LASCON X has ended

Tuesday, October 22
 

9:00am

Training: Attacking Android and iOS apps by Example (Day 1)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

Course Description
This course has been prepared after years of research and experience gained through pentesting mobile applications. It is structured to follow the OWASP Mobile Top Ten and the OWASP Mobile Security Testing Guide. This is a hands-on practical course; the skills gained can be applied to mobile security assessments immediately. Each day starts with a brief introduction to the mobile platform for that day, then continues with a look at static analysis, moves on to dynamic checks and finishes with a CTF session to test the skills gained.

Day 1 includes but is not limited to a brief introduction to Android security, a series of techniques focused on static analysis, followed by dynamic analysis covering both monitoring and modifying app behavior at runtime. The day ends with beautiful CTF challenges to entertain even advanced mobile app penetration testers.

Day 2 begins with a brief iOS security crash course, static analysis techniques, followed by dynamic analysis including both monitoring and modifying app behavior at runtime. The day ends with more lovely CTF challenges.

This is a basic outline of the course; it will contain various other components and details that will help the students understand and perform better. This will be a learning experience from which people relatively new to the ever-growing world of mobile security will benefit, while the advanced students will polish their skills in specific areas and perhaps complete more of the CTF challenges.
Topics Included
1. Review of Common Flaws in Source Code
2. Modification of App Behavior Through Code/Configuration Changes
3. Interception of Network Communication Aka MitM
4. Jailbreak/Root Detection Bypasses and App Review from A Privileged Standpoint
5. Instrumentation (Review and Modification of App Behavior)
6. CTF Challenges for Attendees to Test Their Skills

Attendees will be provided with
- Lifetime access to training portal
- Unlimited access to future updates and step-by-step video recordings
- Government-mandated and police apps in various countries
- Unlimited email support for training-related queries
- Many other excitingly vulnerable real-world apps
- IoT apps controlling Toys, Drones, etc.
- Digital copies of all training material
- Custom-built lab VMs
- Purpose-built vulnerable test apps
- Source code for test apps

Hardware/Software Prerequisites
A laptop with the following specifications:
- Ability to connect to wireless and wired networks.
- Ability to read PDF files
- Administrative rights: USB allowed, the ability to deactivate AV, firewall, install tools, etc.
- Knowledge of the BIOS password, in case VT is disabled.
- Minimum 8GB of RAM (recommended: 16GB+)
- 60GB+ of free disk space (to copy a lab VM and other goodies)
- Latest VirtualBox 6.0 or greater, including the “VirtualBox Extension Pack”
- Genymotion (can be the free version)
- A mobile phone capable of receiving text messages
- A jailbroken iPhone / iDevice with iOS >=9 (ideally: iOS 12) for the iOS labs
- Optional but useful: one of Burp Suite, ZAP or Fiddler (for MitM)
- Optional but useful: a Mac/Hackintosh with the latest Xcode installed, for iOS code review & labs

Course Outline:

Day 1: Attacking Android apps by Example
Part 0 - Android Security Crash Course
- The state of Android Security
- Android security architecture and its components
- Android apps and the filesystem
- Android app signing, sandboxing and provisioning
- Recommended lab setup tips
Part 1 - Emphasis on Static Analysis with Runtime Checks
- Tools and techniques to retrieve/decompile/reverse and review APKs
- Identification of the attack surface of Android apps and general information gathering
- Identification of common vulnerability patterns in Android apps: hardcoded secrets, logic bugs, access control flaws, intents, cool injection attacks, and more
- The art of repackaging: Tips to get around not having root, Manipulating the Android Manifest, defeating pinning, defeating root detection, translating APKs in funny languages and more
Part 2 - Focus on Dynamic Analysis
- Monitoring data: LogCat, Insecure file storage, Android keystore, etc.
- The art of MitM: Intercepting Network Communications
- The art of Instrumentation: Hooking with Xposed and Frida
- App behaviour monitoring at runtime
- Defeating Certificate Pinning and root detection at runtime
- Modifying app behaviour at runtime
Part 3 - Test Your Skills
- CTF time

Day 2: Attacking iOS apps by Example
Part 0 - iOS Security Crash Course
- The state of iOS Security
- iOS security architecture and its components
- iOS app signing, sandboxing and provisioning
- iOS apps and the filesystem
- Recommended lab setup tips
Part 1 - Focus on Static Analysis with runtime checks
- Tools and techniques to retrieve/decompile/reverse and review IPAs
- Identification of the attack surface of iOS apps and general information gathering
- Identification of common vulnerability patterns in iOS apps: hardcoded secrets, logic bugs, access control flaws, URL handlers, cool injection attacks, and more
- Patching and Resigning iOS binaries to alter app behaviour
- Tips to test without a jailbreak
Part 2 - Focus on Dynamic Analysis
- Monitoring data: caching, logs, app files, insecure file storage, iOS keychain, etc.
- Crypto flaws
- The art of MitM: Intercepting Network Communications
- Defeating certificate pinning and jailbreak detection at runtime
- The art of Instrumentation: Hooking with Cycript, Frida, Objection
- App behaviour monitoring at runtime
- Modifying app behaviour at runtime
Part 3 - Test Your Skills
- CTF time

Speakers
Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews, and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version...


Tuesday October 22, 2019 9:00am - 5:00pm
TBA

9:00am

Training: Cramming it all in! - Fundamentals of Comprehensive Web Application Testing (Day 1)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

This course provides a balance of practical theory and hands-on testing experience related to the assessment of web applications from the perspective of an offensive security consultant. The main goal is to impart an efficiency-focused mindset along with a framework of techniques a professional penetration tester would leverage to evaluate an application's security posture during a time-compressed client engagement. Students will be guided through a consistent, repeatable, and defined approach towards examining an application's attack-surface given a finite amount of resources. An emphasis will be placed on the efficient identification & verification of common web application vulnerabilities and the subsequent communication of remediation recommendations to clients.

Among the main topics discussed will be automated and manual testing techniques related to initial reconnaissance, resource enumeration, session-handling, vulnerability discovery, authentication mechanisms, access controls, and business logic. This course will also review how the Same-Origin-Policy (SOP) and Cross-Origin Resource Sharing (CORS) mechanisms affect cross-site attacks, highlight various advanced Burp Suite techniques, and pass on strategies designed to help students become better, more capable application-focused security professionals. The OWASP Top 10 will be utilized by this course to frame discussions regarding web application security best practices and the avoidance/remediation of common, high-severity vulnerabilities.

Hands-on labs will accompany each lecture component as the class works through an example of a real-world application assessment workflow. Students will get to work with vulnerable applications carrying common vulnerabilities inspired by ones discovered during real engagements. Once completed, students will possess the skills required to deftly navigate time-limited professional web application assessments and feel confident in their delivery of high-quality consultations their clients will benefit from and employers will reward.

This class will make heavy use of the Burp Suite web proxy testing and scanning tool. A trial license for the professional version of Burp Suite will be provided to students at no cost.

Target Audience: This course is geared towards information security professionals (aspiring or gainfully employed) looking to garner a deeper understanding of how to efficiently conduct consultative web application penetration testing engagements.
Course Outline

Day 1
 - Introduction
 - Consultant Considerations
 - Initial Application Reconnaissance
 - Session Handling
 - Application Enumeration
 - Vulnerability Scanning
 - Response Review
 - Security Headers
 - Cookie Security

Day 2
 - XSS, CSRF, & Same Origin Policy
 - Access Controls
 - Authentication Mechanisms
 - File Upload Tests
 - Business Logic
 - Client-side controls
 - Cryptographic Evaluation
 - Vulnerability Remediations
 - Things we left out (further considerations)

Minimum course requirements:
 - Firm understanding of the HTTP protocol.
 - Familiarity with basic web application attack vectors, theory, and practice.
 - Familiarity with web proxies (preferably Burp Suite) and similar tools.
 
Students are expected to bring a laptop with the following requirements:
 - USB Port
 - Minimum of 8GB RAM
 - At least 10GB of free storage space
 - VMware Player or VMware Fusion installed

Speakers
Ryan Wendel

Senior Application Consultant
Ryan Wendel currently operates as a penetration testing consultant working for the Dell Secureworks Adversary Group. His primary interests and areas of expertise encompass simulating real-world attacks on web applications and external/internal networks & infrastructure. Ryan's technology...


Tuesday October 22, 2019 9:00am - 5:00pm

9:00am

Training: Doing DevSecOps with OWASP Projects (Day 1)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. This training course will help you make sense of the chaos, all with open source projects from OWASP at DevSecOps speed. This two-day hands-on course consists of a series of lectures and corresponding labs which demonstrate practical use of OWASP projects based on past use in real AppSec teams. Knowing that AppSec team size is usually the most critical constraint, the training will cover how to automate the repetitive things, allowing you to spend time on things that require the human brain. Be prepared to return to your company with a whole new arsenal of tools and techniques to make your AppSec efforts more successful by adding automation and OWASP projects running at the speed of DevSecOps. With over 30 years of combined experience between the trainers, the class provides pragmatic and well-tested advice on being successful rather than theoretical ‘best practices’.

Course Outline: https://drive.google.com/file/d/1LSIedlSkPOlgMKd4emt26qdIBcMPgUq5/view

Required Materials
Laptop running a recent version of Docker (within the last ~6 months) with enough free disk space to download several Docker images.


Speakers

Matt Tesauro

Matt Tesauro is currently establishing an SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior...


Tuesday October 22, 2019 9:00am - 5:00pm
TBA

9:00am

Training: Effective Security Leader Training: A Business-Driven Approach with Practical Management Techniques (Only Day)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

Course Description
Being an effective security leader is a challenging prospect. As demand for security professionals increases, technical contributors find themselves thrust into management and leadership positions. Often these contributors feel poorly equipped for their new roles. Unfortunately, they grapple for answers, resources, and support in a haphazard way, lacking clarity or effective practices. This training outlines a method of practice which produces professional value over time. It addresses the differences between technical contribution and management, and between management and leadership. The intended audience are those hungry for guidance, those starting to figure things out the hard way, and those who simply want to deliver outstanding value to their employers and the security profession. The topics include concrete recommendations about how to communicate with peers, increase influence with executives, build relationships with one’s team, introduce risk to the decision-making process, and streamline business innovation. If you’re ready to meet others who are wrestling with similar issues and are driven to perform as a leader, let’s get started.

Course Outline
- The Case for a Business-Driven Approach
- Knowledge Work and Effectiveness
- Business and Risk
- Your Contribution
- Effectiveness Can Be Learned
- Why?
- Are You Ready?
- Meeting the Prerequisites
- Understanding Professional Value
- Security Leader / Business Leader … Is there a Difference?
- Be Productive
- Efficiency vs. Effectiveness
- Parkinson’s Law
- Manage Your Time
- Choose a Method and Stick with It
- Improve Incrementally
- Get Results and Retain Your People
- The Purpose of a Manager
- Break All the Rules
- The Manager Tools Trinity
- Set Goals and Execute
- Influence through Communication
- Communication is What the Listener Does
- Understanding People
- Choose the Right Tool
- Lead with a Story
- Make Effective Decisions
- Behavioral Decision Making
- Practical Risk Analysis
- Strategic Planning
- Measurement
- Understand Business and Innovation
- Business 101
- Make Money
- The Innovator’s Dilemma
- Aligning Security with Business Priorities
- Relevance and Value Above All Else
- Straight Talk
- Execute on the Fundamentals
- Governance and Organization
- Objectives, Goals, and Strategy
- Regulations and Control Frameworks
- Risk Management
- A Primer on Finance and HR
- Hire Slow, Fire Fast
- Encourage Health for Yourself and Those Around You
- Mental Health
- Emotional Health
- Physical Health
- Go Forward and Grow
- Become a Reader
- Find a Mentor
- Participate in the Community
- Practice Makes (Almost) Perfect
- Survey

Required Materials
No materials required

Tuesday October 22, 2019 9:00am - 5:00pm
TBA
 
Wednesday, October 23
 

9:00am

Training: Threat Modeling Workshop (1/2 Day, morning)

(Free Course) - Ticket must be reserved at https://lascon-x-training.eventbrite.com

Threat Modeling is a great way to identify security risk by structuring possible attacks, bad actors and countermeasures over a broad view of the targeted system. Attendees will work through hands-on examples of basic threat modeling concepts and learn how to use them effectively.

This workshop will be a collaborative experience with threat model content created with the audience. We will open the session with a quick introduction and round up of the tools that will be used: attack trees, flow diagrams and related open source software.

Attendees will be able to choose between three ways of getting involved:
- Brainstorming; give your ideas to the whole group to model on a whiteboard.
- Pen and paper; model the group brainstorm ideas and add your own.
- Computer modeling; generate resulting models using code.

We will look at examples from the OWASP Threat Model Cookbook Project and invite attendees to contribute with their creations.

Course Outline:
- Flash introduction on threat modeling
- Selection of participant roles and the target system
- Flow Diagram explanation and collaborative creation
- Attack tree explanation and collaborative creation
- View of code and computer generated diagrams

Required Materials: Pens and paper will be provided. Laptop required only if you want to model as code.


Speakers
Jonathan Marcil

Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently leads the OWASP Media Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Canada, he was the Montreal...


Wednesday October 23, 2019 9:00am - 12:30pm
TBA

9:00am

OWASP Top-10 Training
In this free training, application security expert Josh Sokol will walk developers through some of the most common application security risks that are encountered. You will learn how to detect and prevent common vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). No prior experience is assumed and content will be generically applicable to most programming languages.

Presented by:
Dan Cornell and Josh Sokol!

Please note: Lunch is not provided, and you will not be able to bring food into Norris Conference Center. There are several places within walking distance where you will be able to go to eat during the lunch break.


Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...

Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...


Wednesday October 23, 2019 9:00am - 5:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

9:00am

Training: Attacking Android and iOS apps by Example (Day 2)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

Course description, topics, prerequisites and full two-day outline are as listed under Day 1 of this course (Tuesday, October 22) above.

Speakers
Abraham Aranguren

CEO, 7ASecurity


Wednesday October 23, 2019 9:00am - 5:00pm
TBA

9:00am

Training: Cramming it all in! - Fundamentals of Comprehensive Web Application Testing (Day 2)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

This course offering seeks to provide students a balance of practical theory and hands-on testing experience related to the assessment of web applications from the perspective of an offensive security consultant. The main goal is to communicate the mindset and methodology a professional penetration tester would leverage to comprehensively evaluate an application's security posture during a time-compressed client engagement. The course will guide students through a consistent, repeatable, and defined approach towards examining an application's attack-surface given a finite amount of resources. An emphasis will be placed on the efficient identification & verification of common web application vulnerabilities and the subsequent communication of remediation recommendations to clients.

Among the main topics discussed will be automated and manual testing techniques related to initial reconnaissance, resource enumeration, session-handling, vulnerability scanning, authentication mechanisms, access controls, and business logic. The course will also touch on generic web application security best practices, issues impacting cross-site attacks, various advanced Burp Suite skills, and strategy behind providing the most value to customers given a short engagement time-frame.

Hands-on labs will accompany each lecture component as the class works through an example of a real-world application assessment workflow. Students will get to work with vulnerable applications carrying common vulnerabilities inspired by ones discovered during real engagements. Once completed, students will possess the skills required to deftly navigate time-limited professional web application assessments and feel confident in their delivery of high-quality consultations their clients will benefit from and employers will reward.

This class will make heavy use of the Burp Suite web proxy testing and scanning tool.

Course Outline
Day 1
- Introduction
- Consultant Considerations
- Initial Application Reconnaissance
- Session Handling
- Application Enumeration
- Vulnerability Scanning
- XSS, CSRF, & Same Origin Policy
- Security Headers
- Cookie Security
- Access Controls

Day 2
- Authentication Mechanisms
- Session Management Mechanisms
- File Upload Tests
- Business Logic
- Client-side controls
- Cryptographic Evaluation
- Comment Review
- Vulnerability Remediations
- Things we left out (further considerations)

Required Materials
Minimum course requirements:
- Firm understanding of the HTTP protocol.
- Familiarity with basic web application attack vectors, theory, and practice.
- Familiarity with web proxies (preferably Burp Suite) and similar tools.
Students are expected to bring a laptop with the following requirements:
- USB Port
- Minimum of 8GB RAM
- At least 30GB of free storage space
- VMware Player or VMware Fusion installed
Speakers
Ryan Wendel

Senior Application Consultant


Wednesday October 23, 2019 9:00am - 5:00pm

9:00am

Training: Doing DevSecOps with OWASP Projects (Day 2)

(Paid Course) - Ticket can be purchased at https://lascon-x-training.eventbrite.com

Course description, outline link and required materials are as listed under Day 1 of this course (Tuesday, October 22) above.


Speakers
Matt Tesauro


Wednesday October 23, 2019 9:00am - 5:00pm
TBA

1:30pm

Training: Threat Modeling Workshop (1/2 Day, afternoon)

(Free Course) - Ticket must be reserved at https://lascon-x-training.eventbrite.com

Workshop description, session outline and required materials are the same as for the morning session of this workshop above; this is a repeat of that half-day session.


Speakers
Jonathan Marcil


Wednesday October 23, 2019 1:30pm - 5:00pm
TBA
 
Thursday, October 24
 

7:30am

Breakfast Tacos (Sponsored by AT&T Cybersecurity)
Thursday October 24, 2019 7:30am - 8:45am
(Expo Room) Live Oak Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

7:30am

Registration Opens
Registration will be available after the time specified.

Thursday October 24, 2019 7:30am - 9:00am
Lobby 2525 W Anderson Ln #365, Austin, TX 78757, USA

8:00am

Expo Hall Open
Thursday October 24, 2019 8:00am - 5:00pm
Expo Hall (Live Oak Room)

9:00am

Keynote: Tanya Janca
Speakers
Tanya Janca

CEO and Co-Founder, Security Sidekick
Tanya Janca is the co-founder and CEO of Security Sidekick. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops...


Thursday October 24, 2019 9:00am - 10:00am
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

A Stratagem on Strategy: Rolling Testing into Product Testing
Commercial software products rely on formal test strategies to describe who will perform testing, the process that will be followed, the depth of testing, and more. Test strategies are extended by test plans that detail specific tests that will be executed and how success will be measured. Test strategies and plans support objectively evaluating that software meets requirements and functions properly.

Conversely, security teams think about where security gates should be in the SDLC and deploy SAST, DAST, IAST, or a combination. Rarely is it considered what level of coverage these methods provide, and output from security testing is not mapped back to requirements. Compared to other teams involved in the SDLC, security seems to just be winging their test strategies and plans.

This talk will describe how product teams leverage test strategies and plans to make sure software delivered meets requirements, and how security can do the same.

Speakers
Kevin Fealey

Senior Manager, Product Security, EY



Thursday October 24, 2019 10:00am - 11:00am
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Invited Speaker - Dan Cornell
Speakers
Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...



Thursday October 24, 2019 10:00am - 11:00am
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

New age cloud security - How to build secure multi-cloud applications and still sleep well at night.
Application security can be incredibly complicated. For most developers, it's one of the hardest parts of creating an app. How can you be sure that you are protecting your users' information? How can you be sure your system cannot be infiltrated? How do you manage access controls, and ensure you address all the newly discovered vulnerabilities? What if your application runs on different cloud providers, with completely different security systems? Looking for answers? Join us in this session to learn the latest security industry trends!

Speakers
Anton Aleksandrov

Chief Architect, IBM Cloud Application Identity Service, IBM
Anton Aleksandrov is the Chief Architect for IBM Cloud Application Identity Service - a cloud service that lets developers easily add authentication, authorization and user profile capabilities to apps and APIs running on cloud. Having 15+ years of hands-on software architecture...


Thursday October 24, 2019 10:00am - 11:00am
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Being Powerful While Powerless: Elevating Security by Leading Without Authority
Inculcating security into a company’s culture is a difficult task in itself. Let’s envision there’s a situation where you’re an individual contributor without a CSO or Director title. Also, imagine that you’re the only member of the Security team and are solely responsible for securing the entire company in a fast-paced, ever-changing environment. That illustration depicted my situation before we grew the team. Are you in such a position? Or are you considering a new opportunity with this scenario?

In this talk, I’ll explore how I leveraged both technical and non-technical strategies for exerting soft power to build a functional, secure foundation and evangelize security as an IC on a 1-person Security team. By building tools and implementing programs, I effectively scaled myself across the organization (engineering and non-engineering alike) by empowering others to deeply care about security too. I’ll share lessons learned and how to thrive in this role.

Speakers
Nathan Yee

Application Security Engineer, Gusto
Nathan is an Application Security Engineer on the Security team at Gusto, where he partners with engineers to securely develop software by creating tools, consulting on security designs, and delivering security training. Before joining Gusto, he was an early engineer at Synack. Nathan...


Thursday October 24, 2019 10:00am - 11:00am
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

Application Logging in the Era of GDPR
Applications log their activities for a variety of purposes, including security. Developers and operations personnel adopt OWASP tools and others to enhance the security posture of their products and services.

On the one hand, businesses have different security requirements based on the risks faced by and trust levels required of their products. More relevant security guidance is often needed by developers. On the other hand, GDPR is the law safeguarding the privacy of individual EU citizens. This affects all products sold or operated in the EU. Developers often raise questions regarding what data can or cannot be logged to maintain GDPR compliance. Although much material and training on GDPR exists, little of it provides guidance on application logging.

In this talk, we describe how we address these issues, including security and privacy related to application logging, protection of log data, and the impacts of GDPR. Audiences will take away recommendations and tips.

Speakers


Thursday October 24, 2019 11:00am - 12:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

Choosing the Right Static Code Analyzers Based on Hard Data
Published research shows that static code analysis cost-effectively catches security weaknesses before they become exploitable vulnerabilities. But finding the right code analyzers can be challenging.
This talk will discuss research funded by the U.S. Department of Homeland Security to deliver unbiased methods and information to assess and compare the performance of static analyzer products.
In this talk we introduce a new, freely-available website that presents the results of our research. We will discuss plans to track the types of weaknesses that analyzers can detect to help people quickly find the right analyzer and how to achieve good detection coverage of multiple weaknesses.
We’ll discuss the properties of analyzers important to consider when bringing one (or a few!) into your development pipeline. We’ll also cover plans to benchmark results quality using real code, not artificial data sets. Finally, we’re looking forward to audience feedback on what information or capabilities are important.

Speakers
Chris Horn

Product Strategy & Development, Secure Decisions & Code Dx
Chris Horn is a Researcher at Secure Decisions, an R&D organization, and helps guide product development at Code Dx. He is currently engaged in several application security (AppSec) research projects, including: developing a system for benchmarking static code analyzers, studying...


Thursday October 24, 2019 11:00am - 12:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

The End of the AppSec Team
Is your application security team large enough? After growing beyond a few people, security teams often find themselves desperately trying to hire more AppSec folks. While this is good for those of us in the industry, is it even mathematically possible to hire enough AppSec folks to handle the amount of code, features, platforms, and products the rest of your organization is churning out? Even with all the tools one can buy, it is unlikely the AppSec team can ever match the pace of the rest of the engineering team. If the AppSec team can never be big enough, what can we do? Well, let’s hop into our time machines, skip past the current AppSec grind, and take a look into the future at the end of the AppSec team.

Speakers
Justin Collins

Brakeman Guy
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. His commercial product, Brakeman Pro, was acquired by Synopsys in 2018.



Thursday October 24, 2019 11:00am - 12:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:30am

Lunch - Day 1
Red Oak Ballroom is available (with musician!)

Thursday October 24, 2019 11:30am - 1:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

The Hacker Hippocampus: Meet your brain on games
<New Talk as of 9/26/19>
Always on the edge of your seat when it comes to new exploits and tricks? Bug bounties, CTFs, live hacking events, simulations, and interactive educational modules have been proven to stimulate and reinforce new tools and knowledge, making us stronger red teamers, blue teamers, and purple teamers.
But how did gamification come into play in infosec?

This interactive talk shares the history of gamification in infosec, how our brains are stimulated by them, and how it’s transforming lives.


Speakers
Chloé Messdaghi

Security Researcher Advocate, WoSEC & WomenHackerz
Chloe Messdaghi is a Security Researcher Advocate. Since entering the cybersecurity space, she has seen security as a humanitarian issue. Her humanitarian work includes advising as a UN Volunteer, serving as a board member for several humanitarian organizations and starting a nonprofit called...


Thursday October 24, 2019 12:00pm - 1:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

Living in AppSec [Promised|Fantasy|Wonder]land
If you've ever listened to the AA Podcast (Absolute AppSec that is), you may have heard how GitHub is AppSec Fantasyland (or something similar). This presentation will tell you how that is true ... and how it's not. We will talk about what makes GitHub AppSec FantasyLand and why sometimes it isn't. We'll talk about what we've done at GitHub "to make AppSec suck less" (if that's your bar for a fantasy land). We'll also talk about the challenges we still face in making AppSec at GitHub the promised land some dream it to be.

Speakers


Thursday October 24, 2019 12:00pm - 1:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

Security Code Analysis is for Everyone
Software applications have become a crucial part of our lives in today's world. Having said that, these applications can also pose a real security threat, not just to the businesses, but also to the end-users. Hackers always find new ways to bypass security.

Securing your applications against such threats is no longer a nice-to-have, but has become a necessity. Considering the impact of some of these attacks, it is important for organizations to follow a proactive approach rather than a reactive one in identifying and fixing vulnerabilities.

Given the complexity of applications, size of the code base, use of third-party libraries, number of developers contributing to projects, lack of knowledge of security vulnerabilities, etc., it is almost impossible to identify every loophole in the source code. This is exactly where Security Code Analysis comes to the rescue.

Speakers
Gal Shtokhamer

Senior software engineer, Thales
Gal is a senior developer who has worked in the Cloud Protection team for 5 years. She has been working in software development for about 20 years. She has a BSc degree in Bioinformatics from Ben Gurion University in Israel.
Masooma Faquih

Software Developer, Thales Group



Thursday October 24, 2019 12:00pm - 1:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Achieve AI-powered API Privacy using Open Source
This presentation, part talk and part practical demonstration, will introduce Privacy-by-Design (PbD) onto a typical software application as part of a Secure Development Lifecycle, with a live demo showcasing how artificial intelligence (AI) can contribute to the process. We will cover:

- How ever-increasing privacy regulation impacts the software industry now, and what the future may bring.
- What lessons we can learn from the DevSecOps approach to security
- How we can harness both PbD and threat modeling to control software risk up front, addressing privacy issues before they impact consumers
- Leveraging security defense approaches to protect customer information
- Introduction to Deep Neural Networks (DNN); how DNN can be leveraged to address privacy concerns
- How to use free and open source software (TensorFlow, Keras and PrivAPI) to roll out Privacy-by-Design
- Live demo based on free and open source stack(s); showcasing AI for detecting sensitive dataflows in a typical API

Speakers
Gianluca Brigandi

Founder & CEO, Atricore Inc.



Thursday October 24, 2019 1:00pm - 2:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

How to Secure a nodejs Application End-to-End
Since the creation of the first web application, more and more applications are moving to the web. As applications, data, and the users migrate online, so do the respective threats. Viruses that used to infect people’s computers now try to steal user data online.
As developers, it is our responsibility to protect our end users from potential threats. Although the vulnerabilities apply to any web server, the tools and best practices we will discuss are specific to nodejs-based web servers. Nodejs is a JavaScript runtime which can be used to serve web applications with highly scalable asynchronous I/O.

Speakers
Muzamil Muein

Senior Software Architect, Thales
Muein Muzamil is a member of the technical community at Thales and works as a senior software architect in the Enterprise and Cybersecurity group based in Austin, TX. His research interests include evolving authentication solutions, federated authentication, one-time password (OTP...



Thursday October 24, 2019 1:00pm - 2:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Invited Speaker - Josh Sokol
Speakers
Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...


Thursday October 24, 2019 1:00pm - 2:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Learning the Power of the “Not My Responsibility” Mindset
Security engineers are naturally responsible people, but that responsibility can sometimes lead to burnout in the engineers and a lack of progress on actually improving security within the company. Learn about how shifting responsibility to the business helps improve accountability, reduce friction, and keep security engineers from burning out.

Speakers
Nick Leghorn

Manager, Information Security Risk Management, Indeed
Nick Leghorn leads the Information Security Risk Management Team for Indeed. After graduating from Penn State University with a degree in Security and Risk Analysis, he worked for the U.S. Department of Homeland Security quantifying terrorism risks and identifying mitigations to provide...



Thursday October 24, 2019 1:00pm - 2:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Threat Modelling Stories from the Trenches
Threat modelling is a software analysis technique capable of finding design defects. But what sort of issues are uncovered in practice using threat modelling? This talk bridges the gap between theory and practice by describing case studies – design flaws uncovered for actual (but anonymised) systems across many domains, for example online gaming, two-factor authentication, business-to-business, embedded, and cloud. In this talk we are less concerned with theory. Instead, in this interactive session the attendee will gain insight into the mindset of threat modelling by considering mistakes in the real world. Along the way we will (re)learn secure design principles and attack patterns and see how the theory is expressed in reality.

Speakers
Stark Riedesel

Associate Principal Consultant, Synopsys



Thursday October 24, 2019 2:00pm - 3:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Invited Speaker - Peter Ewane
Speakers
Peter Ewane

Senior Security Manager, Capgemini
Peter Ewane is a Senior Manager with Capgemini's Cyber Security Practice leading teams to deliver secure outcomes for clients through optimized security operations and threat intelligence. Before Capgemini, he was part of the Alienvault security research team where he researched...


Thursday October 24, 2019 2:00pm - 3:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

The Battle to Address Mobile in the Endpoint Security Space

What contains your personal and corporate data, is most likely not running the latest OS, and is constantly connected to the Internet?

Mobile devices are used more than ever, generating 52.2% of all website traffic worldwide.  Not only that, but they are also being targeted more than ever. 74% of IT leaders from global enterprises report that their organization has experienced a data breach due to a mobile security issue.

It's not surprising that mobile devices have been ranked the #1 hardest enterprise asset to defend.  Compounded by bring-your-own-device policies, enterprises are struggling to protect themselves against mobile threats. Attacks on the endpoint are no longer limited to servers and desktop PCs. 

Join me during this session to learn about the challenges and successes the endpoint security industry has had addressing mobile. Learn about the evolution of mobile device protection, where it is today, and where it is headed. 


Speakers
Allie Mellen

Cybereason
Allie writes about security at Cybereason. She has several years of experience in cybersecurity and has been recognized globally for her security research. She has a B.S. degree in Computer Engineering and has had various engineering, mobile app development, and consulting roles in...



Thursday October 24, 2019 2:00pm - 3:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Kubernetes Ingress-Nginx Security from Beginner to Expert
In Kubernetes the Nginx-Ingress Controller is one of the most widely deployed Ingress Controllers. It is the gateway to your applications, the metaphorical door person right outside. Securing it is crucial to the overall security of your cloud, yet many times it is not properly configured, leaving it vulnerable to a variety of attacks.

This presentation will go over the various ways of securing your application with the Nginx-Ingress Controller.

Speakers
Fernando Diaz

Technical Marketing Manager, GitLab
I'm a Technical Marketing Manager at Gitlab. I'm passionate about OpenSource and have contributed to several OpenStack and Kubernetes Projects. Keeping Austin Weird one coldbrew at a time.



Thursday October 24, 2019 2:00pm - 3:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:45pm

Snack Break
Thursday October 24, 2019 2:45pm - 3:15pm
Expo Hall (Live Oak Room)

3:00pm

Cloud Security At Scale: Managing the Chaos
This talk will cover the journey that many organizations take when moving to the cloud. Large enterprises face a harder road moving their on-prem and legacy infrastructure to the cloud in a secure way. We'll discuss the dos and don'ts of making that journey.

Speakers
Ken Toler

Consultant, IBM
Michael McCabe

President, MBM Consultants
Michael McCabe is the president of MBM Consultants. Michael helps clients migrate their workloads to the cloud in a secure and managed way. He's worked with large financials during their cloud migrations and transformations. He focuses on creating secure, sane and organized solutions...


Thursday October 24, 2019 3:00pm - 4:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

3:00pm

"On the Internet, nobody knows you're a dog": Revisiting the meme after 25 years
"On the Internet, nobody knows you're a dog" is an adage and meme about identity verification on the Internet, or rather the lack thereof. It began as a cartoon caption by Peter Steiner and was published by The New Yorker on July 5, 1993. Ironically, a quarter of a century later we still seem to be battling the same issues, though on a different scale, and are now looking towards artificial intelligence and machine learning techniques. This talk will provide a high-level overview of the historical trends, current challenges and future opportunities in the field of user identity, online authentication, and access management. The current landscape of AI and ML with specific focus on the identity space will be discussed. It will cover scenarios that work, those that don’t and those that can perhaps serve as a cautionary tale for technologists and policy makers alike.

Speakers

Thursday October 24, 2019 3:00pm - 4:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

3:00pm

Invited Speaker - Mary Haskett
Face Recognition & Privacy

The concept of identifying people based upon unique physical characteristics dates back to 14th century China where we have found evidence of fingerprinting. Since then, we have developed many other characteristics to use to identify people including iris (colored part of the eye), gait, palm vein patterns, hand geometry and face recognition. Of all of these techniques, face recognition has been the most controversial because it can be collected passively - without the user’s knowledge or consent. Recent media coverage has often been inaccurate and accidentally (or intentionally) misleading, generating further controversy. Face recognition surveillance can be a terrible invasion of user privacy and the foundation of an Orwellian police state. However, not all face recognition is used for surveillance and the technology CAN be used in a privacy preserving way if designed correctly. Existing privacy legislation attempts to address these issues and bring control back to the user, but the legal landscape is complex. This talk will address existing face recognition, privacy legislation world-wide and will dispel common myths about the strengths and weaknesses of this valuable identification technology.

Speakers
Mary Haskett

CEO, Blink Identity
Mary Haskett is the CEO and co-founder of Blink Identity, an Austin based startup developing a unique privacy-preserving face recognition product that can identify people at a full walking speed and in any lighting conditions. She got her start running a skydiving school and went...



Thursday October 24, 2019 3:00pm - 4:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

4:00pm

Detect Insider Threats Using Blockchains
The tamper-resistant property of blockchains can be used to identify insider threats to centralized DBs.

Speakers
Nishit Majithia

Nishit Majithia is currently working as a security engineer at Walmart Labs, India. During the internship time of his B.Tech degree, he contributed one payload in ISRO's IMS-1A satellite. After getting M.Tech degree in Cyber Security area from IIT Kanpur, Nishit developed his curiosity...
Rohit Sehgal

Cybersecurity Engineer, VISA
A security enthusiast with sound knowledge of Linux binary exploitation and web penetration testing. I love to play with secure systems and always try to find innovative ways to crack systems. Postgraduate of IIT Kanpur with specialization in System Security. Have experience in Cyber...


Thursday October 24, 2019 4:00pm - 5:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

4:00pm

Baited Canaries - Monitoring attackers with active beacons
By creatively combining properties of various document viewing environments with canary tokens, we are able to gain valuable information directly from our attackers and their victims. These ‘baited’ canaries act as a mixture of trip-wires and call-back beacons and give us the unique opportunity to detect attacks against our users before they happen.

Speakers
Gregory Caswell

Manager of Application Security, Indeed


Thursday October 24, 2019 4:00pm - 5:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

4:00pm

Soft Skills Panel
Join Wendy Nather, Tanya Janca and Marcus Carey to talk about the value of "soft" skills. We'll cover what these skills are and how they work in real life. We'll chat about whether these skills are really that soft, or whether they are required for success in business. We'll take a balanced approach to the topic, acknowledging the value of strictly technical track folks. It will be a spicy panel!

Speakers
Chip Coy

Consultant, NTT Data Services
I've been a security consultant for quite a while; one might say I'm "acoustic coupler" old. I've broken into systems (authorized of course), fixed up systems, and developed/operated security programs to keep systems secure. I like to travel, cook, read, scuba dive.
Tanya Janca

CEO and Co-Founder, Security Sidekick
Tanya Janca is the co-founder and CEO of Security Sidekick. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops...
Wendy Nather

Head of Advisory CISOs, Duo Security (Cisco)
Kate Brew

Editor of blog, AT&T Cybersecurity
Love InfoSec! OWASP and LASCON volunteer. Editor of corporate InfoSec blog for past 6 years. Before that, product management and product marketing.
Marcus Carey

Enterprise Architect, ReliaQuest
Marcus J. Carey is an Enterprise Architect at ReliaQuest. Prior to joining ReliaQuest he was the founder and CEO at Threatcare (acquired by ReliaQuest). Marcus has over 20 years of cybersecurity experience and has worked in penetration testing, incident response, and digital forensics...


Thursday October 24, 2019 4:00pm - 5:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

5:00pm

Fireside Chat
Speakers
Roger Thornton

VP of Products and Technology, AT&T Cybersecurity
Roger Thornton, VP Products & Technology, AT&T Cybersecurity, has more than 25 years of experience in the computer and network security industry. He has driven the formation and growth of dozens of new companies including Fortify Software and hundreds of products, serving in a wide...


Thursday October 24, 2019 5:00pm - 6:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

5:00pm

Speed Debates
Thursday October 24, 2019 5:00pm - 6:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

5:00pm

Happy Hour
Thursday October 24, 2019 5:00pm - 7:00pm
Lobby 2525 W Anderson Ln #365, Austin, TX 78757, USA

5:00pm

Ride the Bull!
Thursday October 24, 2019 5:00pm - 7:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA
 
Friday, October 25
 

8:00am

Expo Hall Open
Friday October 25, 2019 8:00am - 3:00pm
Expo Hall (Live Oak Room)

9:00am

Keynote: John Bambenek
Speakers
John Bambenek

Keynote Speaker
John Bambenek is the Vice President for Security, Research and Intelligence with ThreatSTOP, Lecturer in the Department of Computer Science at the University of Illinois at Urbana-Champaign and a handler with the SANS Internet Storm Center. He has over 19 years of experience in information...



Friday October 25, 2019 9:00am - 10:00am
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Security Management 101: Practical Techniques They Should’ve Taught You
Becoming a new manager in information security can be overwhelming. As demand for security professionals increases, technical contributors find themselves thrust into management and leadership positions, and often feel poorly equipped. Unfortunately, they grapple for answers, resources, and support in a haphazard way, lacking clarity or effective practices.

This presentation introduces the fundamental activities a new manager should adopt. It addresses the differences between technical contribution and management, and between management and leadership. The intended audience are those hungry for guidance, those starting to figure things out the hard way, and those who simply want to deliver outstanding value to their employers and the security profession.

The topics include concrete recommendations about how to build relationships with one’s team and get results. If you’re ready to meet others who are wrestling with similar issues and are driven to perform as a leader, let’s get started.

Speakers

Friday October 25, 2019 10:00am - 11:00am
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Lost in Translation: Communicating Outside of Security
As organizations adopt DevSecOps, security professionals interact more and more with pure development teams. If you’ve ever explained why security is important to a developer, however, you’ve probably run into a language barrier. This talk is given by a developer/casual hacker that wants to help infosec communities understand communication pitfalls; some common language we can all use; and what developers need from security to succeed.

Speakers
Jessica Schalz

Security Engineer
I love talking about app sec tools, organizational psychology in security, and diversity/inclusion! Also dogs and Golang!


Friday October 25, 2019 10:00am - 11:00am
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Security Instrumentation Is the Future of All Software
Building security in has failed. After decades of attempts to improve software security, vulnerability rates are still staggering, attacks are increasing in volume and severity, development speed is increasing, and we have perennial talent shortages.  In essence, we have been unable to push security into software through software development. But maybe there’s another way. Using instrumentation, we can add security capabilities to already compiled applications without changing any code. Just a few examples of these new capabilities include:
  • Intrusion detection so applications can diagnose attacks
  • Automatic self-reporting of software bill of materials (SBOM)
  • Dynamic software composition analysis (DSCA)
  • Interactive security testing for detecting novel vulnerabilities
  • Runtime protection to make vulnerabilities unexploitable
Future applications won’t be static executables, but will be the result of dynamically merging business logic and powerful security capabilities. Dynamic instrumentation is a safe and powerful way for development and security teams to collaborate. Come learn from the inventor how instrumentation works, how it is already enhancing the security of applications in thousands of organizations, and what the future holds for this powerful technology.

Speakers
Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and love... Read More →



Friday October 25, 2019 10:00am - 11:00am
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

10:00am

Sexy Mobile App Attacks by Example
This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps.

This entirely practical walkthrough will cover anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Seriff, Chinese Police apps to gather info about citizens, and much more.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.

Speakers
Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews, and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version... Read More →


Friday October 25, 2019 10:00am - 11:00am
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

A DevOps View of AppSec
Friday October 25, 2019 11:00am - 12:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

Thwarting Intruders with Ever Morphing Infrastructure
Is it possible to break the cyber attack lifecycle by continuously reshuffling the infrastructure and services being attacked?
How would an intruder perform reconnaissance on a network when physical servers are reimaged and brought back online with new keys, passwords, and IP addresses every few hours? We use modern application development and DevOps techniques such as a service mesh and a bare metal cloud to build an ever-morphing cloud of physical servers. Is that enough to thwart the enemy?

Speakers
John Studarus

Software Architect, JHL Consulting
John merges his interests in computing infrastructure, networking, and software security. His background includes leading product teams, writing prototype code and examining distributed systems at Fortune 500s and startups alike. He brings a rare combination of technical expertise... Read More →



Friday October 25, 2019 11:00am - 12:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:00am

NetFlow? Where We're Going, We Don't Need... NetFlow
You have SIEM & NetFlow to catch the adversary, but can you query your data for useful information? Do you truly understand what is leaving your network?

This talk is for security professionals and developers who are curious about helping the SecOps folks.

General security knowledge is all that is required to benefit from this talk, but seasoned security gurus will find this helpful too.

We will discuss an ingenious approach to log analysis that augments enterprise security monitoring tools; specifically we will look at analyzing outbound network traffic.

I will cover the visibility gap and how with a bit of scripting I created a tool to quickly discover the most relevant information.

You will leave with specific ideas you can implement in your organization to augment and enhance your threat hunting and blue team operations.

Speakers
Petr Sidopulos

Petr is a security professional in the Austin area. He enjoys both Red team and Blue team activities, log analysis, mentoring, and automating every task he finds boring. When not thinking about world domination, Petr likes to spend time with his family, traveling, camping, and firing... Read More →



Friday October 25, 2019 11:00am - 12:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

11:30am

Lunch - Day 2
Red Oak Ballroom is available (with musician!)

Friday October 25, 2019 11:30am - 1:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

Micro-services Challenges - Istio to the Rescue
It is widely accepted that monolithic applications do not scale well in a cloud environment. The micro-services pattern offers a solution to monolithic application challenges such as scalability, agility, and availability. However, micro-services come with their own set of challenges and issues: duplication of common code is a major one, and where different technologies are used there is not only duplication of code but re-implementation of common functionality in each technology. Micro-services also add significant overhead for operations, who have to manage many applications.
There is a need to solve the micro-service overhead problem so developers can focus on implementing business requirements instead of re-implementing common functionality. It should also remain easy for DevOps teams to manage and monitor all applications in a uniform way. Monitoring should become easier as well, so that there is an efficient way of diagnosing issues: where the application is failing, which micro-service is at fault, and so on.

Speakers
Famechon Benoit

R&D Manager, Thales
Benoit Famechon is an R&D manager in the Cloud Protection and Licensing unit of Gemalto, a Thales company (Austin). He is currently heading a team to develop Authentication, Access Management and Identity based solutions. He has worked in embedded development for Telecommunication... Read More →



Friday October 25, 2019 12:00pm - 1:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

Reversing Client Side JavaScript Using the Chrome Dev Tools Protocol
This talk will show how the Chrome Dev Tools protocol works and how we can use it to reverse JavaScript and alter the behavior of an app to find bugs and vulnerabilities. This can be done by writing functions that modify the behavior of web applications and that can automate pentesting tasks. A Go based tool that allows anyone to write simple plugins for use with this protocol will also be demoed.

Speakers
Alex Useche

Senior Application Security Consultant, nVisium
Alex is an Application Senior Security Consultant at nVisium with over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked and architected mobile and web applications in a wide range of... Read More →


Friday October 25, 2019 12:00pm - 1:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

12:00pm

Breaking Into Red Teaming
Lots of people are interested in being part of a Red Team. What does it take? This talk will cover the basics regarding the knowledge and skills needed to find a role for yourself and become successful within a Red Team program.

Speakers
David Hughes

I am a Red Team lead at General Motors and large scale password analysis is one of my side projects. I’ve been in the IT industry for over 20 years, most of which has involved penetration testing and Red Teaming. I am heavily involved in the local Austin security community, OWASP... Read More →
Johnny Medina

Offensive Security Lead, General Motors
Johnny is an Offensive Security Lead responsible for leading logical and physical penetration testing and red teaming security assessments globally. Johnny has a Bachelor’s in Technology Management, Masters in Cyber Security Strategy and holds certifications including CISSP, GPEN... Read More →


Friday October 25, 2019 12:00pm - 1:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Do Certain Types of Developers or Teams Write More Secure Code?
Why do some developers and development teams write more secure code than others? In this talk we will describe several human factors—developer, team and environmental characteristics—that influence whether developers will inadvertently introduce security weaknesses into their code. We’ll present the results of research on how factors such as developer experience, disrupted attention, team size, team co-location, communication, work hours, and code rewrites affect software security. The research results are drawn from DoD-funded R&D conducted by our company on both open-source and proprietary software repositories, as well as academic research on software engineering practices. At the end of the talk, we will describe how others can participate in this research.

Speakers
Chris Horn

Product Strategy & Development, Secure Decisions & Code Dx
Chris Horn is a Researcher at Secure Decisions, an R&D organization, and helps guide product development at Code Dx. He is currently engaged in several application security (AppSec) research projects, including: developing a system for benchmarking static code analyzers, studying... Read More →
Anita Damico

CEO, Code Dx
Anita D’Amico, PhD is CEO of Code Dx, Inc. which provides open-source and commercial application security solutions based on advanced technologies developed by Secure Decisions, an R&D organization which she also directs. Her roots are in experimental psychology and human factors... Read More →


Friday October 25, 2019 1:00pm - 2:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

How to Build an Effective Malware Protection Architecture for File Uploads in Modern Web Apps
Web applications have traditionally accepted files uploaded via web portals, which had bot prevention controls to distinguish bots uploading files from users. With the boom of the API economy, more and more applications have started accepting files over APIs. This makes uploading files programmatically available to good bots, but it is also a vector that allows numerous file uploads during a day. This convenience also comes with security shortcomings: for example, files cannot be analysed manually for potential malware since their number is huge, and the web app's business functionality may require synchronous processing. This talk will look at a novel approach to building and operating a practical automated malware analysis platform, and at the considerations for scaling it at enterprise level while maintaining the heavy performance needs of web apps, to effectively detect and discard malicious file uploads.

Speakers
Ravi K Muthukrishnan

Product Security Lead, Visa Inc.
Ravi is a technologist and a security expert specializing in web application security, cloud security, data protection, risk management, and cybersecurity. He has 8+ years of global work experience in the cybersecurity industry. He is currently leading security architecture for Visa... Read More →


Friday October 25, 2019 1:00pm - 2:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Running FaaS with Scissors
Taking a DevSecOps mindset has created many opportunities to nudge organizations into improving how we create secure code. The security and DevOps landscape has continued to evolve with many exciting improvements in the past year. In this talk, we'll cover the new methods available utilizing serverless and Function as a Service (FaaS) technologies. We'll discuss how you can pave a speedy road for app teams to develop while constructing guard rails using OpenFaaS. Utilizing containerized security tools allows for dramatically quicker and more consistent assessments of both running and static code. By using the techniques discussed, you can change security testing from an occasional point-in-time exercise to continuous testing with fast feedback loops. Having created these at past employers, we bring real-world experience of creating fast and agile testing automation to AppSec teams.

Speakers
Matt Tesauro

Matt Tesauro is currently establishing a SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior... Read More →



Friday October 25, 2019 1:00pm - 2:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:00pm

Invited Speaker - HD Moore
Speakers
HD Moore

Developer, Critical Research Corporation
H D Moore is a network security expert, open source programmer, and hacker. He is a developer of the Metasploit Framework, a penetration testing software suite, and the founder of the Metasploit Project. He served as Chief Research Officer at Boston, MA based security firm Rapid7, a... Read More →



Friday October 25, 2019 1:00pm - 2:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

1:45pm

Snack Break
Friday October 25, 2019 1:45pm - 2:15pm
Expo Hall (Live Oak Room)

2:00pm

Offensive Threat Models Against the Supply Chain
This presentation focuses on applying a more adversarial threat model to supply chain systems that are integrated into client environments. It focuses on how to research geo-political risk issues or historical threats that are specific to your industry as a means to begin building an effective threat library. From there, the presentation covers how to build upon that library with a list of attack sequences and targets that would be the objects of your supply chain threat model.

Speakers
Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Tony... Read More →



Friday October 25, 2019 2:00pm - 3:00pm
Contrast Security Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Securing Modern API and Microservices-based Applications by Design
This talk provides the audience with a high level understanding of modern API and microservices-based application architectures, awareness of key security concerns with these architectures, and knowledge of how best to secure microservices and their APIs. The speaker leverages existing concepts and his years of experience building security architecture patterns and solutions in this domain for one of the world's largest global financial institutions to present actionable architectural take-aways.

Friday October 25, 2019 2:00pm - 3:00pm
Under Armour Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Invited Speaker - Shannon Leitz
Speakers
Shannon Leitz

Director, DevSecOps, Intuit
Award winning leader in security innovation with experience developing emerging security programs for Fortune 500 companies: Intuit, ServiceNow, Sony, Sempra Energy, Savvis, Cable and Wireless, 99 Cents Only, Exodus, Bank of America, among others internationally. Received the Scott... Read More →


Friday October 25, 2019 2:00pm - 3:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

2:00pm

Assessing Maturity: OpenSAMM and BSIMM
How do you tell how mature your software security initiative is? Should you use OpenSAMM or BSIMM as a measuring stick? Both? How do you assess an organization against them? Learn about their similarities, differences, and best practices for putting them to use.

Speakers
Robin Murphy

Application Security Governance, Federal Reserve Bank of St. Louis



Friday October 25, 2019 2:00pm - 3:00pm
Cypress Room 2525 W Anderson Ln #365, Austin, TX 78757, USA

3:00pm

Badge Game Walk-Thru
Speakers
Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information... Read More →


Friday October 25, 2019 3:00pm - 4:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA

3:00pm

Expo Hall Closes
Expo Hall closes at 3:00 PM on Friday. Thanks to all our wonderful Sponsors!

Friday October 25, 2019 3:00pm - 5:00pm
Expo Hall (Live Oak Room)

4:00pm

Closing, Giveaways and Drawings!
Friday October 25, 2019 4:00pm - 5:00pm
Red Oak Ballroom 2525 W Anderson Ln #365, Austin, TX 78757, USA