LASCON X has ended


Security track
Wednesday, October 23


OWASP Top-10 Training
In this free training, application security expert Josh Sokol will walk developers through some of the most common application security risks that are encountered. You will learn how to detect and prevent common vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). No prior experience is assumed and content will be generically applicable to most programming languages.

Presented by:
Dan Cornell and Josh Sokol!

Please note: Lunch is not provided, and you will not be able to bring food into Norris Conference Center. There are several places within walking distance where you will be able to go to eat during the lunch break.

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...

Josh Sokol

Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...

Wednesday October 23, 2019 9:00am - 5:00pm
Red Oak Ballroom, 2525 W Anderson Ln #365, Austin, TX 78757, USA

Thursday, October 24


Being Powerful While Powerless: Elevating Security by Leading Without Authority
Inculcating security into a company’s culture is a difficult task in itself. Let’s envision there’s a situation where you’re an individual contributor without a CSO or Director title. Also, imagine that you’re the only member of the Security team and are solely responsible for securing the entire company in a fast-paced, ever-changing environment. That illustration depicted my situation before we grew the team. Are you in such a position? Or are you considering a new opportunity with this scenario?

In this talk, I’ll explore how I leveraged both technical and non-technical strategies for exerting soft power to build a functional, secure foundation and evangelize security as an IC on a 1-person Security team. By building tools and implementing programs, I effectively scaled myself across the organization (engineering and non-engineering alike) by empowering others to deeply care about security too. I’ll share lessons learned and how to thrive in this role.


Nathan Yee

Application Security Engineer, Gusto
Nathan is an Application Security Engineer on the Security team at Gusto, where he partners with engineers to securely develop software by creating tools, consulting on security designs, and delivering security training. Before joining Gusto, he was an early engineer at Synack. Nathan...

Thursday October 24, 2019 10:00am - 11:00am
Cypress Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


The End of the AppSec Team
Is your application security team large enough? After growing beyond a few people, security teams often find themselves desperately trying to hire more AppSec folks. While this is good for those of us in the industry, is it even mathematically possible to hire enough AppSec folks to handle the amount of code, features, platforms, and products the rest of your organization is churning out? Even with all the tools one can buy, it is unlikely the AppSec team can ever match the pace of the rest of the engineering team. If the AppSec team can never be big enough, what can we do? Well, let’s hop into our time machines, skip past the current AppSec grind, and take a look into the future at the end of the AppSec team.


Justin Collins

Brakeman Guy
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. His commercial product, Brakeman Pro, was acquired by Synopsys in 2018.

Thursday October 24, 2019 11:00am - 12:00pm
Under Armour Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Living in AppSec [Promised|Fantasy|Wonder]land
If you've ever listened to the AA Podcast (Absolute AppSec that is), you may have heard how GitHub is AppSec Fantasyland (or something similar). This presentation will tell you how that is true ... and how it's not. We will talk about what makes GitHub AppSec FantasyLand and why sometimes it isn't. We'll talk about what we've done at GitHub "to make AppSec suck less" (if that's your bar for a fantasy land). We'll also talk about the challenges we still face in making AppSec at GitHub the promised land some dream it to be.


Thursday October 24, 2019 12:00pm - 1:00pm
Cypress Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Security Code Analysis is for Everyone
Software applications have become a crucial part of our lives in today's world. Having said that, these applications can also pose a real security threat, not just to the businesses, but also to the end-users. Hackers always find new ways to bypass security.

Securing your applications against such threats is no longer a nice-to-have, but has become a necessity. Considering the impact of some of these attacks, it is important for organizations to follow a proactive approach rather than a reactive one in identifying and fixing the vulnerabilities.

Given the complexity of applications, size of code base, use of third-party libraries, number of developers contributing to projects, lack of knowledge of security vulnerabilities, etc., it is almost impossible to identify every loophole in the source code. This is exactly where Security Code Analysis comes to the rescue.


Gal Shtokhamer

Senior software engineer, Thales
Gal is a senior developer who has worked in the Cloud Protection team for 5 years. She has been working in software development for about 20 years. She has a BSc degree in Bioinformatics from Ben Gurion University in Israel.

Masooma Faquih

Software Developer, Thales Group


Thursday October 24, 2019 12:00pm - 1:00pm
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Learning the Power of the “Not My Responsibility” Mindset
Security engineers are naturally responsible people, but that responsibility can sometimes lead to burnout in the engineers and a lack of progress on actually improving security within the company. Learn about how shifting responsibility to the business helps improve accountability, reduce friction, and keep security engineers from burning out.


Nick Leghorn

Manager, Information Security Risk Management, Indeed
Nick Leghorn leads the Information Security Risk Management Team for Indeed. After graduating from Penn State University with a degree in Security and Risk Analysis, he worked for the U.S. Department of Homeland Security quantifying terrorism risks and identifying mitigations to provide...

Thursday October 24, 2019 1:00pm - 2:00pm
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Kubernetes Ingress-Nginx Security from Beginner to Expert
In Kubernetes, the Nginx-Ingress Controller is one of the most widely deployed Ingress Controllers. It is the gateway to your applications, the metaphorical door person right outside. Securing it is crucial to the overall security of your cloud, yet many times it is not properly configured, leaving it vulnerable to a variety of attacks.

This presentation will go over the various ways of securing your application with the Nginx-Ingress Controller.


Fernando Diaz

Technical Marketing Manager, GitLab
I'm a Technical Marketing Manager at GitLab. I'm passionate about open source and have contributed to several OpenStack and Kubernetes projects. Keeping Austin Weird one cold brew at a time.

Thursday October 24, 2019 2:00pm - 3:00pm
Under Armour Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Baited Canaries - Monitoring attackers with active beacons
By creatively combining properties of various document viewing environments with canary tokens, we are able to gain valuable information directly from our attackers and their victims. These ‘baited’ canaries act as a mixture between trip-wires and call-back beacons and give us the unique opportunity to detect attacks against our users before they happen.


Gregory Caswell

Manager of Application Security, Indeed

Thursday October 24, 2019 4:00pm - 5:00pm
Under Armour Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Soft Skills Panel
Join Wendy Nather, Tanya Janca and Marcus Carey to talk about the value of "soft" skills. We'll cover what these skills are and how they work in real life. We'll chat about whether these skills are really that soft, or whether they are required for success in business. We'll take a balanced approach to the topic, acknowledging the value of strictly technical track folks. It will be a spicy panel!


Chip Coy

Consultant, NTT Data Services
I've been a security consultant for quite a while; one might say I'm "acoustic coupler" old. I've broken into systems (authorized, of course), fixed up systems, and developed/operated security programs to keep systems secure. I like to travel, cook, read, scuba dive.

Tanya Janca

Founder, SheHacksPurple.dev
Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. She also consults part time for IANs Research. Her obsession with securing software runs deep, from starting her company...

Wendy Nather

Head of Advisory CISOs, Duo Security (Cisco)

Kate Brew

Editor of blog, AT&T Cybersecurity
Love InfoSec! OWASP and LASCON volunteer. Editor of corporate InfoSec blog for past 6 years. Before that, product management and product marketing.

Marcus Carey

Enterprise Architect, ReliaQuest
Marcus J. Carey is an Enterprise Architect at ReliaQuest. Prior to joining ReliaQuest he was the founder and CEO at Threatcare (acquired by ReliaQuest). Marcus has over 20 years of cybersecurity experience and has worked in penetration testing, incident response, and digital forensics...

Thursday October 24, 2019 4:00pm - 5:00pm
Red Oak Ballroom, 2525 W Anderson Ln #365, Austin, TX 78757, USA

Friday, October 25


Sexy Mobile App Attacks by Example
This talk is a comprehensive review of interesting security flaws that we have discovered over the years in many Android and iOS mobile apps.

This entirely practical walkthrough will cover anonymized juicy findings from reports that we could not make public, interesting vulnerabilities in open source apps with strong security requirements such as password vaults and privacy browsers, security issues in government-mandated apps with considerable media coverage such as Smart Seriff, Chinese Police apps to gather info about citizens, and much more.

This talk is for those who are intending to broaden their knowledge of mobile security with actionable information derived from real-world penetration testing of mobile apps.


Abraham Aranguren

CEO, 7ASecurity
After 13 years in itsec and 20 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews, and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version...

Friday October 25, 2019 10:00am - 11:00am
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


NetFlow? Where We're Going, We Don't Need... NetFlow
You have SIEM & NetFlow to catch the adversary, but can you query your data for useful information? Do you truly understand what is leaving your network?

This talk is for security professionals and developers who are curious about helping the SecOps folks.

General security knowledge is all that is required to benefit from this talk, but seasoned security gurus will find this helpful too.

We will discuss an ingenious approach to log analysis that augments enterprise security monitoring tools; specifically we will look at analyzing outbound network traffic.

I will cover the visibility gap and how with a bit of scripting I created a tool to quickly discover the most relevant information.

You will leave with specific ideas you can implement in your organization to augment and enhance your threat hunting and blue team operations.


Petr Sidopulos

Petr is a security professional in the Austin area. He enjoys both Red team and Blue team activities, log analysis, mentoring, and automating every task he finds boring. When not thinking about world domination, Petr likes to spend time with his family, traveling, camping, and firing...

Friday October 25, 2019 11:00am - 12:00pm
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Breaking Into Red Teaming
Lots of people are interested in being part of a Red Team. What does it take? This talk will cover the basics regarding the knowledge and skills needed to find a role for yourself and become successful within a Red Team program.


David Hughes

I am a Red Team lead at General Motors and large scale password analysis is one of my side projects. I’ve been in the IT industry for over 20 years, most of which has involved penetration testing and Red Teaming. I am heavily involved in the local Austin security community, OWASP...

Johnny Medina

Offensive Security Lead, General Motors
Johnny is an Offensive Security Lead responsible for leading logical and physical penetration testing and red teaming security assessments globally. Johnny has a Bachelor’s in Technology Management, a Master's in Cyber Security Strategy and holds certifications including CISSP, GPEN...

Friday October 25, 2019 12:00pm - 1:00pm
Contrast Security Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA


Assessing Maturity: OpenSAMM and BSIMM
How do you tell how mature your software security initiative is? Should you use OpenSAMM or BSIMM as a measuring stick? Both? How do you assess an organization against them? Learn about their similarities, differences, and best practices for putting them to use.


Robin Murphy

Application Security Governance, Federal Reserve Bank of St. Louis

Friday October 25, 2019 2:00pm - 3:00pm
Cypress Room, 2525 W Anderson Ln #365, Austin, TX 78757, USA