October 20 2022

9:30 AM – 10:20 AM (PDT) Registration and Networking

9:30 AM – 5:25 PM (PDT): Vendor Expo

10:20 AM – 10:35 AM (PDT): Welcome Address – Richard Greenberg

10:40 AM – 11:25 AM (PDT): Opening Keynote: “Infosec is Sick“
Robert Hansen, CTO, Bit Discovery

11:25 AM – 11:45 AM (PDT) Break – Vendor Expo

11:45 AM – 12:30 PM (PDT): “WordPress: Hacking and Securing“

Sam Stepanyan – OWASP London Chapter Leader, Independent Application Security Consultant

12:30 PM – 2:00 PM (PDT) Lunch – Vendor Expo

2:00 PM – 2:20 PM (PDT): Diamond Sponsor Welcome

2:25 PM – 3:10 PM (PDT): “Why All AppSec Products Suck“

3:10 PM – 3:30 PM (PDT) Break – Vendor Expo

3:30 PM – 4:15 PM (PDT): “SBOMs. It’s the Least We Can Do“

John Dickson – Vice President of Security Solutions Architecture, Coalfire

4:20 PM – 5:05 PM (PDT): “Adding DAST to CI/CD, Without Losing Any Friends“

Tanya Janca – Founder & CEO at We Hack Purple Academy

5:05 PM – 5:25 PM (PDT) Break – Vendor Expo

5:25 PM – 6:10 PM (PDT): Closing Keynote : “The Case for Runtime Protection“
Jeff Williams

6:10 PM – 6:20 PM (PDT): Closing Remarks and Drawing, Haral Tsitsivas

6:20 PM – 8:30 PM (PDT): Happy Hour

Talk Descriptions:

Opening Keynote: “Infosec is Sick”

Robert Hansen

Infosec has a serious issue. It’s not doing what it purported to do. It’s not mitigating risk. Just ask the insurance industry – they’re losing an enormous amount on cyber insurance claims. RSnake is going to dig into what the issues are, why we don’t have the right tooling to mitigate risk correctly, why people seem to totally misunderstand how to measure it, how executives roll their eyes at the Infosec leadership, and how we could theoretically fix things.

“Finding your way in Container Security”

Ksenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures.
Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions.
We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

“Wordpress: Hacking and Securing”

Sam Stepanyan

WordPress is the world’s most popular Content Management System, which makes it a lucrative target for cyber criminals.
Thousands of WordPress-based websites get hacked daily and according to the GoDaddy report 90% of hacked websites
in 2019 were running WordPress CMS. In this talk you will learn about several vulnerabilities and methods used to
hack into WordPress websites (including live demo) and some of the mitigations and methods you can use to improve
the security of your WordPress websites.

“CovertOps on DevOps, why hackers are targeting developers and what you can do about it”

Micki Boland

Developers and DevOps is integral part of software development lifecycle and hackers want into the software supply chain. Hackers want in and you are likely under covert operations, reconnaissance, surveillance and intelligence gathering by hackers as we speak.
Audience: all! CISO, CIO, CTO, developers, developer teams, DevOps management, cybersecurity teams, influencers or decision makers responsible for building security in the software development lifecycle.

Four key security areas for DevSecOps?
– security of the developer as super human
– security in the CI/CD pipeline
– security of the CI/CD pipeline
– security operation and automation

“Why All AppSec Products Suck”

Dan Kuykendall

Dan Kuykendal has been building AppSec products for 20 years, and is ready to be candid about the problems with each of the major AppSec products and why they “suck” and there is no one-size fits most solution. By understanding the inherent limitations of each type of product, along with their strengths you will be better equipped to pick the solution(s) that will best help you improve your specific AppSec program. Will be covering details about SAST, DAST, IAST, SCA, WAF, NG-WAF/RASP and more.

Women in Security Panel:
“Governing AppSec; Getting Security into Your SDLC”
Moderator: Tanya Janca

“SBOMs. It’s The Least We Can Do…”

John Dickson

SBOM’s and Software Supply Chain Security – Emerging Trends and How to Update Strategy to Address Software Risk.

Application security received renewed interested when last April the White House released its Executive Order beefing up cybersecurity and enhancing software supply chain security. One of the key elements of the Executive Order mandated that Federal agencies demand Software Build of Materials, or SBOMs, from software vendors. Will demanding SBOMs dramatically improve application security for agencies and will the EO have a broader impact on the commercial market? Aside from demanding SBOMs, what are other questions sophisticated organizations are asking of their suppliers to address software risk? What are the deeper security trends impacting organizations that buy and sell software and how can you adapt to meet these trends?

Learning Objectives
After completing this session, the attendee will:
– Understand software supply chain security trends impacting organizations
– Understand where SBOMs fit in the software security landscape and how organizations can do more to improve the security of applications
– How organizations are adapting software security requirements in a post-Log4J world

Notes
John Dickson is currently a member of the White House Committee for Open Source Security helping the US government and public entities implement Section 4 of the White House Executive Order.

“A Fully Trained Jedi, You Are Not”

Adam Shostack

As software organizations try to bring security earlier in the development processes, what can or should software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they’ll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable.
Training everyone at a firm is expensive. Even if the training content is free, people’s time is not. If you have 1,000 people, one hour per person is half a person year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.
We don’t need every developer to be a fully trained Jedi, and we don’t have time to train everyone to that level, or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?

“Adding DAST to CI/CD, Without Losing Any Friends”

Tanya Janca

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this talk we will discuss multiple options for adding dynamic application security testing (DAST) to your CI/CD, in ways that won’t compromise speed or results, such as limiting scope, using HAR files, using test subsets, etc. We will also cover several other options for automation of finding vulnerabilities in your web apps and APIs, all at the speed of DevOps.

Closing Keynote: “The Case for Runtime Protection”

Jeff Williams

For 20 years, “AppSec” has been recommending all sorts of tools, training, activities, and standards you can use to secure your code. Unfortunately, and despite Herculean effort by smart and dedicated people…it doesn’t seem to be working. We have put an immense amount of effort into coercing developers to do better, but every possible metric shows that it hasn’t made a dent. In fact, maybe the only way to move the needle is by significantly raising the work factor for attackers. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) did this for buffer overflows and radically changed the trajectory of kernel exploits.
In this talk, we are going to discuss how we can replicate this success with web app/API vulnerabilities. We’re going to explore how runtime protection inoculates applications against SQL injection, OGNL injection, unsafe deserialization, and many more entire classes of vulnerability. Runtime protection uses instrumentation to harden applications without having to change anything about the way you code, build, test, or deploy your applications. We’ll share the details of how runtime protection makes the OWASP Top Ten (and more) dramatically more difficult to exploit for hundreds of thousands of apps and APIs in large enterprises. We’ll dig into topics like accuracy, performance, and large scale deployment. But more importantly, we’ll talk about the benefits that runtime protection can have on your entire appsec program and even your security culture.