Los Angeles/2015 Meetings
---August 26, 2015, Symantec Offices, Culver City
Speaker: Chris Holland
Scourge of the Internet since the late 90s, DDoS attacks have grown in magnitude and sophistication. This talk goes over basic symptoms, motivations, evolving trends in attack vectors and actors, pluggable amplification vectors, DIY hardening and mitigation architectures, and classifications of vendors in the mitigation space.
Speaker: Leif Dreizler
Topic: Inherent differences between the hacker and developer mentality
Abstract: Leif Dreizler, BugCrowd, explores the inherent differences between the hacker and developer mentality. In this discussion, the audience will hear from a former breaker and fixer of security flaws on how developers who acknowledge the existence of ‘The Bogeyman’ come that much closer to being active participants in ensuring their company’s security, rather than passive victims. During his talk you'll learn... how to decrease friction between dev and security teams, how crowdsourced security testing merges into the SDLC, how organizations can increase ROI on security testing with a pay for performance model and more.
Speaker bio: Leif is a Senior Security Engineer at Bugcrowd, the innovator in crowdsourced security testing for the enterprise, where he works to customize and support security testing solutions for Bugcrowd clients. Prior to Bugcrowd, Leif worked as Senior Application Security Engineer at Redspin, performing application security assessments. During his time at Redspin he served as the Application Team Lead, working with clients large and small at the engineering and sales level. Leif is an OWASP speaker and member, and contributes to the Firebug project. Leif attended the University of California where he studied Computer Science. Most recently, Leif spoke at Bsides-SF and was invited to be part of the department’s “Array of Talks” panel, a speaker series that he helped develop.
---June 24 2015, Symantec Offices, Culver City
Speaker: Joe Rozner
Topic: Langsec and You
Abstract: Langsec attempts to solve specific vulnerability classes caused by specially crafted user input being accepted by an application that has an undesired or unintended effect. Langsec and You will describe many of these vulnerability classes specifically focusing on XSS and SQL Injection due to their prevalence and relevance to the audience. We will dive into exactly why these vulnerability classes exist and how to use langsec to help solve them. This will involve a brief introduction or refresher to formal language theory before concluding with a survey of some of the tools available to start implementing langsec solutions for yourself.
Speaker bio: As a software engineer with experience across many languages and paradigms, Joe has focused his career on rapid prototyping and independent security research. He’s developed custom system call level sandboxes, rich web applications, and applications at all levels in between. A strong interest in computer languages and their implementation has led to a solid foundation and further cultivation in the area of language implementation and language security. This combination of experience has allowed Joe to lead teams in designing and creating truly unique products and solving difficult problems.
---May 27 2015, Symantec Offices, Culver City
Speaker: Kelly Fitzgerald
Topic: Clever: Securing the Savvy Vector
Abstract: Depending on your age you may remember Superman or Office Space and the clever scheme to take the fractions of a penny from a huge number of transactions in order to un-noticeably get rich quick. What about cybercrime in the real world? In this talk we will look at the clever side of cybercrime: real world examples, events and protection. This information will help you as a security professional look at your world with a clever view and make you better at securing your world from the clever, savvy vector.
Speaker bio: Kelly has a BS in Computer Science from CSUSB. She was awarded a full academic scholarship from the National Science Foundation. In her senior year of college she took a job at EvidentData doing computer forensics. From there she fell in love with the dark side and purposely went in pursuit of a career in computer security, looking at the bleedy places where people and technology bruise. Kelly has worked at Symantec since 2003 and has two single-filer patents pending.
---April 29 2015, Symantec Offices, Culver City
Speaker: Kunal Anand
Speaker bio: Kunal is the co-founder and CTO of Prevoty, an application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.
Topic: Beyond the Perimeter: The reality of the new application security landscape
Abstract: Web applications are dynamic, distributed and perhaps most importantly - the heart of every business in the post-PC era. These applications collect, process and persist information from a myriad of third-party services and users. From an adversary's perspective, the attack surface has never been more tantalizing. Today, a security model entirely predicated on applying controls and pattern-matching at the perimeter is at best a zero-sum game; applying probabilistic logic highlights that pattern matching techniques cannot prevent attacks created by content and SQL fuzzers. This talk will explore an alternative approach to identifying bad actors at runtime via the implementation of language security models to prevent attacks like XSS and SQLi without relying on past definitions and signatures. We’ll cover the tradeoffs, discuss performance and review the challenges of modern application security.
---March 25, 2015, Microsoft Office, Playa Del Rey, CA
Speaker: Jeff Williams, founder and CTO of Contrast Security
Speaker bio: Jeff Williams is the founder and CTO of Contrast Security, bringing the power of instrumentation and real time analytics to secure your application portfolio. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at [email protected]
Topic: Why Your AppSec Experts Are Killing You
Software development has been transformed by practices like Continuous Integration and Continuous Integration, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.
---March 11, 2015, Symantec Offices, Culver City
Speaker: Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security
Speaker bio: Jerry Hoff is the Principal Security Strategist at WhiteHat Security. Prior to WhiteHat Security, Jerry co-founded Infrared Security, a specialist in application security and next-generation static analysis technologies. His work experience also includes a number of financial firms including Morgan Stanley Asia where he was on the global Security Architecture team based out of Hong Kong. He has more than a decade of experience in application security consulting, and has taught at Washington University’s CAIT program delivering security and development classes for thousands of developers. Jerry is a frequent speaker at numerous security events around the globe, and is a regular OWASP contributor, where he leads the OWASP Application Tutorial Series and WebGoat.NET. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.
Topic: Web Attacks at Scale in 2015 (Alternative Title: Web Security Bootcamp)
This talk is an attacker-centric presentation demonstrating how modern pen-testing tools such as OWASP Zap, Browser Exploitation Framework (BeEF) and sqlmap can be used to automate web attacks at scale. Reenactments of some of the most publicized attacks in recent history will be conducted to ensure participants understand and absorb how these attacks are taking place. Full exploits using these tools and more will be demonstrated, and a discussion of solutions will follow.
---February 25, 2015, Symantec Offices, Culver City
Speaker: David Maman
Speaker bio: Mr. Maman is co-founder and CTO at GreenSQL, a leader in unified database security solutions. He is a recognized international expert in computer security advising companies on threat management, real-time network protection, advanced network design, and security architecture. David has founded a number of high-tech start-up companies, including Vanadium-Soft, Preacos, and Moksai. As a senior technology director for Fortinet, a leading international IT security firm, Mr. Maman provided consulting services to global businesses and opened new international regions. He was the information security manager for Bezeq, a national telecommunications company, and the chief scientist at Ofek, a leading Israeli IT and security consulting firm.
Topic: WAF Isn't Enough. The Multi-Faceted Approach to Defend against SQL Injection Attacks
WAFs are essential security mechanisms used on almost all commercial websites today. Despite the excellent protection they offer against many types of attacks, WAFs are inadequate to protect against today’s sophisticated SQL Injection (SQLi) attacks. This is because, fundamentally, a WAF does not understand database commands or database structure. Its protection is limited to a black list of blocked signatures. Even if a WAF did provide complete protection from web access, it still would be inadequate for database protection, because databases are accessed from many sources, not just from web-based applications. Attendees will learn best practices for defending against SQLi attacks using a comprehensive approach of:
- Database firewalls
- Pattern learning processes
- Separation of duties
- Risk-based policies
- Masking of sensitive information