Los Angeles/2014 Meetings

---December 2014

David Perry, Threat Strategist at F-Secure, has been working in computer security since 1990. He has presented all over the world, at conferences like Infosec Europe, RSA, Virus Bulletin, AVAR and EICAR. He is a research fellow of the Anti Phishing Work Group and was chosen a SUPERSTAR of Cyber SECURITY by CRN magazine. He has worked in the White House (under four different presidents) in the pentagon and in NATO. David is a frequent media expert on security issues. He lives in Huntington Beach, California.

Speaker: David Perry

---November 19th, 2014

Android Wear and Google Glass

Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear and Glass work underneath the hood. We will examine their methods of communication, data replication, and persistence options. We will examine how they fit into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal is to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.

Speaker: Jack Mannino

Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android. He’s also an optimistic Mets fan, although that optimism slowly fades away every summer.

---October 22, 2014

Breaking the Security of a SaaS Offering

During the course of this presentation we will examine the results of a penetration-test/vulnerability assessment of a SaaS performed a few months ago. We won't just discuss the results; I will SHOW you how unprotected iframes can lead to clickjacking, what attackers can learn from decompiling your Java code, and how a Java RMI architecture probably isn't suited for a SaaS of this type. We'll discuss the vulnerabilities that come from sloppy HTML/CSS code and developing your own "encryption" algorithm, plus what certificate protection a keystore does and doesn't provide.

Speaker: Stan Borinski, CISSP, CISA

---September 17, 2014 (Joint Meeting with Issa-LA)

Securing the SDLC in the real world

The earlier you address security in the engineering of software, the less expensive it will be for your organization. There are many who will tell you that you need to change all of your current processes around building software so it is more secure. Many of those forces are consultants charging high rates to help you deeply modify what you are doing today. This talk will will take the opposite approach. How can you add a few reasonable and mostly lightweight processes to how you build software today to make it more secure? Software development is like driving a boat. You need to look ahead make small changes to steer effectively.

Speaker: Jim Manico

---August 27, 2014

Securing Complex Forms

The heart of how users interact with a web application is the HTML form submission. A great deal of very sensitive data flows over HTML forms. Securing web form submissions is critical for the construction of a secure web application. Multi-form workflows make securing form submissions even more complicated! This presentation will take you on a journey as untrusted data flows from a form submission into the many layers of a secure web application.

• Review some of the basic threats against web forms
• Learn some of the most important defense categories for building secure web forms
• Discuss some of the more complex aspects to form construction, such as workflow

Speaker: Jim Manico

Jim Manico is an author and educator of developer security awareness trainings. He is also a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also one of the members of the Global Board of Directors for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects. Jim is currently working on a book with McGraw-Hill and Oracle-Press on Java Security.

---July 23, 2014

Aviator Secure Browser Presentation and Demo

The tradeoffs required to make a secure browser are often largely poorly understood even amongst the best of security people. It makes sense since so few people actually work on browsers. There is little knowledge about what it requires to make a browser safe enough to use when viewing hostile websites - against all known adversaries. In this presentation we will cover how browsers are critically insecure, how they can be made to be secure, and what consumers forfeit in order to gain that extra level of security. Lastly, the presentation will cover how to think about tradeoffs and what customers can live without.

Speaker: Nick Schilbe, Director, Solutions Architecture, WhiteHat Security

Nick Schilbe is currently the Sr. Director of Solutions Architecture at WhiteHat Security. Nick began his career at WhiteHat as a security engineer who verified vulnerability data, managed services for his customers, and provided manual penetration testing on over 500 web applications. He eventually became the Manager of the Threat Research Center where he developed, refined, and implemented new processes and workflows for the WhiteHat Sentinel family of website risk management solutions. His WhiteHat Security Engineering team provided service to more than 6000 web applications – primarily production e-commerce, financial services, and healthcare websites, including those owned by many Fortune 500 companies. Afterwards he created the Research & Development division which focused on improving the Sentinel testing methodology, researching new types of attack techniques, responding to zero day issues, and making the overall assessment process more efficient.

---June 2014

Cashing Out – How Malware is Used to Attack ATMs

Recently a group of 10 criminals were arrested in Mexico for infecting ATMs with malware and, like a scene from a movie, emptying the ATMs of cash. A group of Ukrainian hackers were also arrested in China using another ATM infecting scheme. This talk will discuss recent ATM malware that has been discovered, how it works and how the attackers are leveraging infected ATMs.

Since the proof is in the pudding, Liam will bring a physical, one tonne, ATM for a demonstration of how these threats work in the real world, by dispensing cash via a text message!

Speaker: Liam O'Murchu

Liam manages a team of reverse engineers investigating the latest malicious attacks and analyzing cutting edge malware. He was formerly Manager of Security Response Operations for North America at Symantec, where he had responsibility for ensuring immediate response to computer security incidents of all size involving malicious software.

---May 28, 2014, Symantec Offices, Culver City

Cloud Security Through Threat Modeling

One of the most effective tools developers can implement in their security development lifecycle programs is threat modeling. Robert will discuss how effective threat modeling techniques enable developers to uncover security vulnerabilities before code is even written. Together they will reveal how threat modeling also applies to cloud environments. Whether building a hybrid model, purely commodity cloud, or Virtual Private Cloud (VPC) environment, threat modeling helps identify the attack surface area and likely threat vectors. Finally, they will explain to attendees that threat modeling allows developers and operations personnel to address vulnerabilities as enterprises migrate to the cloud.

Speaker: Robert Zigweid

Robert Zigweid As an IOActive Director of Services, Robert Zigweid is responsible to both perform and ensure quality on engagements, working with clients to discover and solve network and application problems that threaten their business goals and assets. Mr. Zigweid is an accomplished developer and application tester, with advanced skills in the creation and analysis of systems architecture and threat modeling.

In addition to his direct efforts on penetration tests, security reviews, and network and application audits, Mr. Zigweid frequently contributes to the advancement of more stable, secure systems through his research and development. His research‹and the resultant presentations at top industry conferences‹furthers the formal understanding of application and network security for audiences at varying levels of technical fluency.

Mr. Zigweid also helped develop IOActive's secure coding and Software Development Lifecycle training courses, sharing his deep understanding of industry best practices and guidelines to help our clients develop applications capable of resisting both internal and external threats.

---April 23, 2014, Symantec Offices, Culver City

Stop Chasing Vulnerabilities – Getting Started with Continuous Application Security

For too long, application security has been “experts-only” and practiced one-app-at-a-time. But modern software development, both technology and process, is mostly incompatible with this old approach and legacy appsec tools. Software development has been transformed by practices like Continuous Integration and Continuous Integration, and the time has come to bring these efficiencies to security. In this talk, Jeff will show you how you can transition to a “Continuous Application Security” approach that generates assurance automatically across an entire application security portfolio. Jeff will demonstrate how both open-source and commercial tools (including OWASP ZAP, Mozilla’s Minion, Gauntlt, and others) can be integrated to provide a comprehensive real time application security dashboard. With this approach, we can leverage the power of big data analytics to gain unprecedented insight into enterprise application security and finally focus on enterprise application security strategy rather than simply chasing the next XSS.

Speaker: Jeff Williams

Jeff Williams has over 20 years of experience in software development and security. Jeff is a founder and CTO of Contrast Security, offering a revolutionary application security technology that accurately identifies vulnerabilities at portfolio scale without requiring experts. Prior to founding Contrast, Jeff was a founder and CEO at Aspect Security. In addition, Jeff helped found the OWASP Foundation where he served as the Global Chair for 8 years and created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten.

---March 26, 2014, Symantec Offices, Culver City

Monitoring and protecting Windows Web Servers with OMENS

OMENS is a utility that monitors and protects Windows web servers from attackers. It is a practical system designed by someone directly responsible for defending high value public facing web servers. In this talk D0n Quix0te will discuss why he took the unique approaches that OMENS uses. He will also demo installing and using this relatively simple but effective piece of free software.

Speaker: D0n Quix0te is the author and creator of OMENS.

D0n Quix0te is the author and creator of OMENS. He has more than 25 years of experience in architecting, installing, maintaining, and defending high value targets. Currently he is an Incident Response Analyst for a Fortune 500 entertainment company. Prior to that he spent more than 20 years architecting and securing systems for NASA and Lockheed.

---February 19, 2014, Symantec Offices, Culver City

Building a shield of security - Vulnerability Management by the numbers and dumb robots

This presentation discusses how builders, breakers and defenders should look at vulnerability management when attempting to keep hackers at bay?? We shall discuss the most common vulnerabilities which are not detected by security tools nor automation but nevertheless are common and can be used to commit real fraud resulting in financial loss. We will look at some real world examples from the trenches, discuss business logic and authorisation testing, how we approach these and why automation does not work to detect such critical issues. We will see that Web Application Firewalls are ineffective against such attacks and why the only practical solution is to apply a layered approach across the SDLC and by focusing on the application as a logical state machine.

Speaker: Rahim Jina - BCC Risk Advisory

Rahim has been an active member of OWASP since 2008 and has contributed to many projects such as the OWASP Security Code Review Guide and is an ex-board member of the Irish Chapter. Previously Rahim was a senior security consultant at a ?big 4? professional services firm and more recently, the head of security for Fonality Inc, a VoIP service provider based in Los Angeles. Rahim is currently a director for BCC Risk Advisory (bccriskadvisory.com), based in Dublin, Ireland. He is also responsible for the security architecture of the edgescan.com vulnerability management solution.

---January 2014, Symantec Offices, Culver City

Speaker: