Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Sand and Sea Room [clear filter]
Tuesday, January 26


Welcome Address and State of OWASP
avatar for Paul Ritchie

Paul Ritchie

Executive Director, OWASP Foundation
avatar for Stuart Schwartz

Stuart Schwartz

Senior Application Security Engineer, City National Bank
OWASP LA chapter board member.OWASP AppSecCali organizer.


Opening Keynote - Marcus Ranum
Title - Starting a metrics program

Security practitioners constantly bemoan their difficulty in communicating effectively with business units or senior management. The key, of course, is using the right language - namely, metrics. In this presentation we'll outline a bunch of useful things you should know about setting up your own metrics process. 

avatar for Marcus Ranum

Marcus Ranum

Chief Security Officer, Tenable Network Security
Marcus J. Ranum works for Tenable Security, Inc.and is a world-renowned expert on security system design and implementation. He has been involved in every level of the security industry from product coder to CEO of a successful start-up. He is an ISSA fellow and holds achievement... Read More →


Connected Cars – What Could Possibly Go Wrong?

Millions of cars with tens of millions of lines of code are already on the road talking to servers and very soon, talking to each other. Clearly a lot can go wrong. Connectivity carries significant risks which must be addressed as soon as possible. This session will address the trade-off between safety, security and convenience as well as the steps that need be taken by the automotive manufacturers before we can trust our cars to let the transportation ecosystem deliver the promised benefits of connected services. 

Key Take-Aways: 

- Examples and a deeper appreciation of the security and privacy challenges of connected vehicular commerce 

- Insights into the growing role being played by the US government 

- Some comfort that many of the lessons learned in the traditional IT world are applicable to cars

avatar for Ed Adams

Ed Adams

CEO, Security Innovation
Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software... Read More →


Design Approaches for Security Automation
Many of the talks at security conferences these days involve the launch of a new security automation framework. Each of these tools have different goals and technologies that met their organizations needs. When it comes to your organization, how will you decide whether to build, buy, or borrow? Are there better criteria than just technology stack compatibility? What qualities make a good design for your environment? Where do you deploy? Which open-source tools work best? How do you ensure that your implementation will effectively enable teams versus creating more noise? This presentation will discuss criteria for designing and evaluating security automation tools for your organization.

avatar for Peleus Uhley

Peleus Uhley

Lead Security Strategist, Adobe Systems, Inc.
Peleus Uhley has been a part of the security industry for more than 15 years. As the Lead Security Strategist at Adobe, he assists the company with proactive and reactive security. Prior to joining Adobe, Peleus was a senior developer at Anonymizer, and a security consultant for @stake... Read More →


Radio Hacking: Cars, Hardware, and more!
In this talk I'll introduce radio hacking, and take it a few levels into hacking real world devices like wirelessly controlled gates, garages, and cars. Many vehicles are now controlled from mobile devices over GSM and the web, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We'll investigate how these features work, and of course, how they can be exploited. I'll be going from start to finish on new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced "code grabbers" using RF attacks on encrypted and rolling codes, exploiting mobile devices and poor SSL implementations, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited and secured, but also learn about various tools for hardware, car and RF research, as well as how to use and build your own inexpensive devices for such investigation!

avatar for Samy Kamkar

Samy Kamkar

Samy Kamkar is an independent security researcher, best known for creating The MySpace worm, one of the fastest spreading viruses of all time. His open source software and research highlights the insecurities and privacy implications in every day technologies, from the Evercookie... Read More →


Hard to Port! - A Snapshot of the Vulnerability Landscape in 2015

We begin by taking a high level view of the vulnerability landscape over the past year, from anonymized data gathered from the edgescan vulnerability management SaaS. This data-set provides a snapshot of vulnerabilities in thousands of servers and web applications across the globe.


From this data, we provide our opinion and insight on why we think some of the trends are present and that traditional static approaches to dynamic problems, is producing diminishing results. We ask, what is the ultimate goal, application security or risk? Protecting applications or protecting businesses and data? We note the trend towards a continual approach to application security and see the benefits of ‘pushing left’.

avatar for Rahim Jina

Rahim Jina

Director / Co-Founder, Edgescan
Rahim is a director and co-founder of edgescan™, a SaaS-based managed service based in Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range of organizations globally across many industry verticals. Prior... Read More →


Dissecting Bitcoin Security
Bitcoin is not only a currency. It's a system, a platform and an invention. Many human activities that previously required centralized institutions or organizations to function as authoritative or trusted points of control can now be decentralized. This has profound implications for security. To take full advantage of this new paradigm, traditional security concepts need to be redefined. 

This presentation will review and dissect some of bitcoin’s core components and their security controls. The speaker will analyze and explain the controls and how they could be repurposed in other domains.

avatar for Cassio Goldschmidt

Cassio Goldschmidt

Cassio Goldschmidt, CBP, is a globally recognized information security leader, known for his contributions toOWASP, SAFECode, CWE/SANS Top 25 Most Dangerous Software Errors, along with contributing to the security education curriculum of numerous universities. Cassio was one of the... Read More →


Closing remarks
avatar for Stuart Schwartz

Stuart Schwartz

Senior Application Security Engineer, City National Bank
OWASP LA chapter board member.OWASP AppSecCali organizer.

Wednesday, January 27


Welcome Address
avatar for Stuart Schwartz

Stuart Schwartz

Senior Application Security Engineer, City National Bank
OWASP LA chapter board member.OWASP AppSecCali organizer.


Opening Keynote: Jeremiah Grossman
Title: 15 Years of Web Security: The Rebellious Teenage Years

avatar for Jeremiah Grossman

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the founder of WhiteHat Security. Jeremiah possesses a unique combination of technology savvy, customer advocacy and personal passion for application security. A world-renowned web security expert, sought-after speaker and influential blogger, Jeremiah brings... Read More →


Advances in Secure Coding Frameworks

The Beatles once sang, "I've got to admit it's getting better, a little better all the time, because it can't get more worse" and that applies directly to the field application security. The successes in building security into common application development frameworks is remarkable and has, in some ways, made secure coding less of an effort to the developer. While much needs to be done in this area, there are many very positive examples of security characteristics built correctly into frameworks. This talk with bring the positive vibe to AppSec California and highlight that things really are getting better in AppSec - all time - if you look in the right places."

avatar for Jim Manico

Jim Manico

Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and... Read More →


Panel: Women in Security
Diversity in teams produces better results; What are the challenges & barriers that might not be visible to the general population?  What are the factors that make women successful in Security Technology?  What can organizations, teams do to encourage and retain talent? What are the biggest industry challenges today?  We’ll have a lively discussion on challenges, and what actions can help today and tomorrow. 

avatar for Lisa Napier

Lisa Napier

Sr. Product Security Program Manager, NetApp
Lisa Napier, Sr. Product Security Program Manager at NetApp currently leads the Product Security program for NetApp.  She previously led various Product Security initiatives including Secure Development Lifecycle at Cisco Systems, as well as organizing the internal Secure Development... Read More →

avatar for Wei Lin

Wei Lin

Senior Director, Symantec
Wei Lin, Senior Director, heads the E-Commerce Engineering organization at Symantec.Lin has led various engineering groups within Symantec, including the Security Technology Group and the Norton brand consumer product groups, played a key role in the success of both Consumer and Enterprise... Read More →
avatar for Emily Stark

Emily Stark

Software Engineer, Google
Emily is a software engineer on the Google Chrome security team, where she focuses on efforts to make TLS/SSL more usable and secure. Previously, she was a core developer at Meteor Development Group, where she worked on web framework security and internal infrastructure, and a graduate... Read More →
avatar for Caroline Wong

Caroline Wong

Director of Strategic Security Initiatives, Cigital, Inc.
Caroline Wong, CISSP, is the Director of Strategic Security Initiatives at Cigital, the world's largest consulting firm specializing in software security.  Prior to this role, Caroline led a product management team at Symantec and security teams at Zynga and eBay.  Caroline is the... Read More →


IoT Cornerstones of Security
As the ever-growing billions of internet-connected devices shape our lives, through things like smart homes, connected cars, and the Industrial Internet, these devices and services need security. However, the security they must have is radically different from the security needed in traditional information technology. In contrast, IoT devices can’t have security “bolted on” after the device reaches a customer. Instead, IoT devices must have security built in from the start. Unfortunately, this is harder than it sounds, and not much guidance exists on how to do it right.  We’ll present four simple cornerstones of security for IoT. We’ll describe how each of these must be adapted to work, both practically AND effectively, in the often (very) challenging environments of IoT and the Industrial Internet. We’ll describe how these cornerstones mitigate an extremely wide range of threats. We’ll present performance data on how newer implementations of newer algorithms now make legitimate security possible even in seriously constrained environments, such as 8-bit, 8 MHz micro-controllers with only 30kb flash, and battery-constrained devices that depend on energy harvesting.

avatar for Brian Witten

Brian Witten

Sr. Director of Internet of Things, Symantec
Brian Witten is Senior Director of Internet of Things (IoT) at Symantec. Over the past few years, Brian has led engineering on Android, Symantec Endpoint Protection (SEP.cloud), and reputation-based security for enterprise, as well as encryption and identity technologies. Prior to... Read More →


All our APIs are belong to us
Snapchat does not offer a public API to access its service. Motivated third parties have taken great lengths to reverse-engineer our protocol and build applications on top of it, which could put our users at greater risk of account compromise. In 2014, one such third party was breached and exposed some user data they’d collected from Snapchatters. Their breach reinforced our desire to continue to do more to protect our users from third-party abuse.

In this talk we cover a number of defenses we have put in place both client and server-side since then, in a long-running cat and mouse game with determined third parties. We’ll expand on what worked, what didn’t, and what we learned from our efforts -- which we believe are unique in the social networking space.

avatar for Jad Boutros

Jad Boutros

Director of Information Security, Snapchat
Jad Boutros joined Snapchat in 2014, where he serves as director of information security. He is responsible for security, spam and abuse as well as privacy engineering. Prior to joining Snapchat, Jad worked at Google for over nine years and led the security efforts for Google+ since... Read More →


Closing Keynote: Jacob West
Title: Closing the Security Talent Gap

The talent gap in security is huge and growing. Tools compensate in some cases, but skilled people are critical to managing security risk. With nearly half of security roles vacant, organizations must develop talent inside and out. This session offers practical steps you can take today—ranging from adopt-a-professor to highlighting security in every job description—that will help close the gap.

avatar for Jacob West

Jacob West

Chief Architect, Security Products, NetSuite
Jacob West is Chief Architect for Security Products at NetSuite. In his role, West leads research and development for technology to identify and mitigate security threats. Prior to this role, West served as CTO for Enterprise Security Products at HP where he founded and led HP Security... Read More →


Closing remarks and Raffle Drawing
avatar for Stuart Schwartz

Stuart Schwartz

Senior Application Security Engineer, City National Bank
OWASP LA chapter board member.OWASP AppSecCali organizer.