September 13 2023
Agenda
Terrace Lounge & Terrace
9:00 AM – 5:40 PM: Vendor Expo
Club Room CMD+CTRL Cyber Range
9:15 AM – 5:20 PM: Security Innovation CMD+CTRL Cyber Range
Want to tap into your inner evildoer and test your skills in hunting down web application vulnerabilities?
Garden Terrace Room
9:45 AM – 9:55 AM: Welcome Address
Richard Greenberg
Garden Terrace Room
9:55 AM – 10:05 AM: Organizational Exhibitors Welcome
Garden Terrace Room
10:05 AM – 10:20 AM: Diamond / Platinum Sponsors Welcome
Garden Terrace Room
11:25 AM – 12:05 PM: Shift Smart – Risk-Based Approach on AppSec
Sand & Sea Room
11:25 AM – 12:05 PM: All About the Benjamins: Building a Business-Critical Bug Bounty Program
Sand & Sea Room
12:10 PM – 12:50 PM: Security, Velocity, Happiness: Finding Balance in Developer-First Security
Garden Terrace Room
2:05 PM – 2:25 PM: System Assurance with the IoT Security Testing Guide
Sand & Sea Room
2:05 PM – 2:25 PM: Attackers Move at the Speed of the Cloud – How to Arm Yourself with Data
Garden Terrace Room
2:30 PM – 2:50 PM: Open Source Developers Are Security’s New Front Line
Sand & Sea Room
2:30 PM – 2:50 PM: Reactive to Proactive: Building Secure Cloud Applications at Scale
Garden Terrace Room
2:55 PM – 3:35 PM: An Overview of Software Security Best Practices
Sand & Sea Room
5:40 PM – 6:25 PM, Closing Keynote: Artificial Intelligence (AI) – Threat, Opportunity, or Both?
Sand & Sea Room
6:25 PM – 6:30 PM: Closing Remarks, Haral Tsitsivas
Sand & Sea Room
6:30 PM – 8:30 PM: Happy Hour and Raffle Drawing
Talk Descriptions:
Club Room CMD+CTRL Cyber Range
9:00 AM – 5:20 PM
Want to tap into your inner evildoer and test your skills in hunting down web application vulnerabilities?
If so, immerse yourself in the industry’s most authentic environment where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet. For each vulnerability you exploit, you are awarded points. Climb the interactive leaderboard as you vie for the top spot!
The CMD+CTRL Cyber Range is ideal for anyone interested in learning how web applications are attacked, furthering their cybersecurity acumen, or honing the skills needed to protect the enterprise. From curious bystanders to active practitioners to Risk and Security Executives, there’s something for everyone.
Garden Terrace Room
10:25 AM – 11:10 AM
Opening Keynote: AI: Friend Or Foe?
Tech news is filled with opinion pieces foreshadowing existential dangers from super intelligent AI. At the same time, much security vendor marketing trumpets, “AI powered!” Can we divine any truth behind the opinions and the marketing? Is this what we day-to-day practitioners should worry about? Meanwhile, newsletters announce a deluge of Large Language Models (LLM) and associated tooling. Will this activity help? Hinder? Meh? Join Brook S.E. Schoenfield for a survey through today’s generative AI and Large Language Model scene through a practical AppSec focus. We’ll take a look at some good, potentially bad, and a few rather ugly realities.
Garden Terrace Room
11:25 AM – 12:05 PM
Shift Smart – Risk-Based Approach on AppSec
Shifting left has had success; shifting right and adding context is hot, as the number of pre-flight vulnerabilities in an SDLC piles up. Find your path in this modern, challenging. The talk walks through a new risk-based approach to vulnerabilities called Shift Smart.
We will explore the difference between a vulnerability-based, resolution-first approach and a risk-based approach, with successes from real case scenarios.
Audience:
* Application security
* Head of application security
* Product security
* Security engineers
* CISO
* GRC
Takeaways:
* Learning how to start measuring an application security program from a risk approach
* Understand the concept of product
* Understand and apply how to involve the business
* Understand SSDLC and where to apply triage
* Understand and apply contextual elements to application security
* Understand which threat feed is actually useful
* Metrics for an application security program
* How to create a narrative around security with product security
* How to involve management/business in the heartbeat of application security
Sand & Sea Room
11:25 AM – 12:05 PM
All About the Benjamins: Building a Business-Critical Bug Bounty Program
After seven years and millions of dollars in payouts, Yahoo’s bug bounty program faced a crossroads – internal partners demanded the program demonstrate its business value.
This talk will elucidate our hardest-fought lessons, the persuasive techniques that worked with our counterparts, as well as how we ensured funding and technical triage power for years to come.
Garden Terrace Room
12:10 PM – 12:50 PM
Why All AppSec Products Suck
Dan Kuykendall has been an AppSec founder and leader for 25+ years! And now he is ready to break down the fundamental problems with all the current Application Security product categories (SAST vs DAST vs IAST vs SCA vs WAF vs RASP vs Pen-Testing).
This talk will cover each category of App Sec products:
* SAST: Static Application Security Testing
* DAST: Dynamic Application Security Testing
* IAST: Interactive Application Security Testing
* SCA: Software Composition Analysis
* WAF: Web Application Firewall
* RASP: Runtime Application Self-Protection (Next-Gen WAF)
* Manual Pen-Testing of Applications
Sand & Sea Room
12:10 PM – 12:50 PM
Security, Velocity, Happiness: Finding Balance in Developer-First Security
The principles of shift-left security have been embraced with the noble goal of empowering developers to detect and address security vulnerabilities early in the development process. In this presentation, we will delve into the intricate interplay between security, development velocity, and developer happiness within the realm of application security.
We will critically examine the concept that developers should shoulder the entire responsibility for the security lifecycle of their applications, given the existing models of application security. Moreover, we will propose alternative approaches that strike a harmonious balance between security practices and development efficiency.
Join us as we explore cultural and programmatic strategies to foster an environment where developers can confidently build secure software without sacrificing speed or fulfillment. By embracing these approaches, organizations can pave the way for a thriving and secure software development process.
Garden Terrace Room
2:05 PM – 2:25 PM
System Assurance with the IoT Security Testing Guide
The OWASP IoT Security Testing Guide provides a comprehensive methodology for penetration tests in the IoT field, offering the flexibility to adapt to innovations and developments in the IoT market while still ensuring comparability of test results. The guide establishes a common terminology that facilitates communication between manufacturers and operators of IoT devices and penetration testing teams.
This presentation will introduce the guide’s underlying models as the foundation to the methodology, present tools that can be used separately or in conjunction with each other, and an overview of the test case catalog spanning underlying processing units to user interfaces.
Garden Terrace Room
2:05 PM – 2:25 PM
Attackers Move at the Speed of the Cloud – How to Arm Yourself with Data
In this talk we will review some key findings from the “2023 Honeypotting in the Cloud Report” released by Orca’s security research pod, and discuss some practices you can implement based on real-world data. By the end of this talk you will be armed with real research data showing what types of assets are targeted by attackers, how quickly exposed data can be used against you, and what sources play a role in breaches. With this data in mind we will talk about some of the technical capabilities of CNAPP tools to expose these types of risk and convert your unknown unknowns to knowns for a safer cloud adoption.
Garden Terrace Room
2:30 PM – 2:50 PM
Open Source Developers Are Security’s New Front Line
Open source is crucial for software development, but not a silver bullet. Its potential is evident, yet poor management leads to errors.
A battlefield of attacks linked to OSS consumption has emerged. Years ago, enterprises faced Apache Struts vulnerability. Despite disclosure, some didn’t act, fueling widespread exploits. Hackers thrive when vulnerabilities are ignored.
Since the 2013 Struts issue, similar patterns emerged with Shellshock, Heartbleed, Equifax breach, Spring4shell, and Log4j.
Shift forward to today – and hackers are now creating their own opportunities to attack. This new method targets software supply chains, injecting malicious code via breached OSS project credentials. This code affects countless devs, aiding bad actors. Over 17 real-world examples of this attack pattern have been documented in the past 24 months.
It’s become clear that we are in the middle of a systematic attack on the social trust and infrastructure used to distribute open source. In just a few years, we’ve gone from attacks on pre-existing vulnerabilities occurring months after a disclosure down to two days – and now, we are at the point where attackers are directly hijacking publisher credentials and distributing malicious components.
In this session, Sonatype will:
• Analyze and detail the events leading to today’s “all-out” attack on the OSS industry
• Define what the future of open source looks like in today’s new normal
• Outline how developers can step into the role of security to protect themselves and the millions of people depending on them
Sand & Sea Room
2:30 PM – 2:50 PM
Reactive to Proactive: Building Secure Cloud Applications at Scale
At the speed and scale of modern cloud and DevOps environments, security needs to be proactive, not reactive. Defenders who are responding to vulnerabilities in their production environments will forever be playing “whack-a-mole” while trying to secure their environment.
In this talk, we’ll discuss using code security tools to take a proactive approach to cloud vulnerabilities and misconfigurations, and look at how organizations are streamlining their DevOps pipelines and building cloud apps that are “secure by default.”
Garden Terrace Room
2:55 PM – 3:35 PM
An Overview of Software Security Best Practices
Is your company integrating Information Security into the Software Development Life Cycle? Does your security team have a good working relationship with Application Development, the Project Management Office, and Operations? Are you following a basic framework and good standards for coding and at the various steps throughout the development process?
Join me as I share my 15 years as a CISO working with all of the above teams to help you understand the best practices to follow to ensure your software projects are done professionally and securely.
Sand & Sea Room
2:55 PM – 3:35 PM
Sifting for Botnets: Leveraging Log Enrichment and Honeypots for Targeted Malware Discovery
The ever-growing volume of malicious activity on the internet poses a challenge for researchers seeking to gain valuable insights into the threat landscape. Honeypots serve as an effective tool to attract unsolicited traffic, but the scale of incoming data can be overwhelming, making it difficult to prioritize which honeypots to create, which activities to investigate, and which payloads to analyze.
In this presentation, we will discuss how Akamai’s Security Intelligence Response Team has employed an innovative approach to address these challenges using a tool we built called Helios. Helios enables us to label HTTP requests by the targeted CVE and/or technology, additionally leading to increased awareness of non-CVE vulnerabilities being actively exploited. This approach has facilitated a more systematic process for prioritizing the development of new honeypots, which in turn has allowed us to observe more payloads.
By leveraging iterative rounds of enrichment and prioritization, our team has made targeted discoveries, such as the identification of several remote code execution (RCE) vulnerabilities without CVEs officially assigned to them, Go-based botnets, and new malware variants. We have also implemented automation techniques to prioritize interesting binaries, recreate command and control (C2) servers, and analyze attack traffic.
This case study presentation will demonstrate the importance of effective log analysis and the potential for significant findings to emerge from an initially unremarkable piece of data. This is exemplified by our discovery of HinataBot, a botnet written in Golang with the purpose of launching efficient DDoS attacks, which will be discussed as well. Attendees will gain insights into how log enrichment and prioritization can be employed to drive more targeted and efficient threat intelligence efforts.
Garden Terrace Room
3:55 PM – 4:35 PM
Engaging and Motivating Your Security Champions
We all know by now that having a successful Security Champion Program can skyrocket your ability to scale your appsec program by building security awareness into your culture. However, many programs still struggle with motivating their champions and employees to take action to protect their company. In this talk, Dustin Lehr will share the core drivers of human motivation and how to tap into them to increase engagement and participation through gamification, rewards, and incentives, providing a multitude of tips and tricks along the way.
Sand & Sea Room
3:55 PM – 4:35 PM
The Do’s and Don’ts of Using SBOMs for Security
The great tool in any risk professional’s tool belt will always be an accurate and up-to-date asset inventory, whether that be physical, or, in our case, digital assets. SBOMs (software bill of materials) hold significant promise as a means of providing this real-time inventory — but there are a number of potential roadblocks that can prevent organizations from realizing this potential.
In this talk, I’ll discuss important considerations for successfully leveraging first- and third-party SBOMs in your security program — as well as common mistakes organizations make that prevent them from doing so. Attendees will learn:
- Processes and workflows for generating SBOMs: When in the SDLC should you generate SBOMs? How often should they be updated? What SBOM formats are best for security?
- Strategies for getting SBOMs from third-party suppliers: What should you require suppliers to include in their SBOMs? How often should they be updated? How should they be transmitted? What formats should they be created in?
- How to integrate SBOM security insights into your security program: How do you consolidate data from first- and third-party SBOMs so you can effectively use it? What are ideal workflows for security and engineering teams to remediate issues that SBOMs surface? What’s the role of automation in making this possible?
Garden Terrace Room
4:40 PM – 5:20 PM
Vulnerability Landscape 2023 – Time for Triaging
Vulnerability management can be seen as one of the basic tenets of a security function in any organisation. While supposedly basic, given the ever-increasing frequency of data breaches, managing vulnerabilities across an organisation is not straightforward. How organisations approached vulnerability management and penetration testing in the past simply does not work with today’s technology stack and development methodologies.
Organisations face a minefield of vulnerabilities with limited resources; where does one even start?
We delve into risk prioritisation and spend time examining practical metrics of vulnerabilities, like exploitability. Sure, it might be a ‘critical issue’, but is it being exploited in the wild, or is it something that can wait? It’s time for triaging.
With over 8 years of aggregated real-world vulnerability data, we analyse the current landscape with excerpts from the annual Edgescan Vulnerability Statistics Report.
Sand & Sea Room
4:40 PM – 5:20 PM
The Yin-Yang of ChatGPT and Copilot in Secure Coding
In this age of an adversarial threat landscape, it is imperative to develop applications securely. This session aims to empower developers and security engineers using the combined power of the AI-driven tools ChatGPT and Copilot for secure development. The goal is to tackle the issue of security vulnerability backlogs and equip developers with strategies for self-sufficient, secure coding practices by leveraging these tools. We will explore how the Secure Development Life Cycle can be empowered by employing ChatGPT in threat modeling, risk prioritization, vulnerability identification, and remediation processes. Additionally, learn how Copilot can offer real-time secure coding suggestions and generate security-focused test cases.
By the conclusion of the session, attendees will acquire tactical insights on integrating ChatGPT and Copilot into their security measures, with an astute awareness of the risks of over-reliance, thereby promoting balanced, effective use of these tools.
Sand & Sea Room
5:40 PM – 6:25 PM
Closing Keynote:
Artificial Intelligence (AI) – Threat, Opportunity, or Both?
The increasing adoption of AI and related technologies globally provides a massive opportunity for humanity. However, as is the case with any disruptive technology, there are also threats that introduce significant risks. Effectively managing these inherent risks is key to leveraging AI in a balanced way.