Difference between revisions of "Los Angeles/2018 Meetings"

From OWASP
---December 2018

Speaker:

Topic:

---November 2018

Speaker:

Topic:

---October 25, 2018 Verizon Digital Media Services

Speaker:

Topic:

---September 2018 Expert Dojo, Santa Monica

Opening Talk: Rafal Los: The Meek [Developers] Have Inherited the Earth

Speaker: Brian Knopf

Focusing on Application Security and IoT Security with a different perspective. While compliance and risk are important to consider, proper protection comes from Threat Modeling environments on a regular basis and layering protection based on threats identified from the model. Putting systems and tools in place for security requires understanding how an attacker would perform reconnaissance and exploit your environment. This approach allows my teams to operate with smaller budgets that deliver higher quality results while including source code audits, penetration testing, proactive outreach with security researchers, incident response, perimeter protection, and data analytics. This ensures that security products are used together to provide actionable data rather than just purchasing applications to check a protection box. It also reduces the cost of vulnerabilities since they are found earlier in the SDLC, enabling teams to focus more time on features and not fixes.

Topic: Hunting for the next IoT - Your Vulns are not a Paradigm Shift (https://www.owasp.org/index.php/Los_Angeles_Presentation_Archive#2018)

We are often told in security that a product is groundbreaking, totally different than previous products, and a complete paradigm shift. These types of statements have been used to describe IoT devices, cryptocurrencies, and other new technologies. While they are new, the threats facing them are not. How do you move beyond the hype to identify real threats facing your product or environment? How can you maximize the limited resources your InfoSec or AppSec team has to make the best use of time and resources available? Have you assessed your threat model? Let me show you how to identify risk areas that everyone can agree on when laid out.

---August 2018 Tinder, West Hollywood

Speaker: Jim Manico

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices, is a member of the JavaOne rock-star speaker and Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP Foundation, where he helps build application security standards and other documentation.

Topic: Why are we still talking about Cross Site Scripting in 2018? (https://www.owasp.org/images/c/ce/OWASP_LA_The_Last_XSS_Defense_Talk_Jim_Manico_2018_08.pdf)

Why are we still talking about Cross Site Scripting in 2018? Because it's painfully difficult to defend against XSS even to this day. This talk is a fundamental update to the 2011 AppSec USA talk "The Past, Present and Future of XSS Defense". We'll address new defensive strategies such as modern JavaScript framework defense in Angular, React and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years, illustrating the progressive use of content security that supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security.

We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense and how HTTPOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.

---July 2018

Speaker: Kevin Gosschalk

Topic: How Bots Decide What You Can Buy and How Much You'll Pay

---June 2018

Speaker: Anant Kadiyala

Topic: Blockchain as Security Mechanism for Real World IoT

---May 2018

Speaker: Pieter Danhieux

Topic: Improving Software Security in an Agile Environment

---April 2018

Speaker: Jason Patterson

Topic: Cloud Security/Containers

---March 2018

Speaker: Ira Winkler

Topic: Incorporating Security Practices into Business Processes

---February 2018

Speaker: Justin Regele

Topic: Better Git Hacking; Extracting "deleted" secrets from Git databases with Grawler

---January 28-31, 2018 Annenberg Community Beach House, Santa Monica

The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County and Santa Barbara chapters to bring you the third annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies. A full day of training on various subjects by expert trainers kicks off the conference on the 23rd. World-renowned speakers follow on days two and three. https://2018.appseccalifornia.org

Latest revision as of 04:48, 3 October 2018
