October 20 2022
Agenda
9:30 AM – 10:15 AM (PDT): Registration and Networking
Terrace Lounge
9:30 AM – 5:25 PM (PDT): Vendor Expo
Garden Terrace Room
10:15 AM – 10:25 AM (PDT): Welcome Address – Richard Greenberg
10:30 AM – 11:15 AM (PDT): Opening Keynote:
“Infosec is Sick”
11:20 AM – 11:40 AM (PDT): “Diversity, Equity and Inclusion (DEI) and the Importance of Social Capitalization in the InfoSec Community”
11:40 AM – 12:00 PM (PDT): Break – Vendor Expo
Garden Terrace Room
12:00 PM – 12:45 PM (PDT): “Finding your way in Container Security”
Ksenia Peguero – Sr. Manager, Research Engineering, Synopsys Software Integrity Group.
Club Room
12:00 PM – 12:45 PM (PDT): “WordPress: Hacking and Securing”
Sam Stepanyan – OWASP London Chapter Leader, Independent Application Security Consultant
12:45 PM – 2:00 PM (PDT): Lunch – Vendor Expo
Garden Terrace Room
2:00 PM – 2:20 PM (PDT):
“Back From The Future: Application Security Lessons From The Iconic 80s”
Club Room
2:00 PM – 2:20 PM (PDT): “The benefits of Shifting API and Application Security Left”
Garden Terrace Room
2:25 PM – 3:10 PM (PDT): “CovertOps on DevOps, why hackers are targeting developers and what you can do about it”
Micki Boland – Cybersecurity Evangelist Office of the CTO, Check Point Software Technologies Ltd
Club Room
2:25 PM – 3:10 PM (PDT): “Why All AppSec Products Suck”
3:10 PM – 3:30 PM (PDT): Break – Vendor Expo
Garden Terrace Room
3:30 PM – 4:15 PM (PDT):
Women in Security Panel: “Governing AppSec; Getting Security into Your SDLC”
Club Room
3:30 PM – 4:15 PM (PDT): “SBOMs. It’s the Least We Can Do”
John Dickson – Vice President of Security Solutions Architecture, Coalfire
Garden Terrace Room
4:20 PM – 5:05 PM (PDT): “A Fully Trained Jedi, You Are Not”
Adam Shostack – Leading Expert in Threat Modeling President, Shostack & Associates
Club Room
4:20 PM – 5:05 PM (PDT): “Russia’s Information Warfare and the U.S. 2022 Elections: The Evolution of Russia’s Playbook since the Start of the War in Ukraine”
Bilyana Lilly, PhD, CISSP – Director of Security Intelligence and Geostrategy at the Krebs Stamos Group
5:05 PM – 5:25 PM (PDT): Break – Vendor Expo
Garden Terrace
5:25 PM – 6:10 PM (PDT): Closing Keynote: “The Case for Runtime Protection”
Jeff Williams
6:10 PM – 6:20 PM (PDT): Closing Remarks and Drawing, Haral Tsitsivas
6:20 PM – 8:30 PM (PDT): Happy Hour
Talk Descriptions:
Garden Terrace Room
10:30 AM – 11:15 AM (PDT)
Opening Keynote: “Infosec is Sick”
Infosec has a serious issue. It’s not doing what it purported to do. It’s not mitigating risk. Just ask the insurance industry – they’re losing an enormous amount on cyber insurance claims. RSnake is going to dig into what the issues are, why we don’t have the right tooling to mitigate risk correctly, why people seem to totally misunderstand how to measure it, how executives roll their eyes at the Infosec leadership, and how we could theoretically fix things.
Garden Terrace Room
11:20 AM – 11:40 AM (PDT)
“Diversity, Equity and Inclusion (DEI) and the Importance of Social Capitalization in the InfoSec Community”
This session takes a deeper dive into some of the DEI challenges that companies face and the role of civil societies in helping communities through this challenge.
Most workers seek to work for a company that values Diversity, Equity, and Inclusion (DEI). Minority and gender gaps are among the cybersecurity workforce’s most persistent challenges: only 4% of cybersecurity workers self-identify as Hispanic, 9% as Black, and 24% as women. Los Angeles is also home to one of the largest numbers of women-owned businesses in the country, and LA has the largest Hispanic population in the United States.
We will take a deep dive into this topic.
Garden Terrace Room
12:00 PM – 12:45 PM (PDT)
“Finding your way in Container Security”
In the last few years, the popularity of DevSecOps and rich cloud services has been driving the adoption of containers in the software industry. Container architectures are becoming increasingly complex, and organizations cannot avoid using them. At the same time, attackers are finding new ways of exploiting containers and container architectures.
Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions.
We start with an introduction to container technologies, briefly go through the key terminology, and explain the value that containers bring today and why they are so popular. Then we will talk about the challenges DevSecOps engineers have when using containers and the security aspects they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as the OWASP Docker Top 10 project, the Container Security Verification Standard, the NIST Application Container Security Guide, and the CIS Benchmarks. We conclude with guidelines on how to secure containers and a list of the best practices that most organizations follow today.
Club Room
11:45 AM – 12:30 PM (PDT)
“WordPress: Hacking and Securing”
WordPress is the world’s most popular Content Management System, which makes it a lucrative target for cybercriminals. Thousands of WordPress-based websites get hacked daily, and according to the GoDaddy report 90% of hacked websites in 2019 were running WordPress CMS. In this talk you will learn about several vulnerabilities and methods used to hack into WordPress websites (including a live demo) and some of the mitigations and methods you can use to improve the security of your WordPress websites.
Garden Terrace Room
2:00 PM – 2:20 PM (PDT)
“Back From The Future: Application Security Lessons From The Iconic 80s”
A DeLorean as a time machine. A treasure hunter chased by a rolling stone. A group of kids stuck together in detention on a Saturday. The Sausage King of Chicago. If you were around in the 80’s you will likely remember the first time you saw each of these great movie moments, and if you were not, you have likely seen them somewhere. Looking back at these iconic movies, they also hold some great hidden truths that are applicable to application security. Join us as we take a quick look at what we can learn about making application security better from these films and borrow a few lessons to move security from mundane to marvelous.
Club Room
2:00 PM – 2:20 PM (PDT)
“The benefits of Shifting API and Application Security Left”
In this session Gadi Bashvitz, Bright Security’s CEO, will discuss how leading global organizations such as Visa, Blackstone, RBC, Nielsen and AB-Inbev are shifting application security left and the benefits they are seeing from this shift. Areas of impact include earlier and faster remediation of vulnerabilities, reduced risk, improved development velocity and improved collaboration between AppSec and Engineering. Gadi will also share best practices on how this shift can be achieved.
Garden Terrace Room
2:25 PM – 3:10 PM (PDT)
“CovertOps on DevOps, why hackers are targeting developers and what you can do about it”
Developers and DevOps are an integral part of the software development lifecycle, and hackers want into the software supply chain. Hackers want in, and you are likely under covert operations, reconnaissance, surveillance and intelligence gathering by hackers as we speak.
Audience: all! CISO, CIO, CTO, developers, developer teams, DevOps management, cybersecurity teams, influencers or decision makers responsible for building security in the software development lifecycle.
Four key security areas for DevSecOps:
– security of the developer as super human
– security in the CI/CD pipeline
– security of the CI/CD pipeline
– security operation and automation
Club Room
2:25 PM – 3:10 PM (PDT)
“Why All AppSec Products Suck”
Dan Kuykendal has been building AppSec products for 20 years and is ready to be candid about the problems with each of the major AppSec products, why they “suck”, and why there is no one-size-fits-most solution. By understanding the inherent limitations of each type of product, along with their strengths, you will be better equipped to pick the solution(s) that will best help you improve your specific AppSec program. He will cover details about SAST, DAST, IAST, SCA, WAF, NG-WAF/RASP and more.
Garden Terrace Room
3:30 PM – 4:15 PM (PDT)
Women in Security Panel:
“Governing AppSec; Getting Security into Your SDLC”
Moderator: Tanya Janca
Club Room
3:30 PM – 4:15 PM (PDT)
“SBOMs. It’s The Least We Can Do…”
SBOMs and Software Supply Chain Security – Emerging Trends and How to Update Strategy to Address Software Risk.
Application security received renewed interest when last April the White House released its Executive Order beefing up cybersecurity and enhancing software supply chain security. One of the key elements of the Executive Order mandated that Federal agencies demand Software Bills of Materials, or SBOMs, from software vendors. Will demanding SBOMs dramatically improve application security for agencies, and will the EO have a broader impact on the commercial market? Aside from demanding SBOMs, what other questions are sophisticated organizations asking of their suppliers to address software risk? What are the deeper security trends impacting organizations that buy and sell software, and how can you adapt to meet these trends?
Learning Objectives
After completing this session, the attendee will:
– Understand software supply chain security trends impacting organizations
– Understand where SBOMs fit in the software security landscape and how organizations can do more to improve the security of applications
– Understand how organizations are adapting software security requirements in a post-Log4J world
Notes
John Dickson is currently a member of the White House Committee for Open Source Security helping the US government and public entities implement Section 4 of the White House Executive Order.
Garden Terrace Room
4:20 PM – 5:05 PM (PDT)
“A Fully Trained Jedi, You Are Not”
As software organizations try to bring security earlier into the development process, what can or should software or operations engineers know about security? Taking it as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they’ll keep building insecure systems. With it, we can have fewer recurring problems that are trivially attackable.
Training everyone at a firm is expensive. Even if the training content is free, people’s time is not. If you have 1,000 people, one hour per person is half a person year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.
We don’t need every developer to be a fully trained Jedi, and we don’t have time to train everyone to that level, or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?
Club Room
4:20 PM – 5:05 PM (PDT)
“Russia’s Information Warfare and the U.S. 2022 Elections: The Evolution of Russia’s Playbook since the Start of the War in Ukraine”
While the U.S. news cycle is still dominated by war developments in Ukraine and their reverberations across the West, from the Nord Stream pipeline sabotages to missile defense deliveries, the U.S. midterm elections are on the horizon. The record shows that the Russian government has exploited previous elections to stoke social instability and spread conspiracy theories to further polarize an already divided U.S. population. Although Putin’s regime is doubling down on its woefully mismanaged Ukrainian invasion, FBI Director Christopher Wray’s recent statement on potential Russian state-sponsored interference in the U.S. midterm elections should be front and center – “the Russians can walk and chew gum.” This talk will focus on what types of Russian state-sponsored cyberattacks and disinformation operations the U.S. can expect around the 2022 elections and beyond.
Terrace Lounge Room
5:25 PM – 6:10 PM (PDT)
Closing Keynote: “The Case for Runtime Protection”
For 20 years, “AppSec” has been recommending all sorts of tools, training, activities, and standards you can use to secure your code. Unfortunately, and despite Herculean effort by smart and dedicated people…it doesn’t seem to be working. We have put an immense amount of effort into coercing developers to do better, but every possible metric shows that it hasn’t made a dent. In fact, maybe the only way to move the needle is by significantly raising the work factor for attackers. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) did this for buffer overflows and radically changed the trajectory of kernel exploits.
In this talk, we are going to discuss how we can replicate this success with web app/API vulnerabilities. We’re going to explore how runtime protection inoculates applications against SQL injection, OGNL injection, unsafe deserialization, and many more entire classes of vulnerability. Runtime protection uses instrumentation to harden applications without having to change anything about the way you code, build, test, or deploy your applications. We’ll share the details of how runtime protection makes the OWASP Top Ten (and more) dramatically more difficult to exploit for hundreds of thousands of apps and APIs in large enterprises. We’ll dig into topics like accuracy, performance, and large scale deployment. But more importantly, we’ll talk about the benefits that runtime protection can have on your entire appsec program and even your security culture.