Difference between revisions of "Los Angeles/2018 Meetings"

From OWASP

Revision as of 04:30, 3 October 2018

---December 13, 2018

Speaker:

Topic:

---November 29, 2018

Speaker:

Topic:

---October 25, 2018 Riot Games

Speaker:

Topic:

---September 2018 Expert Dojo, Santa Monica

Speaker: Brian Knopf

Scott Stender is the leader of NCC Group's Cryptography Services practice. Scott co-founded iSEC Partners and joined NCC Group when it was acquired in 2010. Prior to iSEC, Scott worked in software development and security consulting in roles at Microsoft and @stake. Scott has helped organizations around the world create secure systems, including notable projects on major operating systems, cryptographic libraries, and several of the world's most critical applications. He has led projects across the full development lifecycle and throughout the technology stack, ranging from requirements to release and from hypervisors to hypertext. Scott's broad research output has advanced both the security analysis of core technologies and the process of secure software engineering. He has contributed papers and talks, on topics ranging from practical attacks against Kerberos to securing legacy technology, to a number of leading security conferences and periodicals.

Topic: Hunting for the next IoT - Your Vulns are not a Paradigm Shift (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2018)

We are often told in security that a product is groundbreaking, totally different from previous products, and a complete paradigm shift. These types of statements have been used to describe IoT devices, cryptocurrencies, and other new technologies. While the products are new, the threats facing them are not. How do you move beyond the hype to identify the real threats facing your product or environment? How can you make the best use of the limited time and resources your InfoSec or AppSec team has? Have you assessed your threat model? Let me show you how to identify risk areas that everyone can agree on once they are laid out.

---August 2018

Speaker:

Topic:

---July 19 2018

Speaker:

David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning more than 16 years. He has extensive experience conducting vulnerability assessments and penetration tests, as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching web application security in colleges, at conferences and for many government agencies over the last decade.

Topic: The New and Improved OWASP Top 10

First released in 2003, the OWASP Top 10 has since become OWASP's flagship project. With minor updates in 2004 and 2007 followed by major releases in 2010 and 2013, the Top 10 was due for a revision that better reflects current web application security risks. The 2017 release lives up to expectations by improving the classification of application vulnerabilities while focusing more on the lack of protections that is so often highlighted in vulnerability assessments and penetration tests. This presentation about the new and improved Top 10 most critical web application security risks will cover all 10 items while focusing on the improvements over the previous version.

---June 28, 2018 Riot Games

Panel: Edward Bonver, Stu Schwartz, Aaron Guzman, Tony Trummer - moderated by Richard Greenberg

Richard Greenberg is the OWASP Los Angeles Chapter Leader and the President of ISSA-Los Angeles. He has worked diligently to bring together the various Southern California IT and InfoSec organizations to enhance their collaboration efforts, to help reach new IT and InfoSec professionals. His day job is the Information Security Officer for LA County Public Health.

Edward Bonver is an OWASP Los Angeles chapter board member and lead, a co-organizer of the OWASP California regional application security conferences and summits, and a frequent speaker at global security events and conferences. His security community contributions include active participation in groups such as OWASP, SAFECode, (ISC)2, the IEEE Center for Secure Design, and more. He holds CISSP and CSSLP certifications, a master's degree in computer science from California State University, Northridge, and a bachelor's degree in computer science from Rochester Institute of Technology.

Stu Schwartz has over 20 years of experience as a programmer and over 10 years as an application security practitioner. As part of a product security team, Stu worked with application teams across the company promoting application software security. His responsibilities included teaching secure coding and security testing classes, working with various security tools and coordinating external penetration tests. Stu holds CISSP and CSSLP certifications. He is also between gigs and would be a valuable asset to your organization.

Tony Trummer currently leads the security team at Tinder in West Hollywood. As a penetration tester, Tony previously helped to start LinkedIn's AppSec program and later led their IR team. Tony has spoken at conferences around the world, including DEF CON, Black Hat, AppSec Cali, AppSec USA and Hack In The Box.

Aaron Guzman is a Principal Security Consultant from the Los Angeles area with expertise in web application security, mobile application security, and embedded security. He has spoken at a number of conferences worldwide, including DEF CON, AppSec EU, AppSec USA, HackFest, Security Fest, HackMiami, AusCERT and a number of BSides events. Aaron leads the OWASP Embedded Application Security project, which provides the embedded and IoT community with practical guidance on addressing the most common firmware security bugs. Follow Aaron's latest research on Twitter at @scriptingxss.

Topic: What DOES it Take to Produce Secure Software (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

In today's technologically diverse, rapidly evolving and incredibly complex world, software makers face many challenges when it comes to producing secure software. Many software security tool and service vendors want to sell you their silver-bullet solutions that supposedly solve the software security problem. There are a number of security certifications out there which are meant to help you address the problem. There are many security consultants and subject matter experts who will tell you how to do it right; there are books and magazines, podcasts, webinars, security conferences, meetups and YouTube videos aimed at helping you, while confusing you even further! So as a software maker, how do you tackle this problem? Where do you begin? How do you advance? How do you make sense of it all? What DOES it take to produce secure software? This OWASP LA panel consists of people who have spent their entire careers in the trenches exploring, and being consistently challenged by, this problem space. The panelists will share their success and failure stories, as well as philosophical views based on their individual experiences operating in diverse environments, trying to answer that same question: What DOES it take?

---May 24, 2018 Verizon Digital Media Services

Opening Talk: Stuart Schwartz: Security in the News (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

Speaker: Shane MacDougall

Shane MacDougall has over 28 years of experience as an information security professional, both as an attacker and as a defender. His current focus is on threat intelligence, an area in which he has created, implemented, and run programs for two major Fortune 500 companies. He has lectured at security conferences internationally, and holds two DEF CON black badges. His book on social engineering is coming out this summer.

Topic: Threat Intelligence on the Cheap (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

Threat intelligence is a phrase that these days seems to be one of the buzzwords du jour. Throw in IoT, big data, cloud, and Docker, and you pretty much have Infosec Yahtzee. But what is a meaningful threat intelligence program for your company? Why spend six figures on the latest TI feeds from the ultra hackers tracking down APTs, when you can roll your own for pennies on the dollar? In this presentation we'll discuss how to define threat intelligence, how you can optimize your practice to reduce noise, what sources you can get for free (or close to free), how to automate much of the intelligence that you get, and, perhaps most important, how to make that intelligence actionable. We will also discuss mistakes others, including your presenter, have made, and how to avoid these and other common pitfalls.

---April 26, 2018 Riot Games HQ, Los Angeles

Speaker: Jack Mannino

Jack is the Chief Executive Officer at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium in 2009 to invent new and more efficient ways of protecting software. Jack is an active mobile and wearable security researcher and focuses on creating techniques for making both web and mobile application security scale effectively.

Topic: Security In The Land of Microservices (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

Microservices offer a lot of benefits for deploying large-scale applications, but implementing a secure architecture that scales over time can be challenging. Services are highly decoupled from each other, as well as from the producers and consumers of the data moving through the architecture. Data contracts between services are often blurry, and data sharing between microservices requires careful consideration of access patterns and of the boundaries between related services. New services come, new services go. Some are deployed to containers, some to servers, and some are serverless. Your developers, data scientists, and infrastructure team are all empowered to move quickly and ship new services. Your job is to make sure all of the above happens in a secure and sane way.

In this presentation, we will discuss the challenges with securing microservices and present solutions to make security a seamless and frictionless part of scaling your architecture. Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. We will demonstrate how to build authentication into a microservice architecture and how to implement a granular authorization scheme that will work effectively as you introduce new services. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.

---March 22, 2018 Symantec Offices, Culver City

Speaker: Jeff Williams

A pioneer in application security, Jeff Williams has more than 20 years of experience in software development and security. He is the co-founder and CTO of Contrast Security, a revolutionary application security product that enhances software with the power to defend itself, check itself for vulnerabilities, and join a security command and control infrastructure. Williams is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff holds a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Topic: Turning Security into Code with Dynamic Binary Instrumentation (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

AppSec has a serious math problem. We’re introducing vulnerabilities faster than we can find them. And we’re finding them faster than we can fix them. With software development accelerating and 11 billion new lines of code being written in 2018, this won’t end well. Some organizations have tried using perimeter defenses rather than improving their SDLC, but they don’t know what they’re protecting. A possible improvement is to feed vulnerability information into perimeter defenses, but it’s a correlation nightmare. Fortunately, with dynamic binary instrumentation it’s possible to unify vulnerability and attack detection – providing a high-confidence method of preventing vulnerabilities from being exploited. In this talk, we’ll get under the hood of this technique and also explore how it affects the math of your application security program.

---February 22, 2018 Symantec Offices, Culver City

Speaker: Eli Mezei

Eli is an Executive Partner at Independent Security Evaluators, where he manages analyst and client activities, including assessment work and some research initiatives. Prior to joining Independent Security Evaluators, Mr. Mezei managed risk and research operations for one of the largest commodity trading advisors in the world. Mr. Mezei is one of the organizers of IoT Village, the popular new hacking concept focused on connected devices, as well as an organizer of SOHOpelessly Broken, the first ever router hacking contest at esteemed security conference DEF CON. Mr. Mezei holds an M.S. from The Johns Hopkins University.

Topic: Hacking Healthcare (Los Angeles Presentation Archive: https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2017)

In this session, we present findings from a long-term security research study in healthcare, in which we discovered that adversaries can deploy cyber attacks that result in harm or fatality to patients. Over the course of 24 months, we investigated 12 hospitals, 2 healthcare data facilities, 2 medical devices and a host of supporting applications and technologies. Our focus was to (a) determine the feasibility of attacks against patient health, (b) determine the contextual issues from both technical and business perspectives, and (c) articulate the solution. We discovered that the healthcare industry is pursuing the wrong security mission, with an almost exclusive focus on protecting patient data, yet almost no consideration of protecting patient health. We identified a number of security vulnerabilities which, if exploited, would result in patient harm or fatality. We also identified a very wide range of business and industry shortcomings which lead to the introduction of such security vulnerabilities. Notably, we also published a blueprint, an actionable, step-by-step guide to help a healthcare organization of any size migrate to a more robust defense posture. This session provides a high-level analysis of what we did, what we discovered, and what we recommend. The source study data can be found here: https://www.securityevaluators.com/hospitalhack/

---January 23-25, 2018 Annenberg Community Beach House, Santa Monica

The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County and Santa Barbara chapters to bring you AppSec California 2018. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies. A full day of training on various subjects by expert trainers kicks off the conference on the 23rd. World-renowned speakers follow on days two and three. https://2018.appseccalifornia.org/