OWASP - User contributions [en]

2019 BASC Agenda

2019-10-15T16:00:47Z

Laberdale: Add Steven Pelletier

{{2019_BASC:Header_Template | Agenda}}


__FORCETOC__

 
 

= Presentations =


{| style="width:80%" border="0" align="center"
! colspan="3" align="center" |
<table>
<tr>
<td>
[[File:OWASP Logo.gif]] 
</td>
<td>
'''Presentations OWASP Boston Application Security Conference Saturday, October 19, 2019'''
</td>
</tr>
</table>
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 8:30-9:30
| colspan="7" style="width:80%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Breakfast and Registration''' 
provided by our Platinum Sponsor 
'''[https://www.whitehatsec.com/ WhiteHat Security]''' 
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 09:00-09:50
| colspan="6" style="width:80%; margin:10px; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Opening Keynote''' 
'''[[2019_BASC_Homepage#Keynotes|The Internet Sucks. Should we replace it?]]''' 
'''[[2019_BASC_Homepage#Keynotes|Andy Ellis]]''' 

|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" | || align="center" style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Washington/Jefferson Room'''
| align="center" style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Adams Room'''
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 10:00-10:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|OWASP Serverless Top 10|Tal Melamed }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 11:00-11:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Critical Thinking in Cybersecurity|Kristin Dahl }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 12:00-1:00 || colspan="2" style="background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
'''Lunch''' 
provided by our Platinum Sponsor 
'''[https://www.ordr.net/ Ordr]''' 
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 1:00-1:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Defending against the Acceleration of Client-Side Website Attacks|Aanand Krishnan }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Open Source Security on a Shoestring|Paulina Valdivieso }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 2:00-2:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer & Rashmi Patil }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 3:00-3:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Artie Jurgenson }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi & Reza Mirzazade Farkhani }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 4:00-4:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|The User Experience of Information Security|Chris Chagnon & Ryan LaMarche }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 5:00-5:30
| colspan="2" style="width:30%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width: 1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
'''Social Time''' 
provided by our Platinum Sponsor 
'''[https://www.nccgroup.trust/ NCC Group]''' 
|-
| rowspan="2" style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 1px" align="center" | 5:30-6:30
| colspan="2" style="width:30%; background:#background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Closing Keynote''' 
'''[[2019_BASC_Homepage#Keynotes|Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations]]''' 
'''[[2019_BASC_Homepage#Keynotes|Kevin Johnson]]'''
|-
| colspan="2" style="width:30%; background:#background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" | '''Raffle''' 
'''Wrap Up'''
 
|}



= Workshops =

{| style="width:80%" border="0" align="center"
! colspan="7" align="center" |
<table>
<tr>
<td>
[[File:OWASP Logo.gif]] 
</td>
<td>
'''Workshops OWASP Boston Application Security Conference Saturday, October 19, 2019'''
</td>
</tr>
</table>
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" |
| align="center" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Attitash'''
| align="center" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Monroe'''
| align="center" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Cannon'''
| align="center" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Bretton Woods'''
| align="center" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Jay Peak'''
| align="center" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Cranmore'''
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 10:00-10:50
| rowspan="2" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Resume_Agenda_Template|Session 1 }}
| rowspan="6" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|CMD+CTRL Cyber Range|Chad Holmes }}
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|Capture Ever-Evolving Security Needs of Users with IKE & Proto-Research Persona Development|Prateek Jain & Ryan LaMarche }}
| rowspan="2" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|The Ultimate Secure Coding Showdown|Brad Giguere & Steven Pelletier }}
| rowspan="2" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|How to Talk to Humans|Kitty Huang & Roy Wattanasin }}
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|Zero to Hero: Intro to Web App Pentesting|Carson Owlett & Gabrielle Hempel }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 11:00-11:50
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 1:00-1:50
| rowspan="4" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Resume_Agenda_Template|Session 2 }}
| rowspan="5" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" |
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|Threat Modeling Workshop|Robert Hurlbut }}
| rowspan="5" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" |
| rowspan="4" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|AWS Cloud Security Fundamentals|Joshua Dow & Rami McCarthy }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 2:00-2:50
| rowspan="1" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 3:00-3:50
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|Effective Threat Modeling with CTM|Izar Tarandach }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" | 4:00-4:50
| style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
|}

{{2019_BASC:Footer_Template | Agenda}}

2019 BASC Speakers

2019-10-15T15:58:32Z

Laberdale: Add Steven Pelletier

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brad Giguere ===
'''Secure Code Warrior''' 
Brad Giguere is a Sales Engineer for Secure Code Warrior, a global security company that makes software development better and more secure. Giguere has worked in the technology and SAAS software industry for the majority of his career and is passionate about helping organizations better understand their business challenges and translating those into a solution tailored to meet their needs. He now focuses on empowering development teams to be the first line of defense in making security a highly visible piece of the SDLC.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. She is also a relationship coach. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security Lab (SecLab) at Northeastern University, working with Prof. Engin Kirda. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Steven Pelletier ===
'''Secure Code Warrior''' 
Steven Pelletier is an Enterprise Account Executive for Secure Code Warrior. Secure Code Warrior is a global software security company that aims to make software development more secure by offering an interactive gamified training platform. After serving 10 years in the US military, he transitioned into the technology industry where he has helped organizations understand complex business requirements while implementing new solutions to help hit target KPIs and advance the organization's mission.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Workshops

2019-10-15T15:56:16Z

Laberdale: Add Steven Pelletier

{{2019_BASC:Header_Template | Workshops}}

__FORCETOC__
We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

== All-Day Workshop ==
{{2019_BASC:Presentaton_Info_Template|CMD+CTRL Cyber Range|Chad Holmes| | | }}
Want to test your skills in identifying web app vulnerabilities? Join OWASP Boston and Security Innovation as members compete in [https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/ CMD+CTRL] a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

When you register for BASC and select to attend this CMD+CTRL Cyber Range workshop, a link will be provided so you can reserve your spot with Security Innovation. Spaces are limited. Register early to reserve your spot!

== Morning Workshops ==

{{2019_BASC:Presentaton_Info_Template|The Ultimate Secure Coding Showdown|Brad Giguere and Steven Pelletier| | | }}
Are. You. Ready? Head to the AppSec battlefield and prove that you are the ultimate secure coding champion. Go head-to-head with your peers as you test your web application security knowledge of the OWASP Top 10. Strut your skills. Crush the competition. Score excellent prizes and take home the title of Secure Code Warrior!

Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability. Select from a range of software languages to complete the tournament, including Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django, Scala Play & Node.JS. It’s gamified, it’s relevant, but most of all - it’s fun.

Watch as you earn points and climb to the top of the real-time leaderboard during the event. Prizes will be awarded to the top 3 point scorers, with one security superhero being crowned the ultimate Secure Code Warrior. Will it be you?

Psst: Want to test your secure coding skills at your own pace, without the competition? You’re welcome to come along and join the fun.

'''''Participants must bring a laptop.'''''

{{2019_BASC:Presentaton_Info_Template|Zero to Hero: Intro to Web App Pentesting|Carson Owlett and Gabrielle Hempel| | | }}
As more information and functionality moves to the internet, the interface between end users and web application servers becomes increasingly vulnerable. Because of these visible vulnerabilities, penetration testing skills are in high demand; however, courses catering to beginners and those wanting to get a “foot in the door” are scarce. In this workshop, you can utilize a custom environment and expertise in order to begin your journey into offensive security. We will focus on four areas of web application penetration testing: injection, XSS, XXE, and insecure deserialization. This course welcomes total beginners and will be largely oriented towards those wanting to build a foundation in web application pentesting.

'''''Users should have a laptop equipped with BurpSuite.'''''

{{2019_BASC:Presentaton_Info_Template|Capture Ever-Evolving Security Needs of Users with IKE and Proto-Research Persona Development|Prateek Jain and Ryan LaMarche| | | }}
In this workshop, grounded in design thinking approach, we demonstrate the software platform IKE and its process framework for persona development, which facilitate a fast, effective, and relatively inexpensive way to inform design decisions, such as those needed to encourage and enable users to effectively utilize security features. The IKE software platform not only facilitates a deeper understanding of user needs but also provides a Key performance Indicator (KPI) that can measure an organizations’ performance in gauging its target market evolving security needs.

Understanding customers and what their needs are is paramount to the success of any organization. In security and privacy industry, users and their needs vary drastically depending on various factors like age, education, technology use, etc. Persona development is one of the useful tools to capture these needs. It can reveal security needs, pain points, habits, security challenges, etc. of the user base. The traditional approach to persona development is rigorous but time-consuming and resource-intensive. It doesn't account for fast changes in the technological world of privacy and security. These personas become outdated as soon as they are developed. At UXDM lab, we created a unique approach to persona development. We also developed a software platform called IKE for developing and managing personas. IKE treats personas as living documents to make effective design decisions and to follow evolving user needs over time.

{{2019_BASC:Presentaton_Info_Template|How to Talk to Humans|Kitty Huang and Roy Wattanasin| | | }}
Do you feel frustrated sometimes trying to help non-technical users? Do you find it challenging asking for more resources from management? Effective communication can help IT professionals to be more productive and be heard. This workshop demonstrates communication skills through scenarios that IT security engineers encounter regularly. We will decode written and verbal scripts by technical engineers and translate them into a communication style that non-technical people can understand and appreciate. These cases include asking for more resources from upper management, making a suggestion to implement better security, and verifying the legitimacy of an email with an employee. Excessive workload, pressing deadlines and the lack of support can make IT engineers feel exhausted, hopeless and frustrated. This workshop provides perspectives on viewing various work situations in a different light.

== Afternoon Workshops ==

{{2019_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and proposing Countermeasures, and learn how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with the latest updates in Threat Modeling process, tools, etc.

'''''Laptop recommended for some labs, but not required.'''''

{{2019_BASC:Presentaton_Info_Template|Effective Threat Modeling with CTM|Izar Tarandach| | | }}
Recently Autodesk open-sourced our Continuous Threat Modeling methodology, which aims to enable product teams to threat model every story in a quick and focused manner in order to scale the ability of an organization to keep up with rapid product changes, and enable developers to acquire a security "muscle memory" ability to really infuse their practices with security design capabilities.

In this course you will learn how to perform and enable Continuous Threat Modeling in your organization and provide support to the learning curve of your product teams as a security SME.

CTM is available at https://github.com/Autodesk/continuous-threat-modeling
A threat-modeling-as-code tool will also be introduced, available at https://github.com/izar/pytm

'''''If you are new to the discipline of Threat Modeling we highly advise participating in the earlier Threat Modeling Workshop by Robert Hurlbut in order to solidify your understanding of the subject.'''''

{{2019_BASC:Presentaton_Info_Template|AWS Cloud Security Fundamentals|Joshua Dow and Rami McCarthy | | | }}
As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

* Security Hub
* Trusted Advisor
* CloudTrail
* Inspector
* GuardDuty
* Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.

'''''Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.'''''



{{2019_BASC:Footer_Template|Workshops}}

2019 BASC Presentations

2019-10-14T19:01:53Z

Laberdale: Fix Ahmadi description

{{2019_BASC:Header_Template|Presentations}}

__FORCETOC__
We would like to thank our speakers for donating their time and effort to help make this conference successful.

{{2019_BASC:Presentaton_Info_Template|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool| | | }}
Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.

{{2019_BASC:Presentaton_Info_Template|OWASP Serverless Top 10|Tal Melamed| | | }}
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

{{2019_BASC:Presentaton_Info_Template|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo| | | }}
This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It’s time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

{{2019_BASC:Presentaton_Info_Template|Critical Thinking in Cybersecurity|Kristin Dahl| | | }}
Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.

We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?

Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.

{{2019_BASC:Presentaton_Info_Template|Defending against the Acceleration of Client-Side Website Attacks|Aanand Krishnan| | | }}
The acceleration of attacks leading to the theft of private customer information, financial transaction data and disruptions to user experience are the number one threat to digital commerce. These attacks include first and third-party JavaScript/supply chain compromises, cross-site scripting (XSS), ad injections and other forms of client-side attacks. Client-side website attacks like Magecart have mostly targeted eCommerce sites with the sole purpose of stealing credit card info. Unfortunately, the reality is that the same attack vector – malicious JavaScript supply chain attacks – could be used to steal user banking credentials, PII data, healthcare data, or just about any information that users enter into a browser. Nearly every website is vulnerable.
Key Takeaways: Learn about the myriad of attack vectors threat-actors can leverage to compromise a website;
Learn about the standards-based, native website security controls most often recommended by security practitioners to secure your customer’s website experience; Learn about the compliance standards that require consideration for the website experience you provide to your customers.

{{2019_BASC:Presentaton_Info_Template|Open Source Security on a Shoestring|Paulina Valdivieso| | | }}
Securing assets is a difficult job without the appropriate support, be it from your superiors or having access to resources: getting what you need can be challenging, but that is no excuse to not securing it. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.

This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers from knowing alternatives to the increasingly costly solutions in the market.

{{2019_BASC:Presentaton_Info_Template|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker| | | }}
Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation request, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away with armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: Responding to vulnerabilities reported via social media; How to minimize the chances of your vulnerabilities ending up on Twitter; Tips for keeping the press out of your bug reporting workflow; Prepare your company to talk to a hacker who is requesting cash; De-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and How to advocate for security researchers without losing friends or your job.

{{2019_BASC:Presentaton_Info_Template|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei| | | }}
Android is by far the leading operating system in smartphones. As of March 2019, 51% of US smartphone subscribers were using a Google Android device. This percentage is much higher in an international scale. Also, there are currently more than 2 million Android applications on the official Google Market, known as Google Play. As most of the functionalities of smartphones are provided to users via applications, this huge market with billions of users is tempting for attackers to develop and distribute their malicious applications (or malware).

Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Thus, detecting malicious and potentially risky applications in the Android platform is of the utmost importance. During this talk, I will summarize different automated techniques proposed for Android malware detection and risk assessment. Along with this, I will discuss how adversaries have tried to bypass these mechanisms.

{{2019_BASC:Presentaton_Info_Template|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Artie Jurgenson| | | }}
As nimble organizations deliver new innovations, adversaries are also upping their game; something we’ve seen in recent high profile and devastating cyber attacks. Bad actors have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If we don’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll always be at the hackers’ mercy. This session will provide new research on the above, and details on how to get started.

Key takeaways: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks; Key insights from the 2019 DevSecOps community report - including the top investments for automated security; A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite; Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain; How automating security of policies makes it harder to ignore.

{{2019_BASC:Presentaton_Info_Template|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi and Reza Mirzazade Farkhani| | | }}
Machine learning has shown success in detecting known types of software vulnerabilities in recent years, but they mostly need extensive specimens to train their models.

As a new alternative to such approaches, we present a learning-based technique that can identify potentially buggy code snippets which deviate from most of the code snippets implementing similar functionalities. Our approach learns from a codebase itself without the need for the cumbersome task of gathering and cleansing training samples. The core idea is that various kinds of bugs can be viewed as inconsistencies that deviate from non-buggy code that implement the same or similar logic.

More specifically, we design a two-step clustering technique to find functionally-similar yet inconsistent code in software. We implemented our system on top of LLVM, which makes our approach language-agnostic.

We evaluated our tool on 4 popular open source security software codebases, such as OpenSSL, OpenSSH, WolfSSL, and Mbedtls. Our tool discovered 10 new unique deep bugs, despite that some of these codebases are constantly undergoing vulnerability scans. All of the bugs have been confirmed by their developers and later fixed by either our pull requests or the developers.

How does the system work really? How easy to find bugs by our approach and how much manual effort does it need? What is a proper code granularity for detecting inconsistencies?

{{2019_BASC:Presentaton_Info_Template|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer and Rashmi Patil| | | }}
Ever gotten a pile of SAST findings and wondered - what now? How do you possibly trim the fat of uninteresting findings down to a manageable set and get to work making the world a safer place? We will talk about some easy tips on how to prioritize and isolate those results which matter the most to your organization.

{{2019_BASC:Presentaton_Info_Template|The User Experience of Information Security|Chris Chagnon and Ryan LaMarche| | | }}
Targeted and increasingly sophisticated attacks are growing in popularity. With spear-phishing, ransomware, and a slew of other user-oriented attacks, our information security, particularly our operational security, relies on having our users on board. But training end-users can be difficult, and our response to mitigating these attacks can sometimes come at a great expense to UX. This session delves into the User Experience of Information Security, and provides attendees with insights into how some of our best laid security measures might actually increase our vulnerability to future attacks.

{{2019_BASC:Footer_Template|Presentations}}

2019 BASC Speakers

2019-10-14T15:58:51Z

Laberdale: Fix Huang bio

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brad Giguere ===
'''Secure Code Warrior''' 
Brad Giguere is a Sales Engineer for Secure Code Warrior, a global security company that makes software development better and more secure. Giguere has worked in the technology and SAAS software industry for the majority of his career and is passionate about helping organizations better understand their business challenges and translating those into a solution tailored to meet their needs. He now focuses on empowering development teams to be the first line of defense in making security a highly visible piece of the SDLC.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. She is also a relationship coach. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security Lab (SecLab) at Northeastern University, working with Prof. Engin Kirda. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Speakers

2019-10-14T15:57:41Z

Laberdale: Fix Mairzaei bio

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brad Giguere ===
'''Secure Code Warrior''' 
Brad Giguere is a Sales Engineer for Secure Code Warrior, a global security company that makes software development better and more secure. Giguere has worked in the technology and SAAS software industry for the majority of his career and is passionate about helping organizations better understand their business challenges and translating those into a solution tailored to meet their needs. He now focuses on empowering development teams to be the first line of defense in making security a highly visible piece of the SDLC.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security Lab (SecLab) at Northeastern University, working with Prof. Engin Kirda. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Homepage

2019-10-12T15:24:05Z

Laberdale: Fixed typos

{{2019_BASC:Header_Template | Home}}

__NOTOC__
== Welcome ==
This is the homepage for the 2019 Boston Application Security Conference (BASC). Conference will take place 8:30am to 6:30pm on Saturday, October 19th at
* Location: [https://goo.gl/maps/MErChZ3cX5B2 5 Wayside Road Burlington, MA]

The BASC will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

NOTE: * Some workshops and training may have a separate fee.


== Registration ==

[https://www.eventbrite.com/e/boston-application-security-conference-basc-2019-tickets-71803643631 Register Here]

Registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited.

You may also register for one or more workshops, but workshop tickets are limited. Please be considerate of others and '''only register for a workshop if you plan to attend'''. If your plans change, please cancel your ticket to free the space up for others. Do not sign up for more than one session of the same workshop, or for workshops whose times overlap. If you do, conference organizers will cancel your ticket orders.

== Keynotes ==

'''The Internet Sucks. Should We Replace It?'''

'''Andy Ellis,''' Akamai

[[File:Andy-ellis_0532_1-2.jpg|left|frameless]]

50 years into the Internet, it’s become very clear that there are virtually no security goals designed into the underpinnings of the Internet, and even higher level protocols suffer from this lack. As a result, existing on the Internet makes the Wild West look like a tame environment. Should we attempt to redesign the Internet, and make it secure by default? Let’s explore the dystopian world of an alternate Internet, and see why the Internet we have might actually be the best Internet we could hope for.

Andy Ellis is Akamai’s Chief Security Officer, and his mission is “making the Internet suck less.” Governing cybersecurity, compliance, and safety for Akamai’s planetary-scale cloud platform since 2000, he has also designed and brought to market Akamai’s TLS acceleration network, its DDoS defense offerings, and several of the core technologies behind its security solutions. Andy has also guided Akamai’s IT transformation from a flat password-based network to a distributed, zero-trust enterprise based on strong authentication.

Andy is a graduate of MIT with a degree in computer science, and has served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.

Also active in Internet policy and governance circles, Andy has supported past and present Akamai CEOs in roles on the NIAC and NSTAC, as well as serving on the FCC’s Communications Security, Reliability, and Interoperability Council. He is an affiliate of Harvard’s Berkman Klein Center, and a guest lecturer in executive education at MIT and the Harvard Kennedy School. He is a frequent speaker on topics of Internet security, anthropocentric risk management, and security governance; and occasionally blogs at www.csoandy.com. He can be found on Twitter as @csoandy, where he discusses security, wine, American football, and hairstyling.

Andy is also an Advisor to YL Ventures’ YLV3 Fund, Uptycs, and Vulcan Cyber.

Andy has received The Spirit of Disneyland Award, The Wine Spectator’s Award of Excellence (as The Arlington Inn), the US Air Force Commendation Medal, and the CSO Compass Award.

'''Sandcastles in a Storm: Application Vulnerabilities and How They Weaken Our Organizations'''

'''Kevin Johnson,''' Secure Ideas

[[File:KevinJohnson.jpg|175px|left|frameless]]

In this presentation Kevin will walk through some of the issues we face as we move more and more of our life into applications and the Internet of Things. We will explore the vulnerabilities, how they are attacked, and what it means to all of us.

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.

In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group)

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

== Details ==

* [[2019_BASC_Presentations | Presentations]]
* [[2019_BASC_Workshops | Workshops]]
* [[2019_BASC_Speakers | Speakers]]
* [[2019_BASC_Agenda | Agenda]]
* Twitter: Follow [https://twitter.com/BASConf @BASConf] @[https://twitter.com/owaspboston OWASPBoston] HashTag: #basc2019

== OWASP Boston Chapter ==
BASC is presented by the [https://www.owasp.org/index.php/Boston OWASP Boston] chapter.

{{2019_BASC:Footer_Template | Welcome}}

2019 BASC Homepage

2019-10-10T16:10:28Z

Laberdale: Not accepting any more sponsors.

{{2019_BASC:Header_Template | Home}}

__NOTOC__
== Welcome ==
This is the homepage for the 2019 Boston Application Security Conference (BASC). Conference will take place 8:30am to 6:30pm on Saturday, October 19th at
* Location: [https://goo.gl/maps/MErChZ3cX5B2 5 Wayside Road Burlington, MA]

The BASC will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

NOTE: * Some workshops and training may have a separate fee.


== Registration ==

[https://www.eventbrite.com/e/boston-application-security-conference-basc-2019-tickets-71803643631 Register Here]

Registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited.

You may also register for one or more workshops, but workshop tickets are limited. Please be considerate of others and '''only register for a workshop if you plan to attend'''. If your plans change, please cancel your ticket to free the space up for others. Do not sign up for more than one session of the same workshop, or for workshops whose times overlap. If you do, conference organizers will cancel your ticket orders.

== Keynotes ==

'''The Internet Sucks. Should we replace it?'''

'''Andy Ellis,''' Akamai

[[File:Andy-ellis_0532_1-2.jpg|left|frameless]]

50 years into the Internet, it’s become very clear that there are virtually no security goals designed into the underpinnings of the Internet, and even higher level protocols suffer from this lack. As a result, existing on the Internet makes the Wild West look like a tame environment. Should we attempt to redesign the Internet, and make it secure by default? Let’s explore the dystopian world of an alternate Internet, and see why the Internet we have might actually be the best Internet we could hope for.

Andy Ellis is Akamai’s Chief Security Officer, and his mission is “making the Internet suck less.” Governing cybersecurity, compliance, and safety for Akamai’s planetary-scale cloud platform since 2000, he has also designed and brought to market Akamai’s TLS acceleration network, its DDoS defense offerings, and several of the core technologies behind its security solutions. Andy has also guided Akamai’s IT transformation from a flat password-based network to a distributed, zero-trust enterprise based on strong authentication.

Andy is a graduate of MIT with a degree in computer science, and has served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.

Also active in Internet policy and governance circles, Andy has supported past and present Akamai CEOs in roles on the NIAC and NSTAC, as well as serving on the FCC’s Communications Security, Reliability, and Interoperability Council. He is an affiliate of Harvard’s Berkman Klein Center, and a guest lecturer in executive education at MIT and the Harvard Kennedy School. He is a frequent speaker on topics of Internet security, anthropocentric risk management, and security governance; and occasionally blogs at www.csoandy.com. He can be found on Twitter as @csoandy, where he discusses security, wine, American football, and hairstyling.

Andy is also an Advisor to YL Ventures’ YLV3 Fund, Uptycs, and Vulcan Cyber.

Andy has received The Spirit of Disneyland Award, The Wine Spectator’s Award of Excellence (as The Arlington Inn), the US Air Force Commendation Medal, and the CSO Compass Award.

'''Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations'''

'''Kevin Johnson,''' Secure Ideas

[[File:KevinJohnson.jpg|175px|left|frameless]]

In this presentation Kevin will walk through some of the issues we face as we move more and more of our life into applications and the Internet of Things. We will explore the vulnerabilities, how they are attacked, and what it means to all of us.

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.

In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group)

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

== Details ==

* [[2019_BASC_Presentations | Presentations]]
* [[2019_BASC_Workshops | Workshops]]
* [[2019_BASC_Speakers | Speakers]]
* [[2019_BASC_Agenda | Agenda]]
* Twitter: Follow [https://twitter.com/BASConf @BASConf] @[https://twitter.com/owaspboston OWASPBoston] HashTag: #basc2019

== OWASP Boston Chapter ==
BASC is presented by the [https://www.owasp.org/index.php/Boston OWASP Boston] chapter.

{{2019_BASC:Footer_Template | Welcome}}

2019 BASC Agenda

2019-10-04T03:55:34Z

Laberdale: Create Agenda

{{2019_BASC:Header_Template | Agenda}}


__FORCETOC__

 
 

= Presentations =


{| style="width:80%" border="0" align="center"
! colspan="3" align="center" |
<table>
<tr>
<td>
[[File:OWASP Logo.gif]] 
</td>
<td>
'''Presentations OWASP Boston Application Security Conference Saturday, October 19, 2019'''
</td>
</tr>
</table>
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 8:30-9:30
| colspan="7" style="width:80%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Breakfast and Registration''' 
provided by our Platinum Sponsor 
'''[https://www.whitehatsec.com/ WhiteHat Security]''' 
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 09:00-09:50
| colspan="6" style="width:80%; margin:10px; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Opening Keynote''' 
'''[[2019_BASC_Homepage#Keynotes|The Internet Sucks. Should we replace it?]]''' 
'''[[2019_BASC_Homepage#Keynotes|Andy Ellis]]''' 

|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" | || align="center" style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Washington/Jefferson Room'''
| align="center" style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Adams Room'''
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 10:00-10:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|OWASP Serverless Top 10|Tal Melamed }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 11:00-11:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Critical Thinking in Cybersecurity|Kristin Dahl }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 12:00-1:00 || colspan="2" style="background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
'''Lunch''' 
provided by our Platinum Sponsor 
'''[https://www.ordr.net/ Ordr]''' 
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 1:00-1:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Defending against the Acceleration of Client-Side Website Attacks|Aanand Krishnan }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Open Source Security on a Shoestring|Paulina Valdivieso }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 2:00-2:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer & Rashmi Patil }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 3:00-3:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Artie Jurgenson }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi & Reza Mirzazade Farkhani }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 4:00-4:50
| style="width:30%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|The User Experience of Information Security|Chris Chagnon & Ryan LaMarche }}
| style="width:30%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentation_Agenda_Template|Presentation|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 5:00-5:30
| colspan="2" style="width:30%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width: 1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
'''Social Time''' 
provided by our Platinum Sponsor 
'''[https://www.nccgroup.trust/ NCC Group]''' 
|-
| rowspan="2" style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 1px; border-left-width: 0px; border-bottom-width: 1px" align="center" | 5:30-6:30
| colspan="2" style="width:30%; background:#background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | '''Closing Keynote''' 
'''[[2019_BASC_Homepage#Keynotes|Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations]]''' 
'''[[2019_BASC_Homepage#Keynotes|Kevin Johnson]]'''
|-
| colspan="2" style="width:30%; background:#background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" | '''Raffle''' 
'''Wrap Up'''
 
|}



= Workshops =

{| style="width:80%" border="0" align="center"
! colspan="7" align="center" |
<table>
<tr>
<td>
[[File:OWASP Logo.gif]] 
</td>
<td>
'''Workshops OWASP Boston Application Security Conference Saturday, October 19, 2019'''
</td>
</tr>
</table>
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" |
| align="center" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Attitash'''
| align="center" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Monroe'''
| align="center" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Cannon'''
| align="center" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Bretton Woods'''
| align="center" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Jay Peak'''
| align="center" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" | '''Cranmore'''
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 10:00-10:50
| rowspan="2" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Resume_Agenda_Template|Session 1 }}
| rowspan="6" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|CMD+CTRL Cyber Range|Chad Holmes }}
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|Capture Ever-Evolving Security Needs of Users with IKE & Proto-Research Persona Development|Prateek Jain & Ryan Lamarche }}
| rowspan="2" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|The Ultimate Secure Coding Showdown|Brad Giguere }}
| rowspan="2" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|How to Talk to Humans|Kitty Huang & Roy Wattanasin }}
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Workshop_Agenda_Template|Presentation|Zero to Hero: Intro to Web App Pentesting|Carson Owlett & Gabrielle Hempel }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 11:00-11:50
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 1:00-1:50
| rowspan="4" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Resume_Agenda_Template|Session 2 }}
| rowspan="5" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" |
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|Threat Modeling Workshop|Robert Hurlbut }}
| rowspan="5" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" |
| rowspan="4" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|AWS Cloud Security Fundamentals|Joshua Dow & Rami McCarthy }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 2:00-2:50
| rowspan="1" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | 3:00-3:50
| rowspan="2" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" | {{2019_BASC:Presentaton_Agenda_Template|Workshop|Effective Threat Modeling with CTM|Izar Tarandach }}
|-
| style="width:10%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 1px" align="center" | 4:00-4:50
| style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFBDF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#FFFFFF; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
| rowspan="1" style="width:15%; background:#F8F8ED; border-style: solid; border-color: #D2D2D2; border-top-width:1px; border-right-width: 0px; border-left-width: 0px; border-bottom-width: 0px" align="center" |
|}

{{2019_BASC:Footer_Template | Agenda}}

Template:2019 BASC:Workshop Agenda Template

2019-10-04T02:53:37Z

Laberdale: Created page with "<!-- Parameters: 1=Caption. For example, "Presentation", or "Breakfast" 2=Presentation Name __EXACTLY__ as it appears on the presentation page 3=Presenta..."

<div style="margin:0px;">
[[2019_BASC_Workshops#{{{2}}}|{{{2}}}]] 
[[2019_BASC_Speakers#{{{3}}}|{{{3}}}]] 
</div>

Template:2019 BASC:Resume Agenda Template

2019-10-04T02:52:21Z

Laberdale: Created page with "<!-- Parameters: 1=Caption. For example, "Presentation", or "Breakfast" 2=Presentation Name __EXACTLY__ as it appears on the presentation page 3=Presenta..."

<div style="margin:0px;">
[[2019_BASC_Resume_Room|CyberSN Career Center]] 
{{{1}}} 
</div>

Template:2019 BASC:Presentation Agenda Template

2019-10-04T02:40:27Z

Laberdale: Create template

<div style="margin:0px;">
[[2019_BASC_Presentations#{{{2}}}|{{{2}}}]] 
[[2019_BASC_Speakers#{{{3}}}|{{{3}}}]] 
</div>

Template:2019 BASC:Presentaton Agenda Template

2019-10-04T02:36:10Z

Laberdale: Create template

<div style="margin:0px;">
[[2019_BASC_Presentations#{{{2}}}|{{{2}}}]] 
[[2019_BASC_Speakers#{{{3}}}|{{{3}}}]] 
</div>

2019 BASC Speakers

2019-10-03T16:54:51Z

Laberdale: Update speakers

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brad Giguere ===
'''Secure Code Warrior''' 
Brad Giguere is a Sales Engineer for Secure Code Warrior, a global security company that makes software development better and more secure. Giguere has worked in the technology and SAAS software industry for the majority of his career and is passionate about helping organizations better understand their business challenges and translating those into a solution tailored to meet their needs. He now focuses on empowering development teams to be the first line of defense in making security a highly visible piece of the SDLC.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Workshops

2019-10-03T16:53:22Z

Laberdale: Update workshop leaders

{{2019_BASC:Header_Template | Workshops}}

__FORCETOC__
We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

== All-Day Workshop ==
{{2019_BASC:Presentaton_Info_Template|CMD+CTRL Cyber Range|Chad Holmes| | | }}
Want to test your skills in identifying web app vulnerabilities? Join OWASP Boston and Security Innovation as members compete in [https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/ CMD+CTRL] a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

When you register for BASC and select to attend this CMD+CTRL Cyber Range workshop, a link will be provided so you can reserve your spot with Security Innovation. Spaces are limited. Register early to reserve your spot!

== Morning Workshops ==

{{2019_BASC:Presentaton_Info_Template|The Ultimate Secure Coding Showdown|Brad Giguere| | | }}
Are. You. Ready? Head to the AppSec battlefield and prove that you are the ultimate secure coding champion. Go head-to-head with your peers as you test your web application security knowledge of the OWASP Top 10. Strut your skills. Crush the competition. Score excellent prizes and take home the title of Secure Code Warrior!

Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability. Select from a range of software languages to complete the tournament, including Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django, Scala Play & Node.JS. It’s gamified, it’s relevant, but most of all - it’s fun.

Watch as you earn points and climb to the top of the real-time leaderboard during the event. Prizes will be awarded to the top 3 point scorers, with one security superhero being crowned the ultimate Secure Code Warrior. Will it be you?

Psst: Want to test your secure coding skills at your own pace, without the competition? You’re welcome to come along and join the fun.

'''''Participants must bring a laptop.'''''

{{2019_BASC:Presentaton_Info_Template|Zero to Hero: Intro to Web App Pentesting|Carson Owlett and Gabrielle Hempel| | | }}
As more information and functionality moves to the internet, the interface between end users and web application servers becomes increasingly vulnerable. Because of these visible vulnerabilities, penetration testing skills are in high demand; however, courses catering to beginners and those wanting to get a “foot in the door” are scarce. In this workshop, you can utilize a custom environment and expertise in order to begin your journey into offensive security. We will focus on four areas of web application penetration testing: injection, XSS, XXE, and insecure deserialization. This course welcomes total beginners and will be largely oriented towards those wanting to build a foundation in web application pentesting.

'''''Users should have a laptop equipped with BurpSuite.'''''

{{2019_BASC:Presentaton_Info_Template|Capture Ever-Evolving Security Needs of Users with IKE and Proto-Research Persona Development|Prateek Jain and Ryan Lamarche| | | }}
In this workshop, grounded in design thinking approach, we demonstrate the software platform IKE and its process framework for persona development, which facilitate a fast, effective, and relatively inexpensive way to inform design decisions, such as those needed to encourage and enable users to effectively utilize security features. The IKE software platform not only facilitates a deeper understanding of user needs but also provides a Key performance Indicator (KPI) that can measure an organizations’ performance in gauging its target market evolving security needs.

Understanding customers and what their needs are is paramount to the success of any organization. In security and privacy industry, users and their needs vary drastically depending on various factors like age, education, technology use, etc. Persona development is one of the useful tools to capture these needs. It can reveal security needs, pain points, habits, security challenges, etc. of the user base. The traditional approach to persona development is rigorous but time-consuming and resource-intensive. It doesn't account for fast changes in the technological world of privacy and security. These personas become outdated as soon as they are developed. At UXDM lab, we created a unique approach to persona development. We also developed a software platform called IKE for developing and managing personas. IKE treats personas as living documents to make effective design decisions and to follow evolving user needs over time.

{{2019_BASC:Presentaton_Info_Template|How to Talk to Humans|Kitty Huang and Roy Wattanasin| | | }}
Do you feel frustrated sometimes trying to help non-technical users? Do you find it challenging asking for more resources from management? Effective communication can help IT professionals to be more productive and be heard. This workshop demonstrates communication skills through scenarios that IT security engineers encounter regularly. We will decode written and verbal scripts by technical engineers and translate them into a communication style that non-technical people can understand and appreciate. These cases include asking for more resources from upper management, making a suggestion to implement better security, and verifying the legitimacy of an email with an employee. Excessive workload, pressing deadlines and the lack of support can make IT engineers feel exhausted, hopeless and frustrated. This workshop provides perspectives on viewing various work situations in a different light.

== Afternoon Workshops ==

{{2019_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and proposing Countermeasures, and learn how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with the latest updates in Threat Modeling process, tools, etc.

'''''Laptop recommended for some labs, but not required.'''''

{{2019_BASC:Presentaton_Info_Template|Effective Threat Modeling with CTM|Izar Tarandach| | | }}
Recently Autodesk open-sourced our Continuous Threat Modeling methodology, which aims to enable product teams to threat model every story in a quick and focused manner in order to scale the ability of an organization to keep up with rapid product changes, and enable developers to acquire a security "muscle memory" ability to really infuse their practices with security design capabilities.

In this course you will learn how to perform and enable Continuous Threat Modeling in your organization and provide support to the learning curve of your product teams as a security SME.

CTM is available at https://github.com/Autodesk/continuous-threat-modeling
A threat-modeling-as-code tool will also be introduced, available at https://github.com/izar/pytm

'''''If you are new to the discipline of Threat Modeling we highly advise participating in the earlier Threat Modeling Workshop by Robert Hurlbut in order to solidify your understanding of the subject.'''''

{{2019_BASC:Presentaton_Info_Template|AWS Cloud Security Fundamentals|Joshua Dow and Rami McCarthy | | | }}
As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

* Security Hub
* Trusted Advisor
* CloudTrail
* Inspector
* GuardDuty
* Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.

'''''Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.'''''



{{2019_BASC:Footer_Template|Workshops}}

Template:2019 BASC:Sponsor Bar Template

2019-10-03T16:50:46Z

Laberdale: Update sponsors

File:SON logo main@2x (1).png

2019-10-03T14:58:46Z

Laberdale:

Template:2019 BASC:Sponsor Bar Template

2019-10-03T14:57:21Z

Laberdale: Add more sponsors

2019 BASC Speakers

2019-09-30T00:23:00Z

Laberdale: Swap Joel Carson for Brad Giguere

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brad Giguere ===
'''Secure Code Warrior''' 
Brad Giguere is a Sales Engineer for Secure Code Warrior, a global security company that makes software development better and more secure. Giguere has worked in the technology and SAAS software industry for the majority of his career and is passionate about helping organizations better understand their business challenges and translating those into a solution tailored to meet their needs. He now focuses on empowering development teams to be the first line of defense in making security a highly visible piece of the SDLC.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Homepage

2019-09-27T13:28:15Z

Laberdale: Add Registration Link

{{2019_BASC:Header_Template | Home}}

__NOTOC__
== Welcome ==
This is the homepage for the 2019 Boston Application Security Conference (BASC). Conference will take place 8:30am to 6:30pm on Saturday, October 19th at
* Location: [https://goo.gl/maps/MErChZ3cX5B2 5 Wayside Road Burlington, MA]

The BASC will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

NOTE: * Some workshops and training may have a separate fee.


== Registration ==

[https://www.eventbrite.com/e/boston-application-security-conference-basc-2019-tickets-71803643631 Register Here]

Registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited.

You may also register for one or more workshops, but workshop tickets are limited. Please be considerate of others and '''only register for a workshop if you plan to attend'''. If your plans change, please cancel your ticket to free the space up for others. Do not sign up for more than one session of the same workshop, or for workshops whose times overlap. If you do, conference organizers will cancel your ticket orders.

== Keynotes ==

'''The Internet Sucks. Should we replace it?'''

'''Andy Ellis,''' Akamai

[[File:Andy-ellis_0532_1-2.jpg|left|frameless]]

50 years into the Internet, it’s become very clear that there are virtually no security goals designed into the underpinnings of the Internet, and even higher level protocols suffer from this lack. As a result, existing on the Internet makes the Wild West look like a tame environment. Should we attempt to redesign the Internet, and make it secure by default? Let’s explore the dystopian world of an alternate Internet, and see why the Internet we have might actually be the best Internet we could hope for.

Andy Ellis is Akamai’s Chief Security Officer, and his mission is “making the Internet suck less.” Governing cybersecurity, compliance, and safety for Akamai’s planetary-scale cloud platform since 2000, he has also designed and brought to market Akamai’s TLS acceleration network, its DDoS defense offerings, and several of the core technologies behind its security solutions. Andy has also guided Akamai’s IT transformation from a flat password-based network to a distributed, zero-trust enterprise based on strong authentication.

Andy is a graduate of MIT with a degree in computer science, and has served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.

Also active in Internet policy and governance circles, Andy has supported past and present Akamai CEOs in roles on the NIAC and NSTAC, as well as serving on the FCC’s Communications Security, Reliability, and Interoperability Council. He is an affiliate of Harvard’s Berkman Klein Center, and a guest lecturer in executive education at MIT and the Harvard Kennedy School. He is a frequent speaker on topics of Internet security, anthropocentric risk management, and security governance; and occasionally blogs at www.csoandy.com. He can be found on Twitter as @csoandy, where he discusses security, wine, American football, and hairstyling.

Andy is also an Advisor to YL Ventures’ YLV3 Fund, Uptycs, and Vulcan Cyber.

Andy has received The Spirit of Disneyland Award, The Wine Spectator’s Award of Excellence (as The Arlington Inn), the US Air Force Commendation Medal, and the CSO Compass Award.

'''Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations'''

'''Kevin Johnson,''' Secure Ideas

[[File:KevinJohnson.jpg|175px|left|frameless]]

In this presentation Kevin will walk through some of the issues we face as we move more and more of our life into applications and the Internet of Things. We will explore the vulnerabilities, how they are attacked, and what it means to all of us.

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.

In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group)

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

== Details ==

* Only Silver Sponsorships Remain [https://www.owasp.org/images/9/94/BASCSponsorship2019.pdf Sponsorship Kit]
* [[2019_BASC_Presentations | Presentations]]
* [[2019_BASC_Workshops | Workshops]]
* [[2019_BASC_Speakers | Speakers]]
* [[2019_BASC_Agenda | Agenda]]
* Twitter: Follow [https://twitter.com/BASConf @BASConf] @[https://twitter.com/owaspboston OWASPBoston] HashTag: #basc2019

== OWASP Boston Chapter ==
BASC is presented by the [https://www.owasp.org/index.php/Boston OWASP Boston] chapter.

{{2019_BASC:Footer_Template | Welcome}}

2019 BASC Speakers

2019-09-23T15:20:30Z

Laberdale: Add Chad Holmes

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Chad Holmes ===
'''Security Innovation''' 
Chad Holmes is a Product Marketing Manager for Security Innovation with a focus on educating customers on emerging Cyber Range technologies and how they can improve security education within organizations. Prior to joining Security Innovation Chad was a Penetration Tester, Product Manager, Security Program Manager and team lead at Cigital, Veracode and Red Hat.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Workshops

2019-09-23T15:12:05Z

Laberdale: Add CMD+CTRL

{{2019_BASC:Header_Template | Workshops}}

__FORCETOC__
We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

== All-Day Workshop ==
{{2019_BASC:Presentaton_Info_Template|CMD+CTRL Cyber Range|Chad Holmes| | | }}
Want to test your skills in identifying web app vulnerabilities? Join OWASP Boston and Security Innovation as members compete in [https://www.securityinnovation.com/training/cmd-ctrl-cyber-range-security-training/ CMD+CTRL] a web application cyber range where players exploit their way through hundreds of vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense is all about thinking on your feet.

For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win fantastic prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization’s data secure can play - from developers and managers and even CISOs.

When you register for BASC and select to attend this CMD+CTRL Cyber Range workshop, a link will be provided so you can reserve your spot with Security Innovation. Spaces are limited. Register early to reserve your spot!

== Morning Workshops ==

{{2019_BASC:Presentaton_Info_Template|The Ultimate Secure Coding Showdown|Joel Carlson| | | }}
Are. You. Ready? Head to the AppSec battlefield and prove that you are the ultimate secure coding champion. Go head-to-head with your peers as you test your web application security knowledge of the OWASP Top 10. Strut your skills. Crush the competition. Score excellent prizes and take home the title of Secure Code Warrior!

Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability. Select from a range of software languages to complete the tournament, including Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django, Scala Play & Node.JS. It’s gamified, it’s relevant, but most of all - it’s fun.

Watch as you earn points and climb to the top of the real-time leaderboard during the event. Prizes will be awarded to the top 3 point scorers, with one security superhero being crowned the ultimate Secure Code Warrior. Will it be you?

Psst: Want to test your secure coding skills at your own pace, without the competition? You’re welcome to come along and join the fun.

'''''Participants must bring a laptop.'''''

{{2019_BASC:Presentaton_Info_Template|Zero to Hero: Intro to Web App Pentesting|Carson Owlett and Gabrielle Hempel| | | }}
As more information and functionality moves to the internet, the interface between end users and web application servers becomes increasingly vulnerable. Because of these visible vulnerabilities, penetration testing skills are in high demand; however, courses catering to beginners and those wanting to get a “foot in the door” are scarce. In this workshop, you can utilize a custom environment and expertise in order to begin your journey into offensive security. We will focus on four areas of web application penetration testing: injection, XSS, XXE, and insecure deserialization. This course welcomes total beginners and will be largely oriented towards those wanting to build a foundation in web application pentesting.

'''''Users should have a laptop equipped with BurpSuite.'''''

{{2019_BASC:Presentaton_Info_Template|Capture Ever-Evolving Security Needs of Users with IKE and Proto-Research Persona Development|Prateek Jain and Ryan Lamarche| | | }}
In this workshop, grounded in design thinking approach, we demonstrate the software platform IKE and its process framework for persona development, which facilitate a fast, effective, and relatively inexpensive way to inform design decisions, such as those needed to encourage and enable users to effectively utilize security features. The IKE software platform not only facilitates a deeper understanding of user needs but also provides a Key performance Indicator (KPI) that can measure an organizations’ performance in gauging its target market evolving security needs.

Understanding customers and what their needs are is paramount to the success of any organization. In security and privacy industry, users and their needs vary drastically depending on various factors like age, education, technology use, etc. Persona development is one of the useful tools to capture these needs. It can reveal security needs, pain points, habits, security challenges, etc. of the user base. The traditional approach to persona development is rigorous but time-consuming and resource-intensive. It doesn't account for fast changes in the technological world of privacy and security. These personas become outdated as soon as they are developed. At UXDM lab, we created a unique approach to persona development. We also developed a software platform called IKE for developing and managing personas. IKE treats personas as living documents to make effective design decisions and to follow evolving user needs over time.

{{2019_BASC:Presentaton_Info_Template|How to Talk to Humans|Kitty Huang and Roy Wattanasin| | | }}
Do you feel frustrated sometimes trying to help non-technical users? Do you find it challenging asking for more resources from management? Effective communication can help IT professionals to be more productive and be heard. This workshop demonstrates communication skills through scenarios that IT security engineers encounter regularly. We will decode written and verbal scripts by technical engineers and translate them into a communication style that non-technical people can understand and appreciate. These cases include asking for more resources from upper management, making a suggestion to implement better security, and verifying the legitimacy of an email with an employee. Excessive workload, pressing deadlines and the lack of support can make IT engineers feel exhausted, hopeless and frustrated. This workshop provides perspectives on viewing various work situations in a different light.

== Afternoon Workshops ==

{{2019_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and proposing Countermeasures, and learn how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with the latest updates in Threat Modeling process, tools, etc.

'''''Laptop recommended for some labs, but not required.'''''

{{2019_BASC:Presentaton_Info_Template|Effective Threat Modeling with CTM|Izar Tarandach and Allison Schoenfield| | | }}
Recently Autodesk open-sourced our Continuous Threat Modeling methodology, which aims to enable product teams to threat model every story in a quick and focused manner in order to scale the ability of an organization to keep up with rapid product changes, and enable developers to acquire a security "muscle memory" ability to really infuse their practices with security design capabilities.

In this course you will learn how to perform and enable Continuous Threat Modeling in your organization and provide support to the learning curve of your product teams as a security SME.

CTM is available at https://github.com/Autodesk/continuous-threat-modeling
A threat-modeling-as-code tool will also be introduced, available at https://github.com/izar/pytm

'''''If you are new to the discipline of Threat Modeling we highly advise participating in the earlier Threat Modeling Workshop by Robert Hurlbut in order to solidify your understanding of the subject.'''''

{{2019_BASC:Presentaton_Info_Template|AWS Cloud Security Fundamentals|Joshua Dow and Rami McCarthy | | | }}
As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

* Security Hub
* Trusted Advisor
* CloudTrail
* Inspector
* GuardDuty
* Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.

'''''Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.'''''



{{2019_BASC:Footer_Template|Workshops}}

2019 BASC Speakers

2019-09-20T20:50:35Z

Laberdale: Added Krishnan

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Aanand Krishnan ===
'''Tala Security''' 
Aanand Krishnan is the CEO and Founder of Tala Security. Most recently he held senior technical roles at Symantec. Aanand spent several years in M&A and investment banking at Morgan Stanley and Dolby Labs acting as an adviser to leading security software, semiconductor and clean-tech companies. He started his career building high-speed optical networking products at Agilent Technologies. Aanand holds an MBA from Berkeley where he was a recipient of CJ White Fellowship, a Masters in Photonics and Optoelectronics from UC Santa Barbara where he was a QUEST Fellow and a Bachelors in Electrical Engineering with Honors from BITS, Pilani.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Presentations

2019-09-20T20:47:50Z

Laberdale: Add Krishnan talk

{{2019_BASC:Header_Template|Presentations}}

__FORCETOC__
We would like to thank our speakers for donating their time and effort to help make this conference successful.

{{2019_BASC:Presentaton_Info_Template|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool| | | }}
Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.

{{2019_BASC:Presentaton_Info_Template|OWASP Serverless Top 10|Tal Melamed| | | }}
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

{{2019_BASC:Presentaton_Info_Template|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo| | | }}
This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It’s time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

{{2019_BASC:Presentaton_Info_Template|Critical Thinking in Cybersecurity|Kristin Dahl| | | }}
Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.

We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?

Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.

{{2019_BASC:Presentaton_Info_Template|Defending against the Acceleration of Client-Side Website Attacks|Aanand Krishnan| | | }}
The acceleration of attacks leading to the theft of private customer information, financial transaction data and disruptions to user experience are the number one threat to digital commerce. These attacks include first and third-party JavaScript/supply chain compromises, cross-site scripting (XSS), ad injections and other forms of client-side attacks. Client-side website attacks like Magecart have mostly targeted eCommerce sites with the sole purpose of stealing credit card info. Unfortunately, the reality is that the same attack vector – malicious JavaScript supply chain attacks – could be used to steal user banking credentials, PII data, healthcare data, or just about any information that users enter into a browser. Nearly every website is vulnerable.
Key Takeaways: Learn about the myriad of attack vectors threat-actors can leverage to compromise a website;
Learn about the standards-based, native website security controls most often recommended by security practitioners to secure your customer’s website experience; Learn about the compliance standards that require consideration for the website experience you provide to your customers.

{{2019_BASC:Presentaton_Info_Template|Open Source Security on a Shoestring|Paulina Valdivieso| | | }}
Securing assets is a difficult job without the appropriate support, be it from your superiors or having access to resources: getting what you need can be challenging, but that is no excuse to not securing it. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.

This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers from knowing alternatives to the increasingly costly solutions in the market.

{{2019_BASC:Presentaton_Info_Template|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker| | | }}
Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation request, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away with armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: Responding to vulnerabilities reported via social media; How to minimize the chances of your vulnerabilities ending up on Twitter; Tips for keeping the press out of your bug reporting workflow; Prepare your company to talk to a hacker who is requesting cash; De-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and How to advocate for security researchers without losing friends or your job.

{{2019_BASC:Presentaton_Info_Template|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei| | | }}
Android is by far the leading operating system in smartphones. As of March 2019, 51% of US smartphone subscribers were using a Google Android device. This percentage is much higher in an international scale. Also, there are currently more than 2 million Android applications on the official Google Market, known as Google Play. As most of the functionalities of smartphones are provided to users via applications, this huge market with billions of users is tempting for attackers to develop and distribute their malicious applications (or malware).

Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Thus, detecting malicious and potentially risky applications in the Android platform is of the utmost importance. During this talk, I will summarize different automated techniques proposed for Android malware detection and risk assessment. Along with this, I will discuss how adversaries have tried to bypass these mechanisms.

{{2019_BASC:Presentaton_Info_Template|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Artie Jurgenson| | | }}
As nimble organizations deliver new innovations, adversaries are also upping their game; something we’ve seen in recent high profile and devastating cyber attacks. Bad actors have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If we don’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll always be at the hackers’ mercy. This session will provide new research on the above, and details on how to get started.

Key takeaways: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks; Key insights from the 2019 DevSecOps community report - including the top investments for automated security; A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite; Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain; How automating security of policies makes it harder to ignore.

{{2019_BASC:Presentaton_Info_Template|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi and Reza Mirzazade Farkhani| | | }}
Machine learning has shown success in detecting known types of software vulnerabilities in recent years, but they mostly need extensive specimens to train their models.

As a new alternative to such approaches, we present a learning-based technique that can identify potentially buggy code snippets which deviate from most of the code snippets implementing similar functionalities. Our approach learns from a codebase itself without the need for the cumbersome task of gathering and cleansing training samples. The core idea is that various kinds of bugs can be viewed as inconsistencies that deviate from non-buggy code that implement the same or similar logic.

More specifically, we design a two-step clustering technique to find functionally-similar yet inconsistent code in software. We implemented our system on top of LLVM, which makes our approach language-agnostic.

We evaluated our tool on 4 popular open source security software codebases, such as OpenSSL, OpenSSH, WolfSSL, and Mbedtls. Our tool discovered 10 new unique deep bugs (some are exploitable), despite that some of these codebases are constantly undergoing vulnerability scans. All of the bugs have been confirmed by their developers and later fixed by either our pull requests or the developers.

How does the system work really? How easy to find bugs by our approach and how much manual effort does it need? What is a proper code granularity for detecting inconsistencies?

{{2019_BASC:Presentaton_Info_Template|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer and Rashmi Patil| | | }}
Ever gotten a pile of SAST findings and wondered - what now? How do you possibly trim the fat of uninteresting findings down to a manageable set and get to work making the world a safer place? We will talk about some easy tips on how to prioritize and isolate those results which matter the most to your organization.

{{2019_BASC:Presentaton_Info_Template|The User Experience of Information Security|Chris Chagnon and Ryan LaMarche| | | }}
Targeted and increasingly sophisticated attacks are growing in popularity. With spear-phishing, ransomware, and a slew of other user-oriented attacks, our information security, particularly our operational security, relies on having our users on board. But training end-users can be difficult, and our response to mitigating these attacks can sometimes come at a great expense to UX. This session delves into the User Experience of Information Security, and provides attendees with insights into how some of our best laid security measures might actually increase our vulnerability to future attacks.

{{2019_BASC:Footer_Template|Presentations}}

Template:2019 BASC:Sponsor Bar Template

2019-09-19T21:53:25Z

Laberdale: Added Gold Netsparker

Template:2019 BASC:Sponsor Bar Template

2019-09-19T20:52:49Z

Laberdale: Added Platinum WhiteHat Security

File:WhiteHat Primary Logo 2COLOR HIRES.jpg

2019-09-19T20:50:40Z

Laberdale:

File:WhiteHat Logo Primary PANTONE for White Bkgrd.eps

2019-09-19T13:32:24Z

Laberdale:

Template:2019 BASC:Sponsor Bar Template

2019-09-19T13:26:04Z

Laberdale: Added Platinum Ordr Logo

File:Ordr Logo Tag.jpg

2019-09-19T13:22:13Z

Laberdale:

2019 BASC Speakers

2019-09-17T20:25:05Z

Laberdale: Changed Artie Jurgenson to 3rd person.

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
Artie Jurgenson is a Solution Architect at Sonatype. He spends his day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. Artie looks to resolve such redundancies both inside and out of his professional life which has led him down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Artie is happy to talk about any of the above at the reception.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Speakers

2019-09-17T20:21:21Z

Laberdale: Artie Jurgenson instead of Brian Fox

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Artie Jurgenson ===
'''Sonatype''' 
I spend my day to day working with companies small and large to apply the principles of DevSecOps and automation to their software development supply chains. This stems from an intense distaste of performing the same procedures more than once. I look to resolve such redundancies both inside and out of my professional life which has led me down pursuits including: implementation of CI/CD toolchains and workflows from completely manual build/deploy processes, development and automation of crypto/forex trading algorithms, front-end test and deployment automation, container orchestration, API development, and computational scientific research optimized for supercomputer clusters. Happy to talk about any of the above at the reception.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Presentations

2019-09-17T20:17:51Z

Laberdale: Brian Fox not avail so Artie Jurgenson in his place.

{{2019_BASC:Header_Template|Presentations}}

__FORCETOC__
We would like to thank our speakers for donating their time and effort to help make this conference successful.

{{2019_BASC:Presentaton_Info_Template|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool| | | }}
Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.

{{2019_BASC:Presentaton_Info_Template|OWASP Serverless Top 10|Tal Melamed| | | }}
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

{{2019_BASC:Presentaton_Info_Template|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo| | | }}
This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It’s time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

{{2019_BASC:Presentaton_Info_Template|Critical Thinking in Cybersecurity|Kristin Dahl| | | }}
Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.

We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?

Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.

{{2019_BASC:Presentaton_Info_Template|Open Source Security on a Shoestring|Paulina Valdivieso| | | }}
Securing assets is a difficult job without the appropriate support, be it from your superiors or having access to resources: getting what you need can be challenging, but that is no excuse to not securing it. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.

This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers from knowing alternatives to the increasingly costly solutions in the market.

{{2019_BASC:Presentaton_Info_Template|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker| | | }}
Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation request, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away with armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: Responding to vulnerabilities reported via social media; How to minimize the chances of your vulnerabilities ending up on Twitter; Tips for keeping the press out of your bug reporting workflow; Prepare your company to talk to a hacker who is requesting cash; De-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and How to advocate for security researchers without losing friends or your job.

{{2019_BASC:Presentaton_Info_Template|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei| | | }}
Android is by far the leading operating system in smartphones. As of March 2019, 51% of US smartphone subscribers were using a Google Android device. This percentage is much higher in an international scale. Also, there are currently more than 2 million Android applications on the official Google Market, known as Google Play. As most of the functionalities of smartphones are provided to users via applications, this huge market with billions of users is tempting for attackers to develop and distribute their malicious applications (or malware).

Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Thus, detecting malicious and potentially risky applications in the Android platform is of the utmost importance. During this talk, I will summarize different automated techniques proposed for Android malware detection and risk assessment. Along with this, I will discuss how adversaries have tried to bypass these mechanisms.

{{2019_BASC:Presentaton_Info_Template|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Artie Jurgenson| | | }}
As nimble organizations deliver new innovations, adversaries are also upping their game; something we’ve seen in recent high profile and devastating cyber attacks. Bad actors have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If we don’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll always be at the hackers’ mercy. This session will provide new research on the above, and details on how to get started.

Key takeaways: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks; Key insights from the 2019 DevSecOps community report - including the top investments for automated security; A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite; Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain; How automating security of policies makes it harder to ignore.

{{2019_BASC:Presentaton_Info_Template|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi and Reza Mirzazade Farkhani| | | }}
Machine learning has shown success in detecting known types of software vulnerabilities in recent years, but they mostly need extensive specimens to train their models.

As a new alternative to such approaches, we present a learning-based technique that can identify potentially buggy code snippets which deviate from most of the code snippets implementing similar functionalities. Our approach learns from a codebase itself without the need for the cumbersome task of gathering and cleansing training samples. The core idea is that various kinds of bugs can be viewed as inconsistencies that deviate from non-buggy code that implement the same or similar logic.

More specifically, we design a two-step clustering technique to find functionally-similar yet inconsistent code in software. We implemented our system on top of LLVM, which makes our approach language-agnostic.

We evaluated our tool on 4 popular open source security software codebases, such as OpenSSL, OpenSSH, WolfSSL, and Mbedtls. Our tool discovered 10 new unique deep bugs (some are exploitable), despite that some of these codebases are constantly undergoing vulnerability scans. All of the bugs have been confirmed by their developers and later fixed by either our pull requests or the developers.

How does the system work really? How easy to find bugs by our approach and how much manual effort does it need? What is a proper code granularity for detecting inconsistencies?

{{2019_BASC:Presentaton_Info_Template|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer and Rashmi Patil| | | }}
Ever gotten a pile of SAST findings and wondered - what now? How do you possibly trim the fat of uninteresting findings down to a manageable set and get to work making the world a safer place? We will talk about some easy tips on how to prioritize and isolate those results which matter the most to your organization.

{{2019_BASC:Presentaton_Info_Template|The User Experience of Information Security|Chris Chagnon and Ryan LaMarche| | | }}
Targeted and increasingly sophisticated attacks are growing in popularity. With spear-phishing, ransomware, and a slew of other user-oriented attacks, our information security, particularly our operational security, relies on having our users on board. But training end-users can be difficult, and our response to mitigating these attacks can sometimes come at a great expense to UX. This session delves into the User Experience of Information Security, and provides attendees with insights into how some of our best laid security measures might actually increase our vulnerability to future attacks.

{{2019_BASC:Footer_Template|Presentations}}

Template:2019 BASC:Sponsor Bar Template

2019-09-17T18:55:43Z

Laberdale: Fixed typo

Template:2019 BASC:Sponsor Bar Template

2019-09-17T18:49:59Z

Laberdale: Added Platinum NCC Group

2019 BASC Speakers

2019-09-17T04:12:35Z

Laberdale: Added Tal Melamed's bio.

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brian Fox ===
'''Sonatype''' 
Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 
In the past two years, Tal Melamed has been experimenting in offensive and defensive security for the serverless technology, as Head of Security Research at Protego Labs. He specializes in AppSec with more than 15 years of experience in security research and vulnerability assessment. Tal is also the leader and creator of the OWASP Serverless Top 10 and DVSA projects, and is a frequent speaker at security conferences, including DefCon, DerbyCon, OWASP, BSides and more. Follow Tal on Twitter at @_nu11p0inter

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Workshops

2019-09-13T20:59:26Z

Laberdale: Created the workshop page.

{{2019_BASC:Header_Template | Workshops}}

__FORCETOC__
We would like to thank our workshop leaders for donating their time and effort to help make this conference successful.

== Morning Workshops ==

{{2019_BASC:Presentaton_Info_Template|The Ultimate Secure Coding Showdown|Joel Carlson| | | }}
Are. You. Ready? Head to the AppSec battlefield and prove that you are the ultimate secure coding champion. Go head-to-head with your peers as you test your web application security knowledge of the OWASP Top 10. Strut your skills. Crush the competition. Score excellent prizes and take home the title of Secure Code Warrior!

Players will be presented with a series of vulnerable code challenges that will ask them to identify the problem, locate the insecure code, and fix the vulnerability. Select from a range of software languages to complete the tournament, including Java EE, Java Spring, C# MVC, C# WebForms, Ruby on Rails, Python Django, Scala Play & Node.JS. It’s gamified, it’s relevant, but most of all - it’s fun.

Watch as you earn points and climb to the top of the real-time leaderboard during the event. Prizes will be awarded to the top 3 point scorers, with one security superhero being crowned the ultimate Secure Code Warrior. Will it be you?

Psst: Want to test your secure coding skills at your own pace, without the competition? You’re welcome to come along and join the fun.

'''''Participants must bring a laptop.'''''

{{2019_BASC:Presentaton_Info_Template|Zero to Hero: Intro to Web App Pentesting|Carson Owlett and Gabrielle Hempel| | | }}
As more information and functionality moves to the internet, the interface between end users and web application servers becomes increasingly vulnerable. Because of these visible vulnerabilities, penetration testing skills are in high demand; however, courses catering to beginners and those wanting to get a “foot in the door” are scarce. In this workshop, you can utilize a custom environment and expertise in order to begin your journey into offensive security. We will focus on four areas of web application penetration testing: injection, XSS, XXE, and insecure deserialization. This course welcomes total beginners and will be largely oriented towards those wanting to build a foundation in web application pentesting.

'''''Users should have a laptop equipped with BurpSuite.'''''

{{2019_BASC:Presentaton_Info_Template|Capture Ever-Evolving Security Needs of Users with IKE and Proto-Research Persona Development|Prateek Jain and Ryan Lamarche| | | }}
In this workshop, grounded in design thinking approach, we demonstrate the software platform IKE and its process framework for persona development, which facilitate a fast, effective, and relatively inexpensive way to inform design decisions, such as those needed to encourage and enable users to effectively utilize security features. The IKE software platform not only facilitates a deeper understanding of user needs but also provides a Key performance Indicator (KPI) that can measure an organizations’ performance in gauging its target market evolving security needs.

Understanding customers and what their needs are is paramount to the success of any organization. In security and privacy industry, users and their needs vary drastically depending on various factors like age, education, technology use, etc. Persona development is one of the useful tools to capture these needs. It can reveal security needs, pain points, habits, security challenges, etc. of the user base. The traditional approach to persona development is rigorous but time-consuming and resource-intensive. It doesn't account for fast changes in the technological world of privacy and security. These personas become outdated as soon as they are developed. At UXDM lab, we created a unique approach to persona development. We also developed a software platform called IKE for developing and managing personas. IKE treats personas as living documents to make effective design decisions and to follow evolving user needs over time.

{{2019_BASC:Presentaton_Info_Template|How to Talk to Humans|Kitty Huang and Roy Wattanasin| | | }}
Do you feel frustrated sometimes trying to help non-technical users? Do you find it challenging asking for more resources from management? Effective communication can help IT professionals to be more productive and be heard. This workshop demonstrates communication skills through scenarios that IT security engineers encounter regularly. We will decode written and verbal scripts by technical engineers and translate them into a communication style that non-technical people can understand and appreciate. These cases include asking for more resources from upper management, making a suggestion to implement better security, and verifying the legitimacy of an email with an employee. Excessive workload, pressing deadlines and the lack of support can make IT engineers feel exhausted, hopeless and frustrated. This workshop provides perspectives on viewing various work situations in a different light.

== Afternoon Workshops ==

{{2019_BASC:Presentaton_Info_Template|Threat Modeling Workshop|Robert Hurlbut| | | }}

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principals of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objective: In this workshop, attendees will be introduced to Threat Modeling, learn how to conduct a Threat Modeling session, learn how to use practical strategies in finding Threats and proposing Countermeasures, and learn how to apply Risk Management in dealing with the threats. Depending on time, we will go through 1 or 2 Real World Threat Modeling case studies. Finally, we will end the day with the latest updates in Threat Modeling process, tools, etc.

'''''Laptop recommended for some labs, but not required.'''''

{{2019_BASC:Presentaton_Info_Template|Effective Threat Modeling with CTM|Izar Tarandach and Allison Schoenfield| | | }}
Recently Autodesk open-sourced our Continuous Threat Modeling methodology, which aims to enable product teams to threat model every story in a quick and focused manner in order to scale the ability of an organization to keep up with rapid product changes, and enable developers to acquire a security "muscle memory" ability to really infuse their practices with security design capabilities.

In this course you will learn how to perform and enable Continuous Threat Modeling in your organization and provide support to the learning curve of your product teams as a security SME.

CTM is available at https://github.com/Autodesk/continuous-threat-modeling
A threat-modeling-as-code tool will also be introduced, available at https://github.com/izar/pytm

'''''If you are new to the discipline of Threat Modeling we highly advise participating in the earlier Threat Modeling Workshop by Robert Hurlbut in order to solidify your understanding of the subject.'''''

{{2019_BASC:Presentaton_Info_Template|AWS Cloud Security Fundamentals|Joshua Dow and Rami McCarthy | | | }}
As comfort and familiarity with cloud computing is now more mainstream, companies are leaning more and more on cloud resources to host and run even their most-sensitive technical assets. With these new technologies/innovations come new (and old!) security concerns. In this workshop, we will take participants through a baseline understanding of cloud security - with a focus on AWS security fundamentals.

First, we will briefly outline the cloud security model, the similarities across platforms, and the shared responsibility model that Amazon employs. From there, we will introduce participants to open-source tooling for AWS account auditing and hardening, including NCC's own ScoutSuite. We will provide access to an intentionally vulnerable AWS environment, to allow workshop attendees to follow along and explore misconfigurations with their own eyes. We also will support attendees who want to immediately dive into auditing their own AWS accounts/environments.

Next, we'll highlight easy wins for AWS security, that the audience will be able to immediately apply to their own environments. Following that, we'll speak to Amazon's built-in security tooling, including:

* Security Hub
* Trusted Advisor
* CloudTrail
* Inspector
* GuardDuty
* Macie (and why it's probably wrong for you!)

We'll focus on actionable guidance to walk away and be able to use these tools to harden your own posture. Subsequently, we'll work with attendees through the misconfigurations that led to the Capital One breach, via the CloudGoat scenario. Wrapping up, we'll provide a easy to follow cheatsheet of best practices, easy wins, and open source tools that attendees can reference to improve their own environments.

'''''Users should bring a laptop having: administrator privileges, at least 8GB of RAM, 10GB of free disk space, the latest version of 64-bit Virtualbox installed, and USB ports for copying data.'''''



{{2019_BASC:Footer_Template|Workshops}}

2019 BASC Speakers

2019-09-13T20:52:26Z

Laberdale: Added almost all the workshop leaders.

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Joshua Dow ===
'''NCC Group''' 
Joshua Dow is a Security Consultant with NCC Group, joining the organization in Spring of 2019. Joshua has made contributions in his career as both a blue team practitioner and a red team operator. Joshua specializes in web application penetration testing, network penetration testing, and cloud security auditing. Joshua worked as a Senior Software Engineer prior to getting his start in Information Security.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brian Fox ===
'''Sonatype''' 
Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Robert Hurlbut ===
'''Bank of America''' 
Robert Hurlbut, is a Threat Modeling Architect / Lead at Bank of America. Robert is a Microsoft MVP for Developer Security and Technologies and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in secure security, software architecture, and software development. He speaks at user groups, national and international conferences, and has provided training for many companies in the past. Robert is also a co-host of the Application Security Podcast (Twitter - @AppSecPodcast). Follow Robert on Twitter at @RobertHurlbut.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Rami McCarthy ===
'''NCC Group''' 
Rami McCarthy is a Security Consultant with NCC Group, joining with the acquisition of VSR in 2016. He's spent the past three years performing security assessments of all kinds, from SaaS products to cloud IoT platforms. In addition to client work, Rami has published research into misspelled security headers and Chromebook security. Rami got his start in security as an intern at a deep web threat analysis startup, and has a BS in CS from Northeastern University, with a concentration in cyber operations. He's currently working towards an MS from Brandeis University.

=== Tal Melamed ===
'''Protego Labs''' 

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Allison Schoenfield ===
'''Autodesk Inc.''' 
Allison Schoenfield is from Berkeley and also attended UC Berkeley, but is now a San Franciscan. She works as an Application Security Engineer at Autodesk. She enjoys threat modeling and working in partnership with developers to secure applications. Previously, she worked as a security consultant in penetration testing. In her free time, she likes to play social deduction games, bake and eat cupcakes, and mentor.

=== Izar Tarandach ===
'''Autodesk Inc.''' 
Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a member of SAFECode Technical Leadership Council and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Speakers

2019-09-13T20:28:17Z

Laberdale: Added Morning Workshop Leaders

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Mansour Ahmadi ===
'''Northeastern University''' 
Mansour Ahmadi is a research associate at Northeastern University. Before coming to Northeastern, he obtained a PhD in Computer Engineering from the University of Cagliari in 2017. His research is mainly focused in applying machine learning methods for systems security problems, especially malware detection and classification, and vulnerability discovery. He co-authored over 10 scientific papers. Also, He is the lead developer of IntelliAV, which is the first on-device machine learning-based mobile malware detector.

=== Joel Carlson ===
'''Secure Code Warrior''' 
Joel Carlson is a security professional with 15 years of experience in the security industry. Joel has a long history of connecting businesses with security tools to help them ensure a secure environment. He joined Secure Code Warrior earlier this year after previous success at Veracode, Dell and Bitsight.

=== Chris Chagnon ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Chris Chagnon is an ITSM Architect and developer who designs, develops, and maintains award-winning experiences for managing and carrying out the ITSM process. Chris has a Master of Science in Information Technology, and a bachelor’s degree in Visual Communications. In addition, Chris is a PhD Candidate studying Information Systems with a focus on user and service experience. As A Top 25 Thought Leader in ITSM, and an ALE IT Vanguard, Chris speaks nationally about the future of ITSM, practical applications of artificial intelligence and machine learning, gamification, continual service improvement, and customer service/experience. Follow Chris on Twitter @Chagn0n.

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Kristofer Duer ===
'''HCL''' 
Kristofer Duer is the Lead Cognitive Researcher for AppScan Source. He has worked in the application security field for the last 8 years in the world of Static Application Security Testing (SAST) and researching language specific attack surfaces. His particular specialty deals with applying machine learning to solve some of the impossible problems which occur naturally in the world of SAST - namely Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).

Outside of work he enjoys the gym, Disc Golf (super fun!) and spending time with his wife and two kids.

=== Reza Mirzazade Farkhani ===
'''Northeastern University''' 
Reza Mirzazade Farkhani is pursuing a PhD in Cybersecurity at Northeastern University. His research interests span a wide range of topics in systems security with a particular focus on software vulnerability detection, exploit mitigation techniques and binary analysis. Currently, Reza is focusing on developing novel techniques to protect applications against memory safety vulnerabilities. He is especially interested in new security features in ARM architecture to accelerate the performance and security of the current systems.

=== Brian Fox ===
'''Sonatype''' 
Co-founder and CTO, Brian Fox is a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin, he has over 20 years of experience driving the vision behind, as well as developing and leading the development of software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other development related conferences.

=== Gabrielle E. Hempel, CHTI ===
'''Black Mirage''' 
Gabrielle is a graduate of the University of Cincinnati, where she studied Neuroscience and Psychology. She worked for an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. She moved to IT consulting in 2018, and currently works as a penetration tester for Black Mirage while pursuing a certificate in Advanced Computer Security at Stanford. She continues to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and serves as an instructor and mentor for a student cohort of cybersecurity analysts through Cybrary. She recently obtained her Certified Human Trafficking Investigator (CHTI) credentials through the McAfee Institute, and works with various law enforcement groups and task forces in order to combat human trafficking through digital forensics and analysis. Her area of expertise lies in GDPR/HIPAA/regulatory compliance and medical device security.

=== Kitty Huang ===
'''Communications Trainer and Relationship Coach''' 
Kitty Huang is an award-winning speaker who has led several fun and effective communication workshops at MIT, Harvard University, and corporate training events. She has worked as a copywriter at advertising agencies, a screenwriter for a television situation comedy, and a newspaper journalist. Her perceptive mind and creative approaches have successfully helped many individuals to solve problems in professional relationships and personal relationships.

=== Prateek Jain ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Prateek Jain is a UX researcher currently pursuing Ph.D. in Innovation with User Experience at Worcester Polytechnic Institute. His Ph.D. research focuses on User Experience. His research interests are augmented reality, internet of things (IoT), accessibility and persona development. He is working on multiple research projects focusing on the use of augmented reality and IoT to improve the user experience of products and services. Along with that, he is also working on developing and testing different persona frameworks to help organizations make effective design decisions.

=== Ryan LaMarche ===
'''UXDM Lab at Worcester Polytechnic Institute''' 
Ryan LaMarche is a digital transformation and design thinking expert that brings ideas to life with a focus on user experience, and smart system design. When Ryan isn’t building systems, he spends his time as a dual-enrolled Bachelor’s and Master’s student at Worcester Polytechnic Institute studying Computer Science and Innovation with UX. Ryan is also a founding member and CTO of Seldom Technologies where he works with companies to develop systems, applications, and websites and consult on process improvement in the ITSM space.

=== Tal Melamed ===
'''Protego Labs''' 

=== Omid Mirzaei ===
'''Northeastern University''' 
Omid Mirzaei is a postdoctoral research associate in the Systems Security (SecLab) and the Research in Software and Systems Security (RiS3) Labs at Northeastern University, working with Prof. Engin Kirda and Dr. Long Lu. Prior to this, Omid was an assistant professor in Universidad Carlos III de Madrid. Also, he spent around 4 years at COmputer SECurity lab (COSEC) as a PhD student and he received his PhD degree in Computer Science from the same university. Omid's thesis was mainly focused on Android malware analysis and triage. Generally speaking, Omid is working and conducting research in computer and cyber security. However, he is particularly interested in mobile security, malware analysis, reverse engineering and applied machine learning in security. In addition, he is eager to tackle security issues from a multi-objective perspective, i.e. trying to deal with such problems by consuming the least possible amount of in hand resources. Previously and as an undergraduate student, Omid worked in a wide range of areas, from advanced software engineering to Artificial Intelligence (AI). Omid also developed several intelligent systems and passed different AI-related courses, including machine learning, pattern mining, fuzzy systems, evolutionary computation and optimization, neural networks and image processing.

=== Carson E. Owlett, OSCP CEH ===
'''Black Mirage''' 
Carson is a graduate of Connecticut College, where he studied Computer Science and Slavic Studies. After graduating, he obtained his OSCP and CEH and did a brief stint doing research for DARPA. He then founded Black Mirage in 2019, where he serves as the CEO and Assessment Team Lead for penetration tests, and he has been working to implement programs for offensive security education.

=== Rashmi Patil ===
'''HCL''' 
Rashmi is passionate about software engineering and applying it to solve complex problems in day to day life. She has a diverse set of work experience through past research, internships and full-time work experience that has really helped others in understanding the broader picture. In her free time, she volunteers and conducts educational workshops to teach young high school girls about the importance of Cybersecurity and encourage them to pursue a career in Computer Engineering.

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina Valdivieso is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

=== Roy Wattanasin ===
'''Information Security Professional''' 
Roy Wattanasin is a healthcare information security professional. You can find him on @wr0

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Speakers

2019-09-13T19:44:16Z

Laberdale:

2019 BASC Presentations

2019-09-13T19:42:20Z

Laberdale: Finished adding all but one presentation (waiting up updated abstract).

{{2019_BASC:Header_Template|Presentations}}

__FORCETOC__
We would like to thank our speakers for donating their time and effort to help make this conference successful.

{{2019_BASC:Presentaton_Info_Template|An Intelligent Approach to Upgrading OSS Libraries|Madison Cool| | | }}
Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.

{{2019_BASC:Presentaton_Info_Template|OWASP Serverless Top 10|Tal Melamed| | | }}
In moving to serverless, we shift some security responsibilities to the infrastructure provider by eliminating the need to manage servers. Unfortunately, that doesn’t mean we’re entirely absolved of all security duties. Serverless functions still execute code and can still be vulnerable to application-level attacks. As a new type of architecture, serverless presents new security challenges. Some are equal to traditional application development, but some take a new form. Attackers are thinking differently, and developers must do so as well to gain the upper hand.

In this talk, I will dive into the Top 10 risks of the OWASP Serverless Top 10 project. I will discuss why these risks are different from traditional attacks and how we should protect our application against them. I will also introduce OWASP DVSA, a deliberately vulnerable tool, aiming to assist both security professionals and developers to better understand the implications and processes of serverless security.

{{2019_BASC:Presentaton_Info_Template|Security Culture Hacking: Disrupting the Security Status Quo|Chris Romeo| | | }}
This session is an exploration into the world of security culture hacking. In the wake of the “data breach of the day”, organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking, and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we’ll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It’s time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

{{2019_BASC:Presentaton_Info_Template|Critical Thinking in Cybersecurity|Kristin Dahl| | | }}
Security's most important skill is overlooked – critical thinking. Keeping up with the latest technical tools and trends is only one contributor to success. Security is a constantly evolving field. Long-term success requires that we think on our feet—regardless of technology—to understand tools and how to apply them to the changing landscape.

We often do not think about critical thinking. What does it feel like? How is "critical" thinking different from "normal" thinking? How do you develop these skills? And how do you apply them to security?

Critical thinking is part art, part science. It takes a combination of intuition, logic, and creativity to understand the 'why' and not just the 'how.' It should help us address the root cause of an issue and not just the symptoms. In security it means decomposing a problem, analyzing objectively, evaluating a hypothesis, and recognizing context. This session will explore how to apply critical thinking in your day-to-day job pulling from my experience and observations across academia, industry, and government.

{{2019_BASC:Presentaton_Info_Template|Open Source Security on a Shoestring|Paulina Valdivieso| | | }}
Securing assets is a difficult job without the appropriate support, be it from your superiors or having access to resources: getting what you need can be challenging, but that is no excuse to not securing it. In small and medium companies where technology departments are service oriented, security is often overlooked in favor of ease of access, forcing IT to compromise on solutions and, potentially, leave the organization vulnerable.

This talk will explore the open source and open access tools available to the public, their pros and cons, the elements to consider when implementing and the hurdles along the way, covering basic aspects of security in a company: incident response, application security, network security, training, risk & compliance, among others. Analysts, engineers and technicians whose many hats may result in security holes benefit from the implementation of these tools… and managers from knowing alternatives to the increasingly costly solutions in the market.

{{2019_BASC:Presentaton_Info_Template|Put that Cease and Desist Down: How to Train Your Org to Work with Hackers|Luke Tucker| | | }}
Before that hacker slides into your brand’s DMs, how do you prepare your organization to talk to researchers and spot vulnerability disclosure? Today, poorly handled disclosures can cause the same reputational damage as a public security incident. As security continues to climb the ranks of importance, more decision makers and stakeholders are involved in interactions that were once solely owned by security teams. The vulnerability reports are coming. Ready or not. Everyone is on the front lines of security and this includes researcher interactions. Are your executives, legal, PR, and social media teams prepared?

Based on hundreds of hacker and company mediation request, this talk will look at common and extreme scenarios many are seeing for the first time. We will cover real-world communication failures, as well as the success stories you will never read about. Attendees will walk away with armed with practical tips to prepare their colleagues for the inevitable vulnerability report, starting with hacker motivations, what disclosure success looks like, and de-escalation tips. This talk will cover: Responding to vulnerabilities reported via social media; How to minimize the chances of your vulnerabilities ending up on Twitter; Tips for keeping the press out of your bug reporting workflow; Prepare your company to talk to a hacker who is requesting cash; De-escalation tips to find a happy f@%#&$* ending when tempers flare and you are caught in the middle; and How to advocate for security researchers without losing friends or your job.

{{2019_BASC:Presentaton_Info_Template|Identifying Malicious Android Applications in the Presence of Adversaries: A Cat-and-Mouse Game|Omid Mirzaei| | | }}
Android is by far the leading operating system in smartphones. As of March 2019, 51% of US smartphone subscribers were using a Google Android device. This percentage is much higher in an international scale. Also, there are currently more than 2 million Android applications on the official Google Market, known as Google Play. As most of the functionalities of smartphones are provided to users via applications, this huge market with billions of users is tempting for attackers to develop and distribute their malicious applications (or malware).

Mobile malware has raised explosively since 2009. Symantec reported an increase of 54% in the new mobile malware variants in 2017 as compared to the previous year. This rise has happened for Android malware as well since only 20% of devices are running the newest major version of Android OS based on Symantec report in 2018. Thus, detecting malicious and potentially risky applications in the Android platform is of the utmost importance. During this talk, I will summarize different automated techniques proposed for Android malware detection and risk assessment. Along with this, I will discuss how adversaries have tried to bypass these mechanisms.

{{2019_BASC:Presentaton_Info_Template|Automate or Die - DevSecOps in the Age of Software Supply Chain Attacks|Brian Fox| | | }}
As nimble organizations deliver new innovations, adversaries are also upping their game; something we’ve seen in recent high profile and devastating cyber attacks. Bad actors have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If we don’t fight back by doing the same - automating security directly in the DevOps pipeline - then we’ll always be at the hackers’ mercy. This session will provide new research on the above, and details on how to get started.

Key takeaways: Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks; Key insights from the 2019 DevSecOps community report - including the top investments for automated security; A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite; Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain; How automating security of policies makes it harder to ignore.

{{2019_BASC:Presentaton_Info_Template|Finding Bugs Using Your Own Code: Machine Learning-based Inconsistent Code Detection|Mansour Ahmadi and Reza Mirzazade Farkhani| | | }}
Machine learning has shown success in detecting known types of software vulnerabilities in recent years, but they mostly need extensive specimens to train their models.

As a new alternative to such approaches, we present a learning-based technique that can identify potentially buggy code snippets which deviate from most of the code snippets implementing similar functionalities. Our approach learns from a codebase itself without the need for the cumbersome task of gathering and cleansing training samples. The core idea is that various kinds of bugs can be viewed as inconsistencies that deviate from non-buggy code that implement the same or similar logic.

More specifically, we design a two-step clustering technique to find functionally-similar yet inconsistent code in software. We implemented our system on top of LLVM, which makes our approach language-agnostic.

We evaluated our tool on 4 popular open source security software codebases, such as OpenSSL, OpenSSH, WolfSSL, and Mbedtls. Our tool discovered 10 new unique deep bugs (some are exploitable), despite that some of these codebases are constantly undergoing vulnerability scans. All of the bugs have been confirmed by their developers and later fixed by either our pull requests or the developers.

How does the system work really? How easy to find bugs by our approach and how much manual effort does it need? What is a proper code granularity for detecting inconsistencies?

{{2019_BASC:Presentaton_Info_Template|SAST Triage Tricks of the Trade - How to Triage Before the Universe Dies Out|Kristofer Duer and Rashmi Patil| | | }}
Ever gotten a pile of SAST findings and wondered - what now? How do you possibly trim the fat of uninteresting findings down to a manageable set and get to work making the world a safer place? We will talk about some easy tips on how to prioritize and isolate those results which matter the most to your organization.

{{2019_BASC:Presentaton_Info_Template|The User Experience of Information Security|Chris Chagnon and Ryan LaMarche| | | }}
Targeted and increasingly sophisticated attacks are growing in popularity. With spear-phishing, ransomware, and a slew of other user-oriented attacks, our information security, particularly our operational security, relies on having our users on board. But training end-users can be difficult, and our response to mitigating these attacks can sometimes come at a great expense to UX. This session delves into the User Experience of Information Security, and provides attendees with insights into how some of our best laid security measures might actually increase our vulnerability to future attacks.

{{2019_BASC:Footer_Template|Presentations}}

2019 BASC Speakers

2019-09-13T18:54:26Z

Laberdale: First half of speakers added.

{{2019_BASC:Header_Template | Speakers/Trainers}}

=== Madison Cool ===
'''TraceLink''' 
Madison Cool is an associate AppSec engineer at TraceLink, delivering a secure platform for the Pharmaceutical Supply Chain. She works with the TraceLink team to make "TraceLink = Trusted" by ensuring that customers, partners and internal engineering can meet and exceed best security practices. Their goal is to make security accessible and understandable by both the security-minded and the security-unaware.

=== Kristin Dahl ===
'''IBM X-Force IRIS''' 
Kristin Dahl is a cyber security consultant with IBM X-Force IRIS and former research staff member at MIT Lincoln Laboratory. Kristin’s experience includes investigative research, policy development, threat assessment, and security operations across the defense sectors, critical systems, academia, and private industry. Kristin has worked collaboratively with multiple stakeholders and federal agencies, including the Department of Defense, the Department of Homeland Security, and the Department of Energy.

=== Tal Melamed ===
'''Protego Labs''' 

=== Chris Romeo ===
'''Security Journey''' 
Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. Find Chris on Twitter, @edgeroute, or on LinkedIN, https://www.linkedin.com/in/securityjourney/

=== Luke Tucker ===
'''HackerOne''' 
Luke Tucker is the Senior Director of Community at HackerOne — the leading hacker-powered security platform with the largest community of hackers in the world. A seasoned community engagement professional, he is passionate about helping identify and nurture what makes people and communities tick, so understanding how hackers feel and how they are seen is his bread and butter. He is the Creator and Editor of the Zero Daily Newsletter, which provides daily application security, hacker and bug bounty news. Previously at HackerOne, Luke oversaw all B2B content marketing efforts, brand voice and social media management, and educational content development for the growing community of hackers. Prior to HackerOne, he served in several creative roles including Captricity and Sultan Ventures.

=== Paulina Valdivieso ===
'''Bennington College''' 
Paulina is a senior undergrad in Computer Science and Public Policy, studying the intersections between Cybersecurity, Law and Politics. Interested in hacking, information security, programming and general electronic shenanigans, she recently started to apply all of this knowledge into the workplace, centering on network and application security. She is an advocate for open access and privacy, using and committing to open source tools whenever possible and making sure people understand the implications and dark side of the tools they use everyday.

{{2019_BASC:Footer_Template | Speakers/Trainers}}

2019 BASC Presentations

2019-09-13T18:53:09Z

Laberdale: First half of presentations added.

2019 BASC Speakers

2019-09-13T18:14:22Z

Laberdale: Create Initial 2019 Speakers page

2019 BASC Presentations

2019-09-13T18:12:37Z

Laberdale: Create initial 2019 Presentations page

Template:2019 BASC:Presentaton Info Template

2019-09-13T18:05:26Z

Laberdale: Created page with "<!-- Parameters: 1=title 2=Speaker Name __EXACTLY__ as it appears on the speaker page 3=optional extra such as | Media:2016_BASC_Succeeding_with_Automa..."

==={{{1}}}===
<div style="margin-left: 10px;">'''Presented by:''' [[2019_BASC_Speakers#{{{2}}}|{{{2}}}]]{{{3}}}</div>

Template:2019 BASC:Footer Template

2019-09-13T17:33:15Z

Laberdale:

<center>You can find out more about this conference at the [[2019 BASC Homepage]]</center>
<center>or by emailing [mailto:boston-leaders@owasp.org boston-leaders@owasp.org]</center>
<center>[[Image:twitter_32.png|link=https://twitter.com/@BASConf]]</center>

[[Category:Massachusetts]]
[[Category:2019 BASC]]
[[Category:Boston]]

2019 BASC Homepage

2019-09-13T17:29:47Z

Laberdale: Only Silver Sponsorships remain

{{2019_BASC:Header_Template | Home}}

__NOTOC__
== Welcome ==
This is the homepage for the 2019 Boston Application Security Conference (BASC). Conference will take place 8:30am to 6:30pm on Saturday, October 19th at
* Location: [https://goo.gl/maps/MErChZ3cX5B2 5 Wayside Road Burlington, MA]

The BASC will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

NOTE: * Some workshops and training may have a separate fee.


== Registration ==

[https:// COMING SOON]

Registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited.

You may also register for one or more workshops, but workshop tickets are limited. Please be considerate of others and '''only register for a workshop if you plan to attend'''. If your plans change, please cancel your ticket to free the space up for others. Do not sign up for more than one session of the same workshop, or for workshops whose times overlap. If you do, conference organizers will cancel your ticket orders.

== Keynotes ==

'''The Internet Sucks. Should we replace it?'''

'''Andy Ellis,''' Akamai

[[File:Andy-ellis_0532_1-2.jpg|left|frameless]]

50 years into the Internet, it’s become very clear that there are virtually no security goals designed into the underpinnings of the Internet, and even higher level protocols suffer from this lack. As a result, existing on the Internet makes the Wild West look like a tame environment. Should we attempt to redesign the Internet, and make it secure by default? Let’s explore the dystopian world of an alternate Internet, and see why the Internet we have might actually be the best Internet we could hope for.

Andy Ellis is Akamai’s Chief Security Officer, and his mission is “making the Internet suck less.” Governing cybersecurity, compliance, and safety for Akamai’s planetary-scale cloud platform since 2000, he has also designed and brought to market Akamai’s TLS acceleration network, its DDoS defense offerings, and several of the core technologies behind its security solutions. Andy has also guided Akamai’s IT transformation from a flat password-based network to a distributed, zero-trust enterprise based on strong authentication.

Andy is a graduate of MIT with a degree in computer science, and has served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.

Also active in Internet policy and governance circles, Andy has supported past and present Akamai CEOs in roles on the NIAC and NSTAC, as well as serving on the FCC’s Communications Security, Reliability, and Interoperability Council. He is an affiliate of Harvard’s Berkman Klein Center, and a guest lecturer in executive education at MIT and the Harvard Kennedy School. He is a frequent speaker on topics of Internet security, anthropocentric risk management, and security governance; and occasionally blogs at www.csoandy.com. He can be found on Twitter as @csoandy, where he discusses security, wine, American football, and hairstyling.

Andy is also an Advisor to YL Ventures’ YLV3 Fund, Uptycs, and Vulcan Cyber.

Andy has received The Spirit of Disneyland Award, The Wine Spectator’s Award of Excellence (as The Arlington Inn), the US Air Force Commendation Medal, and the CSO Compass Award.

'''Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations'''

'''Kevin Johnson,''' Secure Ideas

[[File:KevinJohnson.jpg|175px|left|frameless]]

In this presentation Kevin will walk through some of the issues we face as we move more and more of our life into applications and the Internet of Things. We will explore the vulnerabilities, how they are attacked, and what it means to all of us.

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.

In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group)

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

== Details ==

* Only Silver Sponsorships Remain [https://www.owasp.org/images/9/94/BASCSponsorship2019.pdf Sponsorship Kit]
* [[2019_BASC_Presentations | Presentations]]
* [[2019_BASC_Workshops | Workshops]]
* [[2019_BASC_Speakers | Speakers]]
* [[2019_BASC_Agenda | Agenda]]
* Twitter: Follow [https://twitter.com/BASConf @BASConf] @[https://twitter.com/owaspboston OWASPBoston] HashTag: #basc2019

== OWASP Boston Chapter ==
BASC is presented by the [https://www.owasp.org/index.php/Boston OWASP Boston] chapter.

{{2019_BASC:Footer_Template | Welcome}}

2019 BASC Homepage

2019-09-04T01:47:58Z

Laberdale: Andy's Abstract was missing.

{{2019_BASC:Header_Template | Home}}

__NOTOC__
== Welcome ==
This is the homepage for the 2019 Boston Application Security Conference (BASC). Conference will take place 8:30am to 6:30pm on Saturday, October 19th at
* Location: [https://goo.gl/maps/MErChZ3cX5B2 5 Wayside Road Burlington, MA]

The BASC will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide-array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

NOTE: * Some workshops and training may have a separate fee.

== Call for Papers/Workshops ==

[https://www.owasp.org/index.php/BASC_2019_Call_For_Papers CFP/CFW link]

== Registration ==

[https:// COMING SOON]

Registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited.

You may also register for one or more workshops, but workshop tickets are limited. Please be considerate of others and '''only register for a workshop if you plan to attend'''. If your plans change, please cancel your ticket to free the space up for others. Do not sign up for more than one session of the same workshop, or for workshops whose times overlap. If you do, conference organizers will cancel your ticket orders.

== Keynotes ==

'''The Internet Sucks. Should we replace it?'''

'''Andy Ellis,''' Akamai

[[File:Andy-ellis_0532_1-2.jpg|left|frameless]]

50 years into the Internet, it’s become very clear that there are virtually no security goals designed into the underpinnings of the Internet, and even higher level protocols suffer from this lack. As a result, existing on the Internet makes the Wild West look like a tame environment. Should we attempt to redesign the Internet, and make it secure by default? Let’s explore the dystopian world of an alternate Internet, and see why the Internet we have might actually be the best Internet we could hope for.

Andy Ellis is Akamai’s Chief Security Officer, and his mission is “making the Internet suck less.” Governing cybersecurity, compliance, and safety for Akamai’s planetary-scale cloud platform since 2000, he has also designed and brought to market Akamai’s TLS acceleration network, its DDoS defense offerings, and several of the core technologies behind its security solutions. Andy has also guided Akamai’s IT transformation from a flat password-based network to a distributed, zero-trust enterprise based on strong authentication.

Andy is a graduate of MIT with a degree in computer science, and has served as an officer in the United States Air Force with the 609th Information Warfare Squadron and the Electronic Systems Center.

Also active in Internet policy and governance circles, Andy has supported past and present Akamai CEOs in roles on the NIAC and NSTAC, as well as serving on the FCC’s Communications Security, Reliability, and Interoperability Council. He is an affiliate of Harvard’s Berkman Klein Center, and a guest lecturer in executive education at MIT and the Harvard Kennedy School. He is a frequent speaker on topics of Internet security, anthropocentric risk management, and security governance; and occasionally blogs at www.csoandy.com. He can be found on Twitter as @csoandy, where he discusses security, wine, American football, and hairstyling.

Andy is also an Advisor to YL Ventures’ YLV3 Fund, Uptycs, and Vulcan Cyber.

Andy has received The Spirit of Disneyland Award, The Wine Spectator’s Award of Excellence (as The Arlington Inn), the US Air Force Commendation Medal, and the CSO Compass Award.

'''Sandcastles in a Storm: Application Vulnerabilities and how they weaken our organizations'''

'''Kevin Johnson,''' Secure Ideas

[[File:KevinJohnson.jpg|175px|left|frameless]]

In this presentation Kevin will walk through some of the issues we face as we move more and more of our life into applications and the Internet of Things. We will explore the vulnerabilities, how they are attacked, and what it means to all of us.

Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is a faculty member at IANS and was an instructor and author for the SANS Institute.

In his free time, Kevin enjoys spending time with his family and is an avid Star Wars fan and member of the 501st Legion (Star Wars charity group)

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF; a web pen-testing environment, Laudanum; a collection of injectable web payloads, Yokoso; an infrastructure fingerprinting project and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

== Details ==


* [https://www.owasp.org/images/9/94/BASCSponsorship2019.pdf Sponsorship Kit]
* [[2019_BASC_Presentations | Presentations]]
* [[2019_BASC_Workshops | Workshops]]
* [[2019_BASC_Speakers | Speakers]]
* [[2019_BASC_Agenda | Agenda]]
* Twitter: Follow [https://twitter.com/BASConf @BASConf] @[https://twitter.com/owaspboston OWASPBoston] HashTag: #basc2019

== OWASP Boston Chapter ==
BASC is presented by the [https://www.owasp.org/index.php/Boston OWASP Boston] chapter.

{{2019_BASC:Footer_Template | Welcome}}

BASC 2019 Call For Papers

2019-08-16T15:23:26Z

Laberdale: Updated deadline at bottom of page

{{2019_BASC:Header_Template | Home}}

== Submit Your Proposal ==

Please use [https://docs.google.com/forms/d/e/1FAIpQLSef_pgvIUZtXl7wpiCUmx93ZKog9BQPk9fkX100TaG7ynBO4g/viewform?usp=sf_link this form] to submit your proposal for a presentation.

Please use [https://forms.gle/6tJgrmxqt8sWkKbMA this form] to submit your proposal for a workshop.

Deadline for proposals: Midnight on August 25, 2019

Conference date: October 19, 2019

== About BASC ==

The [[Boston | OWASP Boston chapter]] would like to announce a call for papers and free workshops for the Boston Application Security Conference. This our 9th annual conference.

The OWASP BASC (Boston Application Security Conference) will be a free*, one day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide range of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors will come to the BASC to learn, interact and hopefully enjoy themselves at the same time. We encourage local students, security professionals and academics to present papers as a way to gain exposure and experience in presenting at security conferences. *Note that some workshops or training may require a fee.

We expect over 200 attendees this year. Publicity includes the OWASP Boston wiki site (run by OWASP Foundation), OWASP Boston Meetup, OWASP Boston Linkedin group, OWASP Boston mailing list, Eventbrite and Twitter.
==Past conference presentations==
[[2018 BASC Presentations]] · [[2017 BASC Presentations]] ·[[2016 BASC Presentations]] · [[2015 BASC Presentations]] · [[2014 BASC Presentations]] · [[2012 BASC Presentations]] · [[2011 BASC Presentations]] · [[2010 BASC Presentations]]

==Guidelines==
Last year, there were two tracks:

Track 1 - Basic/Current Application Security

Track 2 - Information Security/Frameworks/Professional Development

Each presentation will be 45 minutes.

We attract both people who are new to application security as well as people who are experienced in application security.

We encourage first time presenters: students, researchers, working application security folks etc. to submit presentations.

==Some Suggested Topics==
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
*Mobile app security, forensics

*Javascript servers, apps, frameworks: Node.js, Angular

*Language Framework (in)security – Hibernate, Grails, Ruby etc.

*Security for NFC, Bluetooth LE apps

*Google Glass app security

*OWASP ESAPI

*Measurable security - advanced threat modelling

*Web API security REST, JSON

*Application Architecture security

*Web security testing in a DevOps organization

*Building web app security expertise in engineering teams

*Conducting lightweight threat modeling

*Vulnerability Management - Process & Tools

*Developing your own web app security development standard

*Security test automation with OWASP ZAP and Zest scripting language

*Authentication & Enterprise Web Applications (incl. Federation, 2 Factor Auth, SSO)

*Open Source Identity Management

*Open Source Static Analysis

*Security Unit testing with Selenium

*Effective static code analysis tools</div>

==Submit==

Please see above for links.

Deadline for proposals: August 25, 2019

If you have any questions, please email [mailto:boston-leaders@owasp.org boston-leaders@owasp.org].

{{2019_BASC:Footer_Template | Welcome}}