along
the way, we’ll cover performance tradeoffs and discuss the challenges
of modern application security. By the end of this talk, you’ll know
more about implementing LANGSEC to help analyze and prevent specific
security attacks.

Speakers
avatar for Kunal Anand

Kunal Anand

Prevoty
A web security model entirely predicated on applying pattern matching is at best a zero-sum game. Probabilistically, pattern matching (regular expressions) cannot prevent attacks generated by tools such as fuzzers. This talk will explore language security (LANGSEC) as an alternative methodology. This talk will lay the foundation via informal and formal theory how lexers, tokenizers and parsers work. We’ll move onto constructing an open... Read More →


3:00pm

Hard to Port! - A Snapshot of the Vulnerability Landscape in 2015

We begin by taking a high level view of the vulnerability landscape over the past year, from anonymized data gathered from the edgescan vulnerability management SaaS. This data-set provides a snapshot of vulnerabilities in thousands of servers and web applications across the globe.

 

From this data, we provide our opinion and insight on why we think some of the trends are present and that traditional static approaches to dynamic problems, is producing diminishing results. We ask, what is the ultimate goal, application security or risk? Protecting applications or protecting businesses and data? We note the trend towards a continual approach to application security and see the benefits of ‘pushing left’.

Speakers
avatar for Rahim Jina

Rahim Jina

Director / Co-Founder, Edgescan
Rahim is a director and co-founder of edgescan™, a SaaS-based managed service based in Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range of organizations globally across many industry verticals. Prior to this, Rahim was Head of Product & Operational Security for Fonality, a VOIP provider based in Los Angeles and was also a senior security... Read More →



3:00pm

Adaptive Testing Methodology: Crowdsourced Testing Methodology Customized to the Target Stack

Testing methodology is a sore subject for most pentesters. Everyone has their own way to do things, and 3 people testing the same thing often end up with different results—especially when constrained for time.

The ASTM project has two goals: 1) allow testers to consistently find the best vulnerabilities in the shortest amount of time, and 2) provide a framework for community improvement of the methodologies.

ASTM combines a time restraint with a quick technology detection step to build a customized testing methodology for that specific website given how much time you have to test it.


Speakers
avatar for Daniel Miessler

Daniel Miessler

Director of Client Advisory Services, IOActive
Daniel Miessler is a Director of Client Advisory Services with IOActive, based out of San Francisco, California. Daniel has 15 years of experience in information security with a focus on web, mobile, and IoT, and is a project leader for the OWASP IoT and OWASP Mobile Top Ten projects. In his spare time, he enjoys reading, writing, programming, and table tennis.



3:50pm

4:30pm

Unlocking Threat Modeling
For the last 20 years, assessment of the security of proposed systems has been a standard. Indeed, NIST-14 (1996) states, "Security requirements should be developed at the same time system planners define the requirements of the system.” Yet, threat modeling remains something of a “black art”, understood solely by the innercognoscenti, “security architects”. Indeed, at most companies, threat models are regarded as highly classified, need-to-know materials. This secretive approach hasn’t served the industry, nor the 10’s of thousands of “systems” that get developed each year. Join author and Distinguished Engineer, Brook Schoenfield, for a participatory session unlocking the shrouded mysteries of threat modeling, revealing the inner secrets, initiating participants into the society of practitioners. We will grapple with thorny issues like assessing risk, decomposition of the architecture, and appropriate architectural views.

Speakers
BS

Brook Schoenfield

Intel Security


4:30pm

Dissecting Bitcoin Security
Bitcoin is not only a currency. It's a system, a platform and an invention. Many human activities that previously required centralized institutions or organizations to function as authoritative or trusted points of control can now be decentralized. This has profound implications for security. To take full advantage of this new paradigm, traditional security concepts need to be redefined. 

This presentation will review and dissect some of bitcoin’s core components and their security controls. The speaker will analyze and explain the controls and how they could be repurposed in other domains.

Speakers
avatar for Cassio Goldschmidt

Cassio Goldschmidt

Cassio Goldschmidt, CBP, is a globally recognized information security leader, known for his contributions toOWASP, SAFECode, CWE/SANS Top 25 Most Dangerous Software Errors, along with contributing to the security education curriculum of numerous universities. Cassio was one of the three finalist in the (ISC)² ISLA Awards 2011 in the Information Security Practitioner category and endowed with the special Community Service Star award during... Read More →



4:30pm

Security Automation in the Agile SDLC - Real World Cases
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments.

Speakers
avatar for Ofer Maor

Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development.  As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in... Read More →



5:20pm

Closing remarks
Speakers
avatar for Stuart Schwartz

Stuart Schwartz

Security Consultant, Symantec
OWASP LA chapter board member. | OWASP AppSecCali organizer.


5:30pm

 
Wednesday, January 27
 

7:45am

9:00am

Welcome Address
Speakers
avatar for Stuart Schwartz

Stuart Schwartz

Security Consultant, Symantec
OWASP LA chapter board member. | OWASP AppSecCali organizer.


9:10am

Opening Keynote: Jeremiah Grossman
Title: 15 Years of Web Security: The Rebellious Teenage Years



Speakers
avatar for Jeremiah Grossman

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the founder of WhiteHat Security. Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings a literal lifetime of information security experience, both homegrown and from his days as Yahoo!’s information security engineer, to the role. The ultimate... Read More →



10:00am

10:30am

Benchmarking AppSec Across Industries
Every industry faces the challenge of securing software, so why do some industries “get it” while others struggle to manage the problem at scale? 

In this session, we will share data drawn from over 200,000 application assessments performed via Veracode’s cloud platform over an 18-month period. This is the largest data set of its kind, and it provides unique insight into the state of software security. Attendees can use this information to benchmark their AppSec program against peers, answering key questions such as:
  • Do I have more serious vulnerabilities than my peers?
  • What percentage of vulnerabilities do my peers remediate? 
  • How many of our applications should pass the OWASP Top 10 when initially assessed?
  • What are the most common vulnerabilities in our vertical?
  • How do coding vulnerabilities manifest across different programming languages?

Speakers
avatar for Chris Eng

Chris Eng

Veracode
Chris Eng has over 15 years of application security experience. As Vice President of Research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology.  Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies. | | Chris is a frequent speaker at premier industry... Read More →



10:30am

6 Myths of Threat Modeling
Are the threat modeling myths keeping you from initiating this key secure design activity? Join us to get the facts; find out how easy it is to get started. We will attempt to debunk 6 recurring myths. Hopefully you will agree with us once you have a few of the facts? We aim to place participants onto a path to successful threat modeling. Please join Jim DelGrosso and Brook Schoenfield as we squash misunderstandings and industry accepted disinformation.

Speakers
avatar for Jim DelGrosso

Jim DelGrosso

Senior Principal Consultant, Cigital, Inc.
Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital’s current Architecture Analysis practice. Jim is also the Executive Director for IEEE Computer Society Center for Secure Design (CSD). | | Are the threat modeling myths keeping you from... Read More →
BS

Brook Schoenfield

Intel Security



10:30am

Advances in Secure Coding Frameworks

The Beatles once sang, "I've got to admit it's getting better, a little better all the time, because it can't get more worse" and that applies directly to the field application security. The successes in building security into common application development frameworks is remarkable and has, in some ways, made secure coding less of an effort to the developer. While much needs to be done in this area, there are many very positive examples of security characteristics built correctly into frameworks. This talk with bring the positive vibe to AppSec California and highlight that things really are getting better in AppSec - all time - if you look in the right places."

Speakers
avatar for Jim Manico

Jim Manico

Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the... Read More →



10:30am

Ad Hoc Mutable Infrastructure for Security Management
Cloud service adoption is increasing across organizations, from startups to massive enterprises. Managing and auditing the security around cloud services is oftentimes difficult given the myriad of unknowns around connectivity and complexity. We’ve developed a completely mutable infrastructure for managing a traditionally critical piece of infrastructure, active directory identity management. This infrastructure eliminates many of the problems associated with traditional domain controller exploitation with ad hoc network routes, extremely restrictive access controls and the ability to destroy any complete domain controller compromise via automation technologies.

Speakers
avatar for Will Bengtson

Will Bengtson

Senior Security Program Manager, Nuna Health
Will Bengtson is the punisher of security at Nuna Health and has been blowing cyber criminals away for years.  His experience across industries in low level implementation, architecture risk analysis, red teaming, and penetration testing among others has allowed him to partner up with the dark knight in investigations in cloud security and automation.
avatar for Robert Wood

Robert Wood

Head of Security, Nuna Health
Robert Wood is the dark knight of security at Nuna Health and has been fighting cyber crime for years.  Robert has experience with threat modeling, red teaming, incident response, static analysis, and penetration testing. Having been engaged in these capacities across many industries and business types.



11:30am

5 Steps to Drive Enterprise Software Security
Organization are exposed to breaches and unnecessary risk because security is often a secondary concern during software requirements development. Many times organizational culture or politics can present more daunting challenges than purely technical issues when implementing a software security initiative. You can change the way your organization builds software by learning the principles, processes, and pitfalls of building a software security initiative in the enterprise. A five step disciplined approach of Characterizing the Landscape, Securing Champions, Defining Standards and Strategy, Executing the Initiative and Sustaining the Effort, tailored to your organization, will help ensure that your corporate-wide efforts to secure applications are as productive as possible.

Speakers
avatar for John Dickson

John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies and government organizations launch and expand their critical... Read More →



11:30am

Skillful, Scalefull Fullstack Security in a State of Constant Flux
In this talk Eoin shall discuss approaches to maintaining a secure full-stack posture at scale in a continuously changing environment. How it can be approached and the pitfalls to be aware of.

How accuracy of testing is not mutually exclusive to scale, depth and speed. The use of analytics in managing a continuous security environment. What items in the OWASP Top 10 can be tested for using automation and what still requires the human. How do we scale using human validation and intelligence.

Speakers
avatar for Eoin Keary

Eoin Keary

Founder/CTO, Edgescan
Eoin previously was on the international board member of OWASP (2009-2014), The Open Web Application Security Project. During his time in OWASP he has lead the OWASP Testing Guide and founded the Security Code Review Guide and also contributed to OWASP SAMM, was the original author of the CISO Survey and contributor to the OWASP Cheat Sheet Series.  | Eoin is a well-known technical leader in industry in the area of software security and... Read More →



11:30am

Panel: Women in Security
Diversity in teams produces better results; What are the challenges & barriers that might not be visible to the general population?  What are the factors that make women successful in Security Technology?  What can organizations, teams do to encourage and retain talent? What are the biggest industry challenges today?  We’ll have a lively discussion on challenges, and what actions can help today and tomorrow. 

Moderators
avatar for Lisa Napier

Lisa Napier

Sr. Product Security Program Manager, NetApp
Lisa Napier, Sr. Product Security Program Manager at NetApp currently leads the Product Security program for NetApp.  She previously led various Product Security initiatives including Secure Development Lifecycle at Cisco Systems, as well as organizing the internal Secure Development conference called SecCon for many years.  She was the first Security CCIE at Cisco, and one of the founding members of the Cisco PSIRT. 

Speakers
avatar for Wei Lin

Wei Lin

Senior Director, Symantec
Wei Lin, Senior Director, heads the E-Commerce Engineering organization at Symantec. | | Lin has led various engineering groups within Symantec, including the Security Technology Group and the Norton brand consumer product groups, played a key role in the success of both Consumer and Enterprise security products. | | Lin has been co-chair of various leadership committees for the Grace Hopper Conference planning. She was the General Co-Chair... Read More →
avatar for Emily Stark

Emily Stark

Software Engineer, Google
Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate student researching client-side cryptography in web browsers. Emily has a master's degree from MIT and a bachelor's degree from Stanford, both in computer... Read More →
avatar for Caroline Wong

Caroline Wong

Director of Strategic Security Initiatives, Cigital, Inc.
Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security.  Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay.  Caroline is the author of “Security Metrics: A Beginner’s Guide” and is well known as a thought leader on the topics of security strategy, operations, and... Read More →


11:30am

Making Security Agile
Many progressive IT organizations have already adopted agile methodologies and run in a CI/CD mode, while security processes and a level of security automation are still behind and can easily become a bottleneck if not changed.

We’ll show in our presentation how to convert the old approach to application security to a more progressive and a faster one. You will also learn how to extend a leverage of a small security team by utilizing QA regression unit tests for security processes. Achieving a greater level of productivity and security automation by utilizing open source and commercial tools will be also covered in our talk.

Speakers
avatar for Oleg Gryb

Oleg Gryb

Sr. Manager, Security Engineering, Samsung Strategy and Innovation Center
Oleg Gryb is Security Architect working in the application security domain at Samsung Electronics Innovation Center. He was previously Security Architect at Intuit, where he was creating architecture for mission critical financial and business applications. Gryb participates actively in creating open source software in a security, identity management and other domains. He has a lot of passion around embedding security to all SDLC stages, threat... Read More →
avatar for Sanjay Tambe

Sanjay Tambe

Security Architect, Samsung Strategy and Innovation Center
Sanjay Tambe is working as Security Architect at Samsung Strategy & Innovation Center.  He is working on security of cloud based SAMI Internet of Things (IoT) platform.  Previously he worked as Core Security Champion at Intuit, where he ensured security of applications such as Mint running in AWS cloud.  Prior to that he worked for Wells Fargo Bank as Security Specialist, VP where he ensured security of high volume customer... Read More →



12:20pm

PROJECTS: Whats Right, Whats Wrong, What Needs to Change
OWASP Webex, moderated by Tom Brennan, OWASP International Board Member

12:20pm

2:00pm

Fixing the Unfixable: Solving Pervasive Vulnerabilities with RASP
Some vulnerabilities are just unfixable. You can’t block them because there’s no clear pattern to the attack. You can’t fix the code because they’re buried in libraries and frameworks.  And you can’t live with them because they’re incredibly dangerous.  Java’s deserialization vulnerabilities are a perfect example where organizations are left with no good choices and a huge window of exposure.  In this talk, Jeff will explore the use of “runtime application self protection” (RASP) to fix this type of problem. Jeff will talk about various approaches to RASP, including dynamic software instrumentation.  He’ll also introduce a free and open source RASP agent designed to completely neuter deserialization attacks across the entire Java stack.  He’ll show you how RASP agents can enable quick and effective defenses across an entire application portfolio, and should be part of your application security strategy today.

Speakers
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. Jeff is the CTO and co-founder of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Jeff also served as the Global Chairman of the OWASP Foundation for eight years... Read More →



2:00pm

Open Source Authentication Experiences Strong Growth
Hacking of websites and stolen passwords continue to plague people conducting business on the internet. Most enterprise networks, e-commerce sites and online communities require only a user name and static password for logon and access to personal and sensitive data. this may be convenient but it is not secure because online identity theft – phishing, keyboard logging, man-in-the-middle attacks and other methods – continue to grow at unsurpassed rates.

Strong authentication systems address the limitations of static passwords by incorporating an additional security credential, for example, a temporary one-time password (OTP), to protect network access and end-users’ digital identities. This adds an extra level of protection and makes it extremely difficult to access unauthorized information, networks or online accounts.

One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, cost and accuracy. Simple methods such as transaction numbers lists and grid cards can provide a set of one-time passwords. These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords.

A more convenient way for users is to use an OTP token which is a hardware device capable of generating one-time passwords. Some of these devices are PIN-protected, offering an additional level of security. The user enters the one-time password with other identity credentials (typically user name and password) and an authentication server validates the logon request. Although this is a proven solution for enterprise applications, the deployment cost can make the solution expensive for consumer applications. Because the token must be using the same method as the server, a separate token is required for each server logon, so users need a separate token for each Web site or network they use.

The difficulty with these methods comes down to cost; while being more secure than simple passwords, the cost to financial institutions and enterprises are still very high and keep many small organizations from implementing them. 

The Initiative for Open Authentication was created to bring an open source approach to strong authentication. The organization has developed a number of algorithms which have been approved as standards by the IETF and are available for any organization to download. LSExperts has taken these algorithms and provide them freely on a server. This free download reduces the cost of authentication significantly and allows any organization to implement strong authentication. No longer do companies need to pay high amounts to authenticate their employees and customers. this is a revolutionary move in the authentication space and is receiving high level of acceptance in the marketplace.

Speakers
avatar for Donald Malloy

Donald Malloy

Business Development Director, North America, LSExperts



2:00pm

IoT Cornerstones of Security
As the ever-growing billions of internet-connected devices shape our lives, through things like smart homes, connected cars, and the Industrial Internet, these devices and services need security. However, the security they must have is radically different from the security needed in traditional information technology. In contrast, IoT devices can’t have security “bolted on” after the device reaches a customer. Instead, IoT devices must have security built in from the start. Unfortunately, this is harder than it sounds, and not much guidance exists on how to do it right.  We’ll present four simple cornerstones of security for IoT. We’ll describe how each of these must be adapted to work, both practically AND effectively, in the often (very) challenging environments of IoT and the Industrial Internet. We’ll describe how these cornerstones mitigate an extremely wide range of threats. We’ll present performance data on how newer implementations of newer algorithms now make legitimate security possible even in seriously constrained environments, such as 8-bit, 8 MHz micro-controllers with only 30kb flash, and battery-constrained devices that depend on energy harvesting.

Speakers
avatar for Brian Witten

Brian Witten

Sr. Director of Internet of Things, Symantec
Brian Witten is Senior Director of Internet of Things (IoT) at Symantec. Over the past few years, Brian has led engineering on Android, Symantec Endpoint Protection (SEP.cloud), and reputation-based security for enterprise, as well as encryption and identity technologies. Prior to that, Brian created Symantec Government Research Labs and Symantec Research Labs Europe, as well as several new technologies now used in Symantec’s enterprise and... Read More →



2:00pm

10 Years of Working with the Community
Dave Lenoe, Director of Secure Software Engineering, has been working in the security community for 10 years, focusing for the majority of his time, on response. As a veteran, Dave will talk about his perspective on the security landscape, reflect on the evolution of response and application security, and look at the way that we all interact with each other now versus a decade ago. He’ll also discuss what the future may bring.

Speakers
avatar for Dave Lenoe

Dave Lenoe

Adobe Systems, Inc.
David Lenoe is Director, Secure Software Engineering at Adobe. In his role, Lenoe manages the Product Security Incident Response Team (PSIRT) dedicated to responding to and communicating about security issues, as well as the Adobe Secure Software Engineering Team (ASSET) responsible for ensuring Adobe's products are designed, engineered and validated using security best practices. Lenoe is also responsible... Read More →


3:00pm

Video Game Security
This presentation will cover various topics involved with hacking video games. It will start off with how hacking video games can lead to a career in the security industry. It will then dive into various activities involved with hacking video games from higher level topics such as analyzing relevant business risks and threat modeling down to lower level things like how to change values in memory to gain unlimited ammo in a first-person shooter. Both client side attacks and network-based attacks will be discussed. Common attacks and corresponding protection mechanisms will be covered. Overall, this presentation will cover assessment topics and techniques relevant to assessing many types of software, both related to the video game industry as well as many other industries.

This presentation has a decent amount of higher level material aimed more at the business level audience members, but will also cover some lower level material that more technical people should enjoy.

Speakers
avatar for Carter Jones

Carter Jones

Senior Security Consultant, Cigital
Carter Jones is a senior security consultant at Cigital, who has experience both as a consultant and a security researcher. He has worked with clients from a broad range of industries, both private and public sector. While he has experience performing a range of security assessment activities (thick client, web app, network, and red teaming), he also enjoys assessing the security of video games. In his spare time, Mr. Jones plays video... Read More →




3:00pm

All our APIs are belong to us
Snapchat does not offer a public API to access its service. Motivated third parties have taken great lengths to reverse-engineer our protocol and build applications on top of it, which could put our users at greater risk of account compromise. In 2014, one such third party was breached and exposed some user data they’d collected from Snapchatters. Their breach reinforced our desire to continue to do more to protect our users from third-party abuse.

In this talk we cover a number of defenses we have put in place both client and server-side since then, in a long-running cat and mouse game with determined third parties. We’ll expand on what worked, what didn’t, and what we learned from our efforts -- which we believe are unique in the social networking space.

Speakers
avatar for Jad Boutros

Jad Boutros

Director of Information Security, Snapchat
Jad Boutros joined Snapchat in 2014, where he serves as director of information security. He is responsible for security, spam and abuse as well as privacy engineering. Prior to joining Snapchat, Jad worked at Google for over nine years and led the security efforts for Google+ since the project’s inception. Jad holds a bachelor’s degree in computer engineering from McGill University and a master’s degree in computer science... Read More →



3:00pm

Postcards from the Total Perspective Vortex
15 years in the product security group of a large corporation leaves one with deep appreciation and respect for the complexity of the universe.  Complexity rules everything around us -- technology, business ecosystem, corporate culture.  To succeed in our line of work one must be able to navigate this complexity, to pierce through the layers of abstraction, through the PowerPoint veils, through the air gaps, and to emerge undaunted by it and make progress in spite of it.

In this talk I will offer some glimpses of what I have seen in the Total Perspective Vortex over the last decade and a half, along with survival strategies and coping mechanisms.

Don't forget your towel.
Don't Panic.

Speakers
avatar for Alex Gantman

Alex Gantman

VP, Product Security, Qualcomm Technologies Inc.
Alex Gantman serves as Vice President of engineering for Qualcomm Technologies Inc. He is responsible for leading the Qualcomm Product Security Initiative. | | Alex joined Qualcomm in 1996 as a software engineering intern. From 1996 to 2001 he worked as a software engineer on a variety of product teams, until joining what was to become the nucleus of Qualcomm's Product Security Initiative. With academic background in applied cryptography and... Read More →


3:50pm

4:30pm

Closing Keynote: Jacob West
Title: Closing the Security Talent Gap

The talent gap in security is huge and growing. Tools compensate in some cases, but skilled people are critical to managing security risk. With nearly half of security roles vacant, organizations must develop talent inside and out. This session offers practical steps you can take today—ranging from adopt-a-professor to highlighting security in every job description—that will help close the gap.

Speakers
avatar for Jacob West

Jacob West

Chief Architect, Security Products, NetSuite
Jacob West is Chief Architect for Security Products at NetSuite. In his role, West leads research and development for technology to identify and mitigate security threats. Prior to this role, West served as CTO for Enterprise Security Products at HP where he founded and led HP Security Research, which drives innovation through research publications, threat briefings, and actionable security intelligence. | | A world-recognized expert, West... Read More →



5:20pm

Closing remarks and Raffle Drawing
Speakers
avatar for Stuart Schwartz

Stuart Schwartz

Security Consultant, Symantec
OWASP LA chapter board member. | OWASP AppSecCali organizer.


7:00pm

Brazilian jiu-jitsu (BJJ) Smackdown
Forget the golf course – security folks do Brazilian jiu-jitsu!

For whatever reason, there is a high proportion of infosec folks who train BJJ. The BJJ Smackdown is a chance for us to do what we love best – training jiu-jitsu – with our friends and peers in the industry when we get together at infosec and appsec security conferences like RSA and Blackhat. For the second year in a row OWASP AppSec California will offer its own Smackdown.

The event will take place at the academy of Shawn Williams, a 3rd degree black belt under the one and only Renzo Gracie. If you watch any IBJJF broadcasts, you’ll recognize Shawn as he’s one of the commentators! Shawn’s academy is holding open mat that evening and it’s close (~25 minutes) by Los Angeles standards.

If you’d like more information, please reach out to Caleb.

Wednesday January 27, 2016 7:00pm - 11:00pm
5 Star Martial Arts 4201 Wilshire Blvd. Ste 105 Los Angeles, CA 90010