
Marion Davies Guest House
Monday, January 25
 

9:00am

Attack Techniques and Hands-On CTF
A simulation of real-world ecommerce, HR, and banking websites, designed to encourage friendly competition with real-time scoring and reporting. With guidance assets and vulnerabilities of varying difficulty, users can immediately be immersed in a “find the vulnerabilities” game where they quickly learn and apply hacking techniques in a safe environment, and all the while learn how to keep your company’s data safe. This simulation is ideal for all skill levels, with Security Innovation staff on hand and readily available to assist your team and guide them through difficult challenges.

Speakers

Mick Ayzenberg

Security Engineer, Security Innovation
Mick’s years of security industry experience have included consulting on dozens of mid-to-long term projects for well-known technology companies. He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications...

Joe Basirico

VP of Services, Security Innovation
Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and security engineer to direct the security consulting team in the delivery of high-quality, impactful risk assessment...


 
Tuesday, January 26
 

10:30am

Software Security Initiative Capabilities - Where Do I Begin?
A software security initiative (SSI) often gets started via one of three common capabilities - penetration testing, code review, or some sort of secure design review (e.g., threat modeling). This talk will discuss the benefits and drawbacks of each capability and show how they fit as part of a mature SSI.

Speakers

Jim DelGrosso

Senior Principal Consultant, Cigital, Inc.
Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital’s current Architecture...



11:30am

All You Need Is One - A ClickOnce Love Story

ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.

It also provides an excellent opportunity for malicious actors to establish a foothold in your network.

In this talk, I will discuss how I combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for "one click" - after that, we already have a foothold in their environment and are ready to pivot and escalate further.


Speakers

Ryan Gandrud

Senior Security Consultant, NetSPI
Ryan is a senior security consultant with a B.S. in computer science from North Dakota State University. He has worked in the Information Technology, Healthcare, Financial Services, and Information Security industries. Ryan's primary knowledge base includes network, web application...



2:00pm

Attack tree vignettes for Containers as a Service applications and risk centric threat models
Speakers

Tony UcedaVélez

CEO, VerSprite Security
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony...


3:00pm

Visualizing Security via LANGSEC
A web security model entirely predicated on applying pattern matching is at best a zero-sum game. Probabilistically, pattern matching (regular expressions) cannot prevent attacks generated by tools such as fuzzers. This talk will explore language security (LANGSEC) as an alternative methodology. It will lay the foundation, via informal and formal theory, for how lexers, tokenizers and parsers work. We’ll move on to constructing an open source toolchain for analyzing data and exploring interactive data visualizations. Along the way, we’ll cover performance tradeoffs and discuss the challenges of modern application security. By the end of this talk, you’ll know more about implementing LANGSEC to help analyze and prevent specific security attacks.

Speakers

Kunal Anand

Prevoty



 
Wednesday, January 27
 

10:30am

6 Myths of Threat Modeling
Are the threat modeling myths keeping you from initiating this key secure design activity? Join us to get the facts and find out how easy it is to get started. We will attempt to debunk 6 recurring myths, and hopefully you will agree with us once you have a few of the facts. We aim to place participants onto a path to successful threat modeling. Please join Jim DelGrosso and Brook Schoenfield as we squash misunderstandings and industry-accepted disinformation.

Speakers

Jim DelGrosso

Senior Principal Consultant, Cigital, Inc.
Jim DelGrosso, Principal Consultant, has been with Cigital since 2006. In addition to his overarching knowledge of software security, he specializes in Architecture Analysis, Threat Modeling and Secure Design. In fact, he was a catalyst for creating Cigital’s current Architecture...

Brook Schoenfield

Intel Security



11:30am

Skillful, Scalefull Fullstack Security in a State of Constant Flux
In this talk Eoin will discuss approaches to maintaining a secure full-stack posture at scale in a continuously changing environment: how it can be approached and the pitfalls to be aware of.

He will cover how accuracy of testing is not mutually exclusive with scale, depth and speed; the use of analytics in managing a continuous security environment; which items in the OWASP Top 10 can be tested for using automation and which still require a human; and how we scale using human validation and intelligence.

Speakers

Eoin Keary

Founder/CTO, Edgescan
Eoin was previously an international board member of OWASP (2009-2014), The Open Web Application Security Project. During his time in OWASP he led the OWASP Testing Guide, founded the Security Code Review Guide and also contributed to OWASP SAMM, was the original author...



2:00pm

Open Source Authentication Experiences Strong Growth
Hacking of websites and stolen passwords continue to plague people conducting business on the internet. Most enterprise networks, e-commerce sites and online communities require only a user name and static password for logon and access to personal and sensitive data. This may be convenient but it is not secure, because online identity theft – phishing, keyboard logging, man-in-the-middle attacks and other methods – continues to grow at unsurpassed rates.

Strong authentication systems address the limitations of static passwords by incorporating an additional security credential, for example, a temporary one-time password (OTP), to protect network access and end-users’ digital identities. This adds an extra level of protection and makes it extremely difficult to access unauthorized information, networks or online accounts.

One-time passwords can be generated in several ways and each one has trade-offs in terms of security, convenience, cost and accuracy. Simple methods such as transaction number lists and grid cards can provide a set of one-time passwords. These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords.

A more convenient way for users is to use an OTP token, which is a hardware device capable of generating one-time passwords. Some of these devices are PIN-protected, offering an additional level of security. The user enters the one-time password with other identity credentials (typically user name and password) and an authentication server validates the logon request. Although this is a proven solution for enterprise applications, the deployment cost can make the solution expensive for consumer applications. Because the token must use the same method as the server, a separate token is required for each server logon, so users need a separate token for each Web site or network they use.

The difficulty with these methods comes down to cost; while they are more secure than simple passwords, the cost to financial institutions and enterprises is still very high and keeps many small organizations from implementing them.

The Initiative for Open Authentication was created to bring an open source approach to strong authentication. The organization has developed a number of algorithms which have been approved as standards by the IETF and are available for any organization to download. LSExperts has taken these algorithms and provides them freely on a server. This free download reduces the cost of authentication significantly and allows any organization to implement strong authentication. No longer do companies need to pay high amounts to authenticate their employees and customers. This is a revolutionary move in the authentication space and is receiving a high level of acceptance in the marketplace.

Speakers

Donald Malloy

Business Development Director, North America, LSExperts