October 20 2022

9:30 AM – 10:15 AM (PDT) Registration and Networking

9:30 AM – 5:25 PM (PDT): Vendor Expo

11:40 AM – 12:00 PM (PDT) Break – Vendor Expo

12:00 PM – 12:45 PM (PDT): “WordPress: Hacking and Securing“

Sam Stepanyan – OWASP London Chapter Leader, Independent Application Security Consultant

12:45 PM – 2:00 PM (PDT) Lunch – Vendor Expo

2:00 PM – 2:20 PM (PDT): “The benefits of Shifting API and Application Security Left“

2:25 PM – 3:10 PM (PDT): “Why All AppSec Products Suck“

3:10 PM – 3:30 PM (PDT) Break – Vendor Expo

3:30 PM – 4:15 PM (PDT): “SBOMs. It’s the Least We Can Do“

John Dickson – Vice President of Security Solutions Architecture, Coalfire

4:20 PM – 5:05 PM (PDT): “Russia’s Information Warfare and the U.S. 2022 Elections: The Evolution of Russia’s Playbook since the Start of the War in Ukraine“

Bilyana Lilly, PhD, CISSP – Director of Security Intelligence and Geostrategy at the Krebs Stamos Group

5:05 PM – 5:25 PM (PDT) Break – Vendor Expo

6:20 PM – 8:30 PM (PDT): Happy Hour

Talk Descriptions:

Opening Keynote: “Infosec is Sick”

Robert Hansen

Infosec has a serious issue. It’s not doing what it purported to do. It’s not mitigating risk. Just ask the insurance industry – they’re losing an enormous amount on cyber insurance claims. RSnake is going to dig into what the issues are, why we don’t have the right tooling to mitigate risk correctly, why people seem to totally misunderstand how to measure it, how executives roll their eyes at the Infosec leadership, and how we could theoretically fix things.

“Diversity, Equity and Inclusion (DEI) and the Importance of Social Capitalization in the InfoSec Community”

Adriana Sanford

This session takes a deeper dive into some of the DEI challenges that companies face and the role of civil societies in helping communities through this challenge.
Most workers seek to work for a company that values Diversity, Equity, and Inclusion (DEI). Minority and gender gaps are among some of the cybersecurity workforce’s most persistent challenges. Only 4% of cybersecurity workers self-identify as Hispanic, 9% as Black, and 24% as women. Los Angeles is also home to one of the largest number of women-owned businesses in the country. LA has also the largest Hispanic population in the United States.
We will take a deep dive into this topic.

“Finding your way in Container Security”

Ksenia Peguero

In the last few years, the popularity of DevSecOps and rich cloud services have been driving the adoption of containers in the software industry. Container architectures become increasingly complex, and organizations cannot escape using them. At the same time, attackers are finding new ways of exploiting containers and container architectures.
Are you still new to containerization and infrastructure as code? Do you feel that your knowledge of application security suddenly doesn’t apply to the way applications are built and deployed using containers? Do you get lost in the IaC and container terminology soup? If so, this talk will help clear things up and answer your questions.
We start with an introduction into container technologies, briefly go through the key terminology, explain the value that containers bring today, and why they are so popular. Then we will talk about the challenges that DevSecOps engineers have when using contains and the security aspects that they face. This presentation includes descriptions of common container threats and real-world examples of recent attacks. These threats will guide our discussion of the typical vulnerabilities and attack vectors. We will touch on well-known standards and resources for container security, such as OWASP Docker Top 10 project, Container Security Verification Standard, NIST Application Container Security Guide, and CIS Benchmarks. And we conclude with guidelines on how to secure containers and listing best practices that most organizations follow today.

“Wordpress: Hacking and Securing”

Sam Stepanyan

WordPress is the world’s most popular Content Management System, which makes it a lucrative target for cyber criminals.
Thousands of WordPress-based websites get hacked daily and according to the GoDaddy report 90% of hacked websites
in 2019 were running WordPress CMS. In this talk you will learn about several vulnerabilities and methods used to
hack into WordPress websites (including live demo) and some of the mitigations and methods you can use to improve
the security of your WordPress websites.

“Back From The Future: Application Security Lessons From The Iconic 80s”

Robert Cuddy

A DeLorean as a time machine. A treasure hunter chased by a rolling stone. A group of kids stuck together in detention on a Saturday. The Sausage King of Chicago. If you were around in the 80’s you will likely remember the first time you each of these great movie moments, and if you were not, you have likely seen them somewhere. In looking back at these iconic movies; they also hold some great hidden truths that are applicable to application security. Join us as we take a quick look at what we can learn about making applications security better these and borrow a few lessons to move security from mundane to marvelous.

“The benefits of Shifting API and Application Security Left”

Gadi Bashvitz

In this session Gadi Bashvitz, Bright Security’s CEO will discuss how leading global organizations such as Visa, Blackstone, RBC, Nielsen and AB-Inbev are shifting application security left and the benefits they are seeing from this shift. Areas of impact include earlier and faster remediation of vulnerabilities, reduced risk, improved development velocity and improved collaboration between AppSec and Engineering. Gadi will also share best practices on how this shift can be achieved.

“CovertOps on DevOps, why hackers are targeting developers and what you can do about it”

Micki Boland

Developers and DevOps is integral part of software development lifecycle and hackers want into the software supply chain. Hackers want in and you are likely under covert operations, reconnaissance, surveillance and intelligence gathering by hackers as we speak.
Audience: all! CISO, CIO, CTO, developers, developer teams, DevOps management, cybersecurity teams, influencers or decision makers responsible for building security in the software development lifecycle.

Four key security areas for DevSecOps?
– security of the developer as super human
– security in the CI/CD pipeline
– security of the CI/CD pipeline
– security operation and automation

“Why All AppSec Products Suck”

Dan Kuykendall

Dan Kuykendal has been building AppSec products for 20 years, and is ready to be candid about the problems with each of the major AppSec products and why they “suck” and there is no one-size fits most solution. By understanding the inherent limitations of each type of product, along with their strengths you will be better equipped to pick the solution(s) that will best help you improve your specific AppSec program. Will be covering details about SAST, DAST, IAST, SCA, WAF, NG-WAF/RASP and more.

Women in Security Panel:
“Governing AppSec; Getting Security into Your SDLC”
Moderator: Tanya Janca

“SBOMs. It’s The Least We Can Do…”

John Dickson

SBOM’s and Software Supply Chain Security – Emerging Trends and How to Update Strategy to Address Software Risk.

Application security received renewed interested when last April the White House released its Executive Order beefing up cybersecurity and enhancing software supply chain security. One of the key elements of the Executive Order mandated that Federal agencies demand Software Build of Materials, or SBOMs, from software vendors. Will demanding SBOMs dramatically improve application security for agencies and will the EO have a broader impact on the commercial market? Aside from demanding SBOMs, what are other questions sophisticated organizations are asking of their suppliers to address software risk? What are the deeper security trends impacting organizations that buy and sell software and how can you adapt to meet these trends?

Learning Objectives
After completing this session, the attendee will:
– Understand software supply chain security trends impacting organizations
– Understand where SBOMs fit in the software security landscape and how organizations can do more to improve the security of applications
– How organizations are adapting software security requirements in a post-Log4J world

Notes
John Dickson is currently a member of the White House Committee for Open Source Security helping the US government and public entities implement Section 4 of the White House Executive Order.

“A Fully Trained Jedi, You Are Not”

Adam Shostack

As software organizations try to bring security earlier in the development processes, what can or should software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they’ll keep building insecure systems. With them, we can have fewer recurring problems that are trivially attackable.
Training everyone at a firm is expensive. Even if the training content is free, people’s time is not. If you have 1,000 people, one hour per person is half a person year (before any overhead). So there is enormous pressure to keep it quick, ensure it meets compliance standards like PCI, and … the actual knowledge we should be conveying is almost an afterthought. We need to design knowledge scaffolding and tiered approaches to learning, and this talk offers a structure and tools to get there.
We don’t need every developer to be a fully trained Jedi, and we don’t have time to train everyone to that level, or even as much as we train security champs. So what could we ask everyone to know, and how do we determine what meets that bar?

“Russia’s Information Warfare and the U.S. 2022 Elections: The Evolution of Russia’s Playbook since the Start of the War in Ukraine”

Bilyana Lilly

While the U.S. news cycle is still dominated by war developments in Ukraine and their reverberations across the West, from the Nord Stream pipeline sabotages to missile defense deliveries, the U.S. midterm elections are on the horizon. The record shows that the Russian government has exploited previous elections to stoke social instability and spread conspiracy theories to further polarize an already divided U.S. population. Although Putin’s regime is doubling down on its woefully mismanaged Ukrainian invasion, FBI Director Christopher Wray’s recent statement on potential Russian state-sponsored interference in the U.S. midterm elections should be front and center – “the Russians can walk and chew gum.” This talk will focus on what types of Russian state-sponsored cyberattacks and disinformation operations the U.S. can expect around the 2022 elections and beyond.

Closing Keynote: “The Case for Runtime Protection”

Jeff Williams

For 20 years, “AppSec” has been recommending all sorts of tools, training, activities, and standards you can use to secure your code. Unfortunately, and despite Herculean effort by smart and dedicated people…it doesn’t seem to be working. We have put an immense amount of effort into coercing developers to do better, but every possible metric shows that it hasn’t made a dent. In fact, maybe the only way to move the needle is by significantly raising the work factor for attackers. Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) did this for buffer overflows and radically changed the trajectory of kernel exploits.
In this talk, we are going to discuss how we can replicate this success with web app/API vulnerabilities. We’re going to explore how runtime protection inoculates applications against SQL injection, OGNL injection, unsafe deserialization, and many more entire classes of vulnerability. Runtime protection uses instrumentation to harden applications without having to change anything about the way you code, build, test, or deploy your applications. We’ll share the details of how runtime protection makes the OWASP Top Ten (and more) dramatically more difficult to exploit for hundreds of thousands of apps and APIs in large enterprises. We’ll dig into topics like accuracy, performance, and large scale deployment. But more importantly, we’ll talk about the benefits that runtime protection can have on your entire appsec program and even your security culture.