Los Angeles/2017 Meetings - Revision history

Emomartin.owasp at 06:13, 30 October 2017

2017-10-30T06:13:37Z

Emomartin.owasp at 05:59, 30 October 2017

2017-10-30T05:59:46Z

Emomartin.owasp at 05:56, 30 October 2017

2017-10-30T05:56:39Z

Emomartin.owasp at 05:47, 30 October 2017

2017-10-30T05:47:51Z

Emomartin.owasp at 05:16, 30 October 2017

2017-10-30T05:16:05Z

Emomartin.owasp at 06:06, 30 June 2017

2017-06-30T06:06:42Z

Emomartin.owasp: added June monthly meeting details

2017-06-30T06:04:56Z

added June monthly meeting details

Emomartin.owasp at 04:49, 16 June 2017

2017-06-16T04:49:26Z

Emomartin.owasp at 04:47, 16 June 2017

2017-06-16T04:47:36Z

Emomartin.owasp at 20:06, 14 June 2017

2017-06-14T20:06:33Z

@@ Line 21: / Line 21: @@
 Mahesh is responsible for growing Contrast Protect. He takes every opportunity to tell everyone how Contrast has fundamentally changed application security for the first time since he started working in security 10+ years ago. Mahesh has seen the industry evolve as a researcher, consultant, and practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large security & privacy programs a Senior Manager & architect for HSBC Information Security & Risk. He also spent time as a consultant at Deloitte and Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.
-<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Struts 2 & You]'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Struts, OSS & You]'''
 What we are learning from the Equifax breach and recent Struts 2 vulnerabilities and what you can do to step up your assessment & remediation efforts. As you may already know, the root cause of the Equifax breach was a web application security issue tied to a widely used software framework called Apache Struts 2. Teams everywhere continue to see these issues and exploit attempts from all over the world. In this session you will:

@@ Line 11: / Line 11: @@
 Robert E. Lee (Twitter: @robert e lee) is a seasoned leader and solutions-driven professional with over 25 years of experience in information technology and security. He is passionate about using security to enable business, manage risk, and protect assets and privacy.Robert is affiliated with the non-profit ISECOM organization and has contributed to open source projects such as OSSTMM, Unicornscan, and Sockstress. As a Sr Technical Program Manager with Twitter (since July2016), his current focus is on security controls that can help reduce ATO and other unwanted fraud in online applications.
-<u>''Topic''</u>: '''Detect and Contain: Combating Account Takeover'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Detect and Contain: Combating Account Takeover]'''
 In your environment, do you really know Who is doing What, from Where? How confident are you in your authentication controls and anomalous behavior detection? Does your behavior monitoring solution have the right data to give you relevant actionable findings? Are you overly burdening your users in the name of security,while still leaving them unprotected? This talk will shine a light on very common identity, authentication, and link-analysis practices that inhibit us from properly detecting threats, and ultimately, containing them.It will then introduce Risk Based Authorization as a model for online authentication and authorization.
@@ Line 21: / Line 21: @@
 Mahesh is responsible for growing Contrast Protect. He takes every opportunity to tell everyone how Contrast has fundamentally changed application security for the first time since he started working in security 10+ years ago. Mahesh has seen the industry evolve as a researcher, consultant, and practitioner within a large bank. He began his career as a security researcher at the CERIAS center at Purdue University. He then went on to build and scale large security & privacy programs a Senior Manager & architect for HSBC Information Security & Risk. He also spent time as a consultant at Deloitte and Booz & Company. Mahesh has a BS in Computer Science and MS in Information Security from Purdue University and an MBA from Duke University.
-<u>''Topic''</u>: '''Struts 2 & You'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Struts 2 & You]'''
 What we are learning from the Equifax breach and recent Struts 2 vulnerabilities and what you can do to step up your assessment & remediation efforts. As you may already know, the root cause of the Equifax breach was a web application security issue tied to a widely used software framework called Apache Struts 2. Teams everywhere continue to see these issues and exploit attempts from all over the world. In this session you will:
@@ Line 33: / Line 33: @@
 Scott Stender is the leader of NCC Group's Cryptography Services practice. Scott co-founded iSEC Partners and joined NCC Group when it was acquired in 2010. Prior to iSEC, Scott worked in software development and security consulting in roles at Microsoft and @stake.Scott has helped organizations around the world create secure systems, including notable projects on major operating systems, cryptographic libraries, and several of the world's most critical applications. He has led projects across the full development lifecycle and throughout the technology stack ranging from requirements to release and hypervisors to hypertext.Scott’s broad research output has advanced both the security analysis of core technologies and the process of secure software engineering. He has contributed papers and talks, on topics ranging from practical attacks against Kerberos to securing legacy technology, to a number of leading security conferences and periodicals.
-<u>''Topic''</u>: '''Securely Deploying TLS 1.3'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Securely Deploying TLS 1.3]'''
 TLS 1.2 has been putting the S in HTTPS and other protocols since August of 2008. Though TLS is arguably the most successful security protocol in deployment, it has fallen prey to many attacks in the past decade. The Internet Engineering Task Force has been working to make TLS both faster and more secure, and will soon release an updated version to the world. TLS 1.3 is coming and will have a wide range of impacts for enterprises. This talk will help you prepare by providing:
@@ Line 46: / Line 46: @@
 Mike has always loved taking things apart and (usually) putting them back together. Throughout his career in business and government Mike has experienced the breadth of opportunities technology and data intelligence have created. Mike is the Co-Founder and Chief Technology Officer at IMMUNIO, where he gets to focus on building systems to keep the internet secure. Between fighting cybercrime for the Canadian government and working for security agencies overseas, Mike has developed a deep understanding of the global security landscape and how the underground economy dictates hacks and ultimately drives breaches. This unique experience paired with his technical background helped Mike uncover what the next eneration of security software should look like in IMMUNIO. Prior to founding IMMUNIO, Mike was a lead member of the technical staff at Salesforce.com where he gained insight into the business side of web applications. He also served as a software engineer at Canonical, working on the world’s most popular free operating system, Ubuntu, following his time serving both the Canadian and UK Government.
-<u>''Topic''</u>: '''Law & Order: Observing and Protecting Web Applications'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Law & Order: Observing and Protecting Web Applications]'''
 In the early 90s, two great things happened: The birth of the World Wide Web, and the start ofthe Law & Order TV Series. Both have changed and evolved over time to reflect, and in somecases prompt changes in our society. Law & Order has always been a great show, because it looks at the broader spectrum of howthe law works. In much the same way, we as an industry are paying more attention to the broader field of how to protect the web from attack. It’s not just tools and technology - it’s how the tools and tech fit into a broader security process. This talk looks at how appsec has changed over the years, from the first web sites online, to how things are moving into the future. How new tools and techniques are enabling tighter collaboration between the Law & Order of application security, and enabling new workflows like CI/CD and DevSecOps.

@@ Line 1: / Line 1: @@
----December 2017
+'''---December 13, 2017 Microsoft Office'''
----November 2017
+<u>''Speaker''</u>:
 '''---October 25, 2017 Riot Games'''
@@ Line 15: / Line 27: @@
 * Understand the exploits at a deeper level
 * Get guidance on how to structure your remediation efforts
----September 2017
+'''---September 2017 Symantec Offices, Culver City'''
 '''---August 23, 2017 Riot Games'''

@@ Line 1: / Line 1: @@
----December 2017,
+---December 2017
----November 2017,
+---November 2017
----October 25 2017 Riot Games
+'''---October 25, 2017 Riot Games'''
 <u>''Speaker''</u>: '''Mahesh Babu'''
@@ Line 15: / Line 15: @@
 * Understand the exploits at a deeper level
 * Get guidance on how to structure your remediation efforts
----September 2017,
+---September 2017
----August 2017,
+'''---August 23, 2017 Riot Games'''
----July 2017,
+<u>''Speaker''</u>: Mike Milner
-'''---June 28 2017 Riot Games'''
+Mike has always loved taking things apart and (usually) putting them back together. Throughout his career in business and government Mike has experienced the breadth of opportunities technology and data intelligence have created. Mike is the Co-Founder and Chief Technology Officer at IMMUNIO, where he gets to focus on building systems to keep the internet secure. Between fighting cybercrime for the Canadian government and working for security agencies overseas, Mike has developed a deep understanding of the global security landscape and how the underground economy dictates hacks and ultimately drives breaches. This unique experience paired with his technical background helped Mike uncover what the next eneration of security software should look like in IMMUNIO. Prior to founding IMMUNIO, Mike was a lead member of the technical staff at Salesforce.com where he gained insight into the business side of web applications. He also served as a software engineer at Canonical, working on the world’s most popular free operating system, Ubuntu, following his time serving both the Canadian and UK Government.
 <u>''Panel:''</u> '''Edward Bonver, Stu Schwartz, Aaron Guzman, Tony Trummer -''' moderated by '''Richard Greenberg'''

@@ Line 3: / Line 3: @@
 ---November 2017,
----September 2017,
+---October 25 2017 Riot Games
-−
 ---August 2017,
@@ Line 23: / Line 35: @@
 '''Aaron Guzman''' is a Principal Security Consultant from the Los Angeles area with expertise in web app security, mobile app security, and embedded security. He has spoken at a number of conferences world wide which include Defcon, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, AusCERT as well as a number of BSides events. Aaron leads the OWASP Embedded Application Security project; providing practical guidance to address the most common firmware security bugs to the embedded and IoT community. Follow Aaron’s latest research on twitter at @scriptingxss
-'''Topic: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 What DOES it Take to Produce Secure Software]'''
+<u>''Topic''</u>''': [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 What DOES it Take to Produce Secure Software]'''
 In today's technologically diverse, rapidly evolving and incredibly complex world, software makers face many challenges when it comes to producing secure software offerings. Many software security tools and services vendors want to sell you their silver bullet solutions, that supposedly solve the software security problem. There are a number of security certifications out there which are meant to help you address the problem. There are many security consultants and subject matter experts who will tell you how to do it right; there are books and magazines, podcasts, webinars, security conferences, meetups, YouTube videos aimed at helping you, while confusing you even further! So as a software maker, how do you tackle this problem? Where do you begin? How do you advance? How do you make sense of it all? What DOES it take to produce secure software? This OWASP LA panel consists of people who spent their entire careers in the trenches exploring and being consistently challenged  by this problem space. The panelists will share their success and failure stories, as well as philosophical views based on their individual experiences from operating in diverse environments, trying to figure out that same question: What DOES it take?
@@ Line 35: / Line 47: @@
 Shane MacDougall has over 28 years experience as an information security professional, both as an attacker and a defender. His current focus in on threat intelligence, an area in which he has created, implemented, and run programs for two major Fortune 500 companies. He has lectured at security conferences internationally, and is the owner of two black badges from DEFCON. His book on social engineering is coming out this summer.
-'''Topic: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Threat Intelligence on the Cheap]'''
+<u>''Topic''</u>''': [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Threat Intelligence on the Cheap]'''
 Threat intelligence is a phrase that these days seems to be one of the buzz words de jour. Throw in IoT, big data, cloud, and Docker, and you pretty much have Infosec Yahtzee. But what is a meaningful threat intelligence program for your company? Why spend six figures for the latest TI feeds from the ultra hackers tracking down APTs, when can you roll your own for pennies on the dollar? In this presentation we’ll discuss how to define threat intelligence, how you can optimize your practice to reduce noise, what sources you can get for free (or close to free), how to automate a lot of the intelligence that you get, and perhaps most important, making that intelligence actionable. We will also discuss mistakes others, including your presenter, have made, and how to avoid these and other common pitfalls.
@@ Line 45: / Line 57: @@
 Jack is the Chief Executive Officer at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. Jack is an active mobile and wearable security researcher and focuses on creating techniques for making both web and mobile application security scale effectively.
-'''Topic: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Security In The Land of Microservices]'''
+<u>''Topic''</u>''': [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Security In The Land of Microservices]'''
 Microservices offer a lot of benefits for deploying large-scale applications, but implementing a secure architecture that scales over time can be challenging. Services are highly decoupled from each other as well as producers and consumers of data moving throughout the architecture. Data contracts between services are often blurry, and data sharing between microservices require careful consideration around access patterns and boundaries between related services. New services come, new services go. Some are deployed to containers, some to servers, and some are serverless. Your developers, data scientists, and infrastructure team are all empowered to move quickly and ship new services. Your job is to make sure all of the above happens in a secure and sane way.

@@ Line 9: / Line 9: @@
 ---July 2017,
----June 2017,
+'''---June 28 2017 Riot Games'''
-'''---May 24, 2017 Verizon Digital Media Services'''
+<u>''Panel:''</u> '''Edward Bonver, Stu Schwartz, Aaron Guzman, Tony Trummer -''' moderated by '''Richard Greenberg'''
 <u>Opening Talk</u>:  Stuart Schwartz: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Security in the News]

@@ Line 13: / Line 13: @@
 '''---May 24, 2017 Verizon Digital Media Services'''
-<u>Opening Talk</u>:  ''Stuart Schwartz'': Security in the News
+<u>Opening Talk</u>:  Stuart Schwartz: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Security in the News]
 <u>''Speaker:''</u> '''Shane MacDougall'''

@@ Line 17: / Line 17: @@
 Shane MacDougall has over 28 years experience as an information security professional, both as an attacker and a defender. His current focus in on threat intelligence, an area in which he has created, implemented, and run programs for two major Fortune 500 companies. He has lectured at security conferences internationally, and is the owner of two black badges from DEFCON. His book on social engineering is coming out this summer.
-'''Topic: [[Los Angeles Presentation Archive|Threat Intelligence on the Cheap]]'''
+'''Topic: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Threat Intelligence on the Cheap]'''
 Threat intelligence is a phrase that these days seems to be one of the buzz words de jour. Throw in IoT, big data, cloud, and Docker, and you pretty much have Infosec Yahtzee. But what is a meaningful threat intelligence program for your company? Why spend six figures for the latest TI feeds from the ultra hackers tracking down APTs, when can you roll your own for pennies on the dollar? In this presentation we’ll discuss how to define threat intelligence, how you can optimize your practice to reduce noise, what sources you can get for free (or close to free), how to automate a lot of the intelligence that you get, and perhaps most important, making that intelligence actionable. We will also discuss mistakes others, including your presenter, have made, and how to avoid these and other common pitfalls.
@@ Line 27: / Line 27: @@
 Jack is the Chief Executive Officer at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. Jack is an active mobile and wearable security researcher and focuses on creating techniques for making both web and mobile application security scale effectively.
-'''Topic: Security In The Land of Microservices'''
+'''Topic: [https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Security In The Land of Microservices]'''
 Microservices offer a lot of benefits for deploying large-scale applications, but implementing a secure architecture that scales over time can be challenging. Services are highly decoupled from each other as well as producers and consumers of data moving throughout the architecture. Data contracts between services are often blurry, and data sharing between microservices require careful consideration around access patterns and boundaries between related services. New services come, new services go. Some are deployed to containers, some to servers, and some are serverless. Your developers, data scientists, and infrastructure team are all empowered to move quickly and ship new services. Your job is to make sure all of the above happens in a secure and sane way.
@@ Line 39: / Line 39: @@
 A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. He is the co-founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Williams is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff holds a BA from Virginia, an MA from George Mason, and a JD from Georgetown.
-<u>''Topic''</u>: '''Turning Security into Code with Dynamic Binary Instrumentation'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Turning Security into Code with Dynamic Binary Instrumentation]'''
 AppSec has a serious math problem. We’re introducing vulnerabilities faster than we can find them. And we’re finding them faster than we can fix them. With software development accelerating and 11 billion new lines of code being written in 2017, this won’t end well.  Some organizations have tried using perimeter defenses rather than improving their SDLC, but they don’t know what they’re protecting. A possible improvement is to feed vulnerability information into perimeter defenses, but it’s a correlation nightmare. Fortunately, with dynamic binary instrumentation it’s possible to unify vulnerability and attack detection – providing a high-confidence method of preventing vulnerabilities from being exploited.  In this talk, we’ll get under the hood of this technique and also explore how it affects the math of your application security program.
@@ Line 49: / Line 49: @@
 Eli is an Executive Partner at Independent Security Evaluators, where he manages analyst and client activities, including assessment work and some research initiatives. Prior to joining Independent Security Evaluators, Mr. Mezei managed risk and research operations for one of the largest commodity trading advisors in the world. Mr. Mezei is one of the organizers of IoT Village, the popular new hacking concept focused on connected devices, as well as an organizer of SOHOpelessly Broken, the first ever router hacking contest at esteemed security conference DEF CON. Mr. Mezei holds an M.S. from The Johns Hopkins University.
-<u>''Topic''</u>: '''Hacking Healthcare'''
+<u>''Topic''</u>: '''[https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017 Hacking Healthcare]'''
 In this session, we present findings from a long term security research study in healthcare, in which we discovered that adversaries can deploy cyber attacks that result in harm or fatality to patients. Over the course of 24 months, we investigated 12 hospitals, 2 healthcare data facilities, 2 medical devices and host of supporting applications and technologies. Our focus was to (a) determine the feasibility of attacks against patient health, (b) determine the contextual is- sues from both technical and business perspectives, and (c) articulate the solution.We discovered that the healthcare industry is pursuing the wrong security mission, with an almost exclusive focus on protecting patient data, yet almost no consideration of protecting patient health. We identified a number of security vulnerabilities which, if exploited, would result in patient harm or fatality. We also identified a very wide range of business and industry shortcomings, which lead to the introduction of such security vulnerabilities. Notably, we also published a blueprint, which is an actionable, step-by-step guide to help a healthcare organization of any size migrate to a more robust defense posture.This session provides a high level analysis of what we did, what we discovered, and what we recommend. The source study data can be found here: https://www.securityevaluators.com/hospitalhack/