
Garden Terrace Room
Monday, January 25


Secure Coding Bootcamp for the Web

The major cause of web insecurity is the lack of secure software development practices. This highly intensive and interactive course provides essential application security training for web application, web service and mobile software developers and architects. The class combines lecture, security testing demonstrations and code review, and includes the following modules.

Introduction to Application Security - HTTP Basics - SQL and other Injection - Authentication - OAuth Security - Access Control - Cross Site Request Forgery and Clickjacking - Advanced XSS Defense - Content Security Policy - HTTPS/TLS Best Practices - Webservice Security Overview - Mobile Security Overview


Jim Manico

Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and...

Tuesday, January 26


To bounty, or not to bounty? Security@ insights from 500 organizations.

Security@ addresses across the internet are experiencing a surge in activity as organizations embrace collaboration with the security researcher community through vulnerability disclosure programs. In our journey to uncover the perfect approach, one thing became certain: every organization is wildly unique and there is no one size fits all answer. To understand what exactly contributes to a successful program, we've analyzed aggregate Security@ data from over 500 organizations and devised a weighted index across six dimensions:

* Researcher Breadth

* Researcher Depth

* Vulnerabilities Found

* Response Efficiency

* Reward Competitiveness

* Signal Ratio

The result is an advanced framework for quantifying impact and assessing the performance of these programs. Whether you already run an active bug bounty program or still have a security@ address that bounces, you can expect this talk to help you shed blind dogma and walk away armed with an analytical approach to running an effective Security@.


Alex Rice

Alex Rice is a co-founder and the Chief Technology Officer at HackerOne, providing a platform that enables organizations to build strong relationships with a community of security experts. Alex is responsible for developing the HackerOne technology vision, driving engineering efforts...


Preventing Security Bugs through Software Design
Many common application-level security defects, such as SQL Injection and Cross-Site Scripting (XSS), have proven difficult to eradicate in large-scale software development projects.

In our view, the root cause for the prevalence of these classes of vulnerabilities is that the underlying APIs and frameworks (such as SQL query APIs, HTML templating systems, and Web Platform APIs) a priori permit vulnerable application code to be written, thus placing the onus for avoiding vulnerabilities primarily on the developer. Since developers are human, and the APIs in question are often widely used in large applications, the presence of some number of mistakes, and hence vulnerabilities, is almost guaranteed. At the same time, it is unlikely that existing bugs in a large system can be exhaustively identified through testing, code review or static analysis.

In this talk, we propose to instead place the burden on API designers: our goal is to design alternative APIs that are similarly expressive, but are also sufficiently constrained to make it essentially impossible to write vulnerable application code using the API. We describe designs for injection-proof SQL query APIs and XSS-proof HTML rendering APIs, combined with machine-checked coding guidelines ensuring their correct usage. These APIs have been successfully adopted in several flagship application development projects at Google, and have resulted in a drastic reduction in the number of bugs observed.


Christoph Kern

Software Engineer, Google
Christoph Kern is a software engineer in Google's Information Security Engineering team. He leads a team focused on the prevention and mitigation of security vulnerabilities in Google's applications and services through framework, API, and platform design. Christoph is a founding...


Every site on the web should be HTTPS-enabled, but setting up HTTPS can be harder than we'd like: it's easy to misconfigure, and even when a site is HTTPS-enabled, it might not be working as effectively as it could be. In this talk, I'll explain the work that Chrome and other browser teams are doing to make high-quality HTTPS more widespread: developer tools to help debug problems, reporting mechanisms to roll out strong HTTPS safely, and more.


Emily Stark

Software Engineer, Google
Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate...


Software Security Metrics
More often than not, company executives ask the wrong questions about software security. This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives. Caroline will discuss a progression of software security capabilities and the metrics that correspond to different levels of maturity. She'll discuss an approach for developing key metrics for your unique software security program and walk through a detailed example.


Caroline Wong

Director of Strategic Security Initiatives, Cigital, Inc.
Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security. Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay. Caroline is the...


Unlocking Threat Modeling
For the last 20 years, assessment of the security of proposed systems has been a standard practice. Indeed, NIST-14 (1996) states, "Security requirements should be developed at the same time system planners define the requirements of the system." Yet threat modeling remains something of a "black art", understood solely by the inner cognoscenti, the "security architects". Indeed, at most companies, threat models are regarded as highly classified, need-to-know materials. This secretive approach hasn't served the industry, nor the tens of thousands of "systems" that get developed each year. Join author and Distinguished Engineer Brook Schoenfield for a participatory session unlocking the shrouded mysteries of threat modeling, revealing the inner secrets and initiating participants into the society of practitioners. We will grapple with thorny issues like assessing risk, decomposition of the architecture, and appropriate architectural views.


Brook Schoenfield

Intel Security

Wednesday, January 27


Benchmarking AppSec Across Industries
Every industry faces the challenge of securing software, so why do some industries "get it" while others struggle to manage the problem at scale?

In this session, we will share data drawn from over 200,000 application assessments performed via Veracode’s cloud platform over an 18-month period. This is the largest data set of its kind, and it provides unique insight into the state of software security. Attendees can use this information to benchmark their AppSec program against peers, answering key questions such as:
• Do I have more serious vulnerabilities than my peers?
• What percentage of vulnerabilities do my peers remediate?
• How many of our applications should pass the OWASP Top 10 when initially assessed?
• What are the most common vulnerabilities in our vertical?
• How do coding vulnerabilities manifest across different programming languages?


Chris Eng

Chris Eng has over 15 years of application security experience. As Vice President of Research at Veracode, he leads the team responsible for integrating security expertise into Veracode's technology. Throughout his career, he has led projects breaking, building, and defending...


5 Steps to Drive Enterprise Software Security
Organizations are exposed to breaches and unnecessary risk because security is often a secondary concern during software requirements development. Many times, organizational culture or politics can present more daunting challenges than purely technical issues when implementing a software security initiative. You can change the way your organization builds software by learning the principles, processes, and pitfalls of building a software security initiative in the enterprise. A disciplined five-step approach of Characterizing the Landscape, Securing Champions, Defining Standards and Strategy, Executing the Initiative and Sustaining the Effort, tailored to your organization, will help ensure that your corporate-wide efforts to secure applications are as productive as possible.


John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group...


PROJECTS: What's Right, What's Wrong, What Needs to Change
OWASP Webex, moderated by Tom Brennan, OWASP International Board Member


Fixing the Unfixable: Solving Pervasive Vulnerabilities with RASP
Some vulnerabilities are just unfixable. You can't block them because there's no clear pattern to the attack. You can't fix the code because they're buried in libraries and frameworks. And you can't live with them because they're incredibly dangerous. Java's deserialization vulnerabilities are a perfect example, where organizations are left with no good choices and a huge window of exposure. In this talk, Jeff will explore the use of "runtime application self-protection" (RASP) to fix this type of problem. Jeff will talk about various approaches to RASP, including dynamic software instrumentation. He'll also introduce a free and open source RASP agent designed to completely neuter deserialization attacks across the entire Java stack. He'll show you how RASP agents can enable quick and effective defenses across an entire application portfolio, and why they should be part of your application security strategy today.


Jeff Williams

CTO, Contrast Security
A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. Jeff is the CTO and co-founder of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check...


Video Game Security
This presentation will cover various topics involved with hacking video games. It will start off with how hacking video games can lead to a career in the security industry. It will then dive into various activities involved with hacking video games, from higher-level topics such as analyzing relevant business risks and threat modeling down to lower-level things like how to change values in memory to gain unlimited ammo in a first-person shooter. Both client-side attacks and network-based attacks will be discussed. Common attacks and corresponding protection mechanisms will be covered. Overall, this presentation will cover assessment topics and techniques relevant to assessing many types of software, both in the video game industry and in many other industries.

This presentation has a decent amount of higher-level material aimed more at business-level audience members, but will also cover some lower-level material that more technical people should enjoy.


Carter Jones

Senior Security Consultant, Cigital
Carter Jones is a senior security consultant at Cigital, who has experience both as a consultant and as a security researcher. He has worked with clients from a broad range of industries, in both the private and public sector. While he has experience performing a range of security assessment...