LASCON 2014 has ended

Thursday, October 23
 

9:00am

Historical Lessons for Improving Cyber Security
When Whit Diffie, Ralph Merkle and I first started working in cryptography, people thought we were crazy. The fact that our invention of public key cryptography now protects literally trillions of dollars in financial transactions every day indicates that we should pay more attention to seemingly foolish ideas. Another historical lesson involves the role of outsiders in making key advances in cryptography. Finally, lessons I learned from my efforts to reduce the risk of a disaster involving nuclear weapons will be applied to that same goal in cryptography.

Speakers
Martin Hellman

Professor Emeritus of Electrical Engineering, Stanford University
Stanford Professor Martin E. Hellman is best known for his invention of public key cryptography, the technology that enables secure Internet transactions and is used to transfer literally trillions of dollars every day. His work has been recognized by a number of honors and awards...


Thursday October 23, 2014 9:00am - 9:45am
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

10:00am

Top 10 Web Hacking Techniques of 2013
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. 

In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.

This year’s winners are: 
1 - Mario Heiderich – Mutation XSS 
2 - Angelo Prado, Neal Harris, Yoel Gluck – BREACH 
3 - Pixel Perfect Timing Attacks with HTML5 
4 - Lucky 13 Attack 
5 - Weaknesses in RC4 
6 - Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval 
7 - Million Browser Botnet 
8 - Large Scale Detection of DOM based XSS 
9 - Tor Hidden-Service Passive De-Cloaking 
10 - HTML5 Hard Disk Filler™ API

Speakers
Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies’ and their customers’ data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web...

Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute...


Thursday October 23, 2014 10:00am - 10:45am
Cypress Room Norris Conference Center, http://lascon.org/venue/

10:00am

Building a Security Engineering Organization for the Modern World
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:

  • Practical advice for building and scaling modern AppSec and NetSec programs
  • Lessons learned for organizations seeking to launch a bug bounty program
  • How to run realistic attack simulations and learn the signals of compromise in your environment

Speakers
Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane...


Thursday October 23, 2014 10:00am - 10:45am
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

10:00am

Seven Grades of Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is becoming popular and its adoption rate is growing. The importance of implementing it became even more obvious after recent attacks on SSL such as Heartbleed.

In the Heartbleed case, the impact could have been reduced if PFS had been implemented by the affected parties, since compromising a private SSL key would not necessarily lead to the ability to decrypt SSL traffic.

To understand the adoption rate of PFS by different sectors of the economy, the first question we need to answer is: "What does PFS adoption mean?" It turned out that it's not a "Yes" or "No" question and should be formulated in terms of maturity rather than in simple "implemented"/"not implemented" terms.

Come to this presentation to learn more about the suggested grades, the levels of PFS adoption in different sectors of the economy and how to test the level of PFS maturity in your own organization.

Speakers
Oleg Gryb

Chief Security Architect, Visa Inc
Oleg Gryb is Chief Security Architect at Visa Inc. working in security architecture and security engineering domains. He was previously Sr. Manager and de-facto CISO of Samsung’s IoT platform called Artik Cloud. Before that he worked as Security Architect at Intuit, where he was...


Thursday October 23, 2014 10:00am - 10:45am
Magnolia Room Norris Conference Center, http://lascon.org/venue/

10:00am

Understanding and Implementing Rugged
Let's address the plague of complacency that is infecting organizations and individuals in our industry. We cannot evolve without understanding and implementing the new paradigm that is Rugged. Rugged is a call for all software professionals to commit to quality and excellence in everything we do, to commit to an intensely collaborative and transparent approach to teamwork for the benefit of our customers, our end users, and our stakeholders. Anything less than excellent is just failure in disguise.

I will step through the ever-growing list of Rugged attributes one-by-one and give specific pragmatic examples of how to embrace the Rugged approach in our every day lives, both personal or professional. This presentation will call people out for being lazy and unprofessional. Too many of us are complacent and creating work that is half-baked and, in doing so, creating more work for ourselves and others. It's time to step up or step aside!

Speakers
Lance Vaughn

CTO, Total Control Financial, Inc.
Lance Vaughn is the Founder/CEO of CabForward, a web and mobile development company, and President of the LoneStarRuby Foundation, a nonprofit with a mission of building a stronger software development community. He graduated from Purdue University in 1993 with a major in Information...


Thursday October 23, 2014 10:00am - 10:45am
Pecan Room Norris Conference Center, http://lascon.org/venue/

11:00am

OWASP Top 10 Proactive Controls
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind.
The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.

    •    1: Parameterize Queries
    •    2: Encode Data
    •    3: Validate All Inputs
    •    4: Implement Appropriate Access Controls
    •    5: Establish Identity and Authentication Controls
    •    6: Protect Data and Privacy
    •    7: Implement Logging, Error Handling and Intrusion Detection
    •    8: Leverage Security Features of Frameworks and Security Libraries
    •    9: Include Security-Specific Requirements
    •    10: Design and Architect Security In

Thursday October 23, 2014 11:00am - 11:45am
Cypress Room Norris Conference Center, http://lascon.org/venue/

11:00am

DNS-Based Authentication of Named Entities (DANE): Can we fix our broken CA model?
In this talk we take an exploratory look at DNS-Based Authentication of Named Entities (DANE), and consider how it could change the landscape of web security. The method of trusting a Certificate Authority to provide encryption and authentication for web sites has been seen to be weak at best, and due to multiple security incidents many consider this model to be completely broken. Mounting evidence supporting the risks of placing trust solely in the hands of a CA leaves many people with the question “Is there an alternative?”

Built on top of DNSSEC, DANE allows us to not rely solely on the CA for trust and instead places the trust of the TLS session on the DNS server: Are we just swapping one evil for another? In this session we will provide an introductory examination of the DANE and DNSSEC protocols, highlighting how the use of DANE could modify the current ways in which we use Certificate Authorities, as well as considering possible new attack vectors adoption may introduce. 

This talk is a must-see for anyone interested in the future of Internet Security and emerging technologies that may change the way we gain security assurance for our lives online. 

Thursday October 23, 2014 11:00am - 11:45am
Magnolia Room Norris Conference Center, http://lascon.org/venue/

11:00am

Be Mean to Your Code - Rugged Development & You
Writing code that works is hard. Writing rugged code that can stand the test of time is even harder. This difficulty is often compounded by crunched timelines and fast cycles that prioritize new features. Add in evolving business needs and new technology and it becomes confusing to know what to do and how to integrate security into your application. 

This talk brings some advice/tools of the top developers and application security practitioners to help you ruggedize your end-to-end development lifecycle from code commit to running system. You will learn pragmatic approaches and tooling that will affect your development processes, delivery pipelines and even the operational runtime. You will walk away with solutions you can put into practice right away and you will also be armed with rugged anti-patterns to help you identify what to change.

Speakers
Matt Johansen

Senior Manager, WhiteHat Security

James Wickett

Sr. Engineer, Signal Sciences Corp
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and...


Thursday October 23, 2014 11:00am - 11:45am
Pecan Room Norris Conference Center, http://lascon.org/venue/

11:30am

Lunch

Thursday October 23, 2014 11:30am - 1:30pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

12:00pm

Security from Inception
In this talk, we will explore case studies that illustrate process strategies that have worked well in bringing security to application projects.

From a developer’s perspective, security is much more than tools and technical knowledge – it comes down to trade-offs, stakeholder priorities, process support and communication. When you address these concerns, you have a chance of building a relatively secure application while maintaining positive relationships between Builders and Breakers.


Speakers
Matt Konda

Founder, Jemurai
Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP...


Thursday October 23, 2014 12:00pm - 12:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

12:00pm

The State of Crypto in Python
Python has a complex past with cryptography. There are half a dozen major frameworks built on at least three separate C implementations, each with their own strengths and weaknesses and in various states of maintenance. In our development of an open source key management system for OpenStack (Barbican), our team has spent time investigating the major options. This presentation will review the current state of the art and discuss the future of crypto in Python, including a new library being developed by a group of Python devs aimed at unifying and expanding the support for modern crypto in the Python ecosystem. Additional advice will be provided for developers and security professionals around which libraries provide the best support for an application's particular crypto needs.

Speakers
Jarret Raim

Rackspace
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace's internal software teams as well as defined strategy for building secure systems on Rackspace's OpenStack Cloud implementation. Through...


Thursday October 23, 2014 12:00pm - 12:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

12:00pm

Threat Modeling for Linux Containers (LXC), Docker and the Cloud
Traditional threat modeling has utilized data flow diagrams to model the software or system in question. How well does that methodology work for complex and interconnected systems? During 3 years of threat modeling work at Rackspace, the authors have found the limitations of data flow diagrams and other threat modeling methodologies when conducting threat models of OpenStack, Linux Containers, Docker and other recent cloud technologies. In this presentation, the authors review the lessons learned and demonstrate how to interconnect the multiple systems which make up a typical OpenStack deployment into something useful for developers, operations, the security team and more.

Thursday October 23, 2014 12:00pm - 12:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

1:00pm

Intro to GPG and the Web of Trust
GPG is an open source suite of cryptographic software that allows you to encrypt and sign your data and communications. This is an introductory talk for users with little or no experience with GPG. We'll talk about how GPG works at a high level, what you need to know to create your own GPG Key, and how GPG can be used to encrypt your data, as well as securing your email. 

We'll also talk about the Web of Trust, and how this decentralized trust model is used in GPG to help establish the authenticity of a GPG Key and its owner. We'll talk about key concepts of the Web of Trust, and how you can get started in the Web of Trust by attending Key signing parties. 

Speakers
Douglas Mendizábal

PTL Barbican, Rackspace
Douglas is a Racker, and the current PTL for the Key Management (Barbican) project. Before being involved in OpenStack, Douglas was a software development consultant specializing in secure development of mobile and web applications. Douglas also helps organize the Alamo City Python...


Thursday October 23, 2014 1:00pm - 1:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

1:00pm

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, sys admins and the security community are having to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. After adding in DevOps and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.

A new concept of Test Driven Security, loosely based on the tenets of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is currently putting these practices in place at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. It's time to embrace the change and say "Challenge Accepted".

Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Thursday October 23, 2014 1:00pm - 1:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

2:00pm

Keynote: Chris Nickerson
Speakers
Chris Nickerson

CEO, LARES
Chris Nickerson, CEO of LARES, is just another “Security guy” with a whole bunch of certs whose main area of expertise is focused on Real world Attack Modeling, Red Team Testing and InfoSec Testing. At Lares, Chris leads a team of security professionals who conduct Risk Assessments...


Thursday October 23, 2014 2:00pm - 2:45pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

3:00pm

OpenStack API Security Testing Automation in Action
Traditional API security testing is a manual process by security engineers using various tools such as Burp Suite, Zap Proxy, SQLMap, etc. The testing process is challenging, time-consuming, inconsistent and difficult to duplicate or audit. It is difficult to integrate the security testing with Agile development or Continuous Integration / Continuous Delivery (CI/CD). Lack of security resources makes the matter worse. In this talk, we will show how Rackspace tackles this problem. 

In this talk, we will show the open source testing framework created by Rackspace, the security plugin, and the progress of creating security test cases for all OpenStack APIs. We will discuss the challenges and lessons that we have learned thus far. Some bad practices or security defects that we identified will be discussed. In the end, we will demonstrate how to leverage our process and framework to improve OpenStack API security testing.

At Rackspace, security engineers have been working with quality engineers to build an automation process for security testing of OpenStack APIs. Based on the open source testing framework created by the Rackspace quality engineering team, the teams created a security testing plugin which can automatically detect common security vulnerabilities, such as SQL injection, command injection, improper authentication/authorization, inadequate user input validation, transport security issues, etc. The security testing plugin has been built to meet the needs of both security and quality engineers. Security engineers can use the “fuzzing” and “data generator” features to identify potential security defects and create test cases for new security defects. Quality engineers can also create security test cases and integrate security testing with functional testing. By integrating security testing into our SDLC, it is possible to detect security defects and fix them earlier in the development process. The engineering teams have been working on building security test cases for all OpenStack projects. Once the code is finished and ready, we will make both the security plugin and all test cases open source and share them with the community.

Speakers
Nathan Buckner

Software Developer in Test III, Rackspace
Nathan Buckner is currently a Senior Software Developer at Rackspace. He has had a passion for computers and technology since before he learned about them in the army while serving as a Signal Support System Specialist. Following his Army Career, he moved on to pursue his passion...

Jim Freeman

Director, Quality and Security Engineering, Rackspace Hosting
Jim is a Director of Quality and Security Engineering at Rackspace. Jim has successfully built a team of specialized security engineers that is part of the development, quality, and delivery process at Rackspace. Jim felt that the best way to interconnect and ensure security testing...

Michael Xin

Manager, Security Engineering, Rackspace
Michael Xin is working as a manager of security engineering in Rackspace. Before that, he worked as a senior application security engineer in Scottrade Inc. Michael is interested in web application / web service / API security, mobile application security and cloud security. Michael...


Thursday October 23, 2014 3:00pm - 3:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

3:00pm

DevOops, I did it again
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure. 

Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is brand new research to bring awareness to those responsible for securing a DevOps environment.

Speakers
Chris Gates

Sr. Security Engineer
Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon...

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...


Thursday October 23, 2014 3:00pm - 3:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

3:00pm

In AppSec, Fast Is Everything
Software development has been transformed by practices like Continuous Integration and Continuous Delivery, while application security has remained trapped in expert-based waterfall mode by slow tools and slow processes. In this talk, Jeff will show you how you can evolve into a fast “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real-time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

Speakers
Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY).

I'm coming to LASCON to meet *you*. I'm easy to find :-) and...


Thursday October 23, 2014 3:00pm - 3:45pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

4:00pm

Risk management for teams that get things done
Risk assessment and management gets harder the more your organization grows and the more complex your environment becomes. We'll discuss how iovation's Risk Assessment process works with practical examples and stories. Through peer review, clear lines of communication and automation we've sidestepped monolithic processes like a Change Control Board and kept a high standard of uptime for our Fraud Mitigation platform that processes millions of transactions per day.

Thursday October 23, 2014 4:00pm - 4:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

4:00pm

Speed Debates
Moderators
Matt Tesauro

Senior AppSec Engineer, Duo Security

Speakers
Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has...

Matt Johansen

Senior Manager, WhiteHat Security

Matt Konda

Founder, Jemurai

Mano 'dash4rk' Paul

Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ... Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...

Jeff Williams

Co-founder and CTO, Contrast Security


Thursday October 23, 2014 4:00pm - 4:45pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

4:00pm

Is this your pipe? Hijacking the build pipeline
As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets and how to turn their Jenkins into your own butler. Come hijack credentials out of repositories, steal hidden and encrypted secrets using builds, and hijack infrastructure via their continuous deployment. 


Speakers

Greg Anderson

Founder, Infinitiv


Thursday October 23, 2014 4:00pm - 4:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

5:00pm

Bull Riding
Thursday October 23, 2014 5:00pm - 7:00pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

5:00pm

Happy Hour
Thursday October 23, 2014 5:00pm - 7:00pm
Pecan Room Norris Conference Center, http://lascon.org/venue/
 
Friday, October 24
 

9:00am

Privacy: Re-framing what we think we know
Sometimes our greatest lessons come when the frame of what we believed to be true is spun around and flipped upside down. The conversations among security professionals, policy makers and others about what privacy means have seen some dramatic shifts in the past year, raising far more questions than answers. To complicate things, when asking general users what privacy means, the response is often a recounting of scary stories of data breaches, surveillance, and faceless hacker communities like Tor. As this unique journey into information security and time as a member of the Tor Project team will illustrate, privacy is not a point fixed in time but a constantly evolving parade of questions that we, as security professionals, need to stay in tune with, all while re-framing our own definitions.

Speakers
Kelley Misata

Director of Communications and Outreach, The Tor Project
Kelley Misata, Privacy Advocate and Former Director of Communications for The Tor Project, Inc. As an advocate and thought-leader on issues of privacy, anonymity, and freedom of speech, Kelley passionately facilitates critical conversations and strategic initiatives around...


Friday October 24, 2014 9:00am - 9:45am
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

10:00am

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?
Before dismissing the (in)security posture of JavaScript as merely a client-side problem, consider the impact of JavaScript vulnerability exploitation on the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.
In this talk we explore the vulnerabilities behind JavaScript, including:
- A new class of vulnerabilities unique to JavaScript
- Vulnerabilities in third-party platforms that are exploited through JavaScript code
- HTML5, which is considered the next-generation JavaScript and in turn introduces a new set of vulnerabilities

Speakers

Friday October 24, 2014 10:00am - 10:45am
Magnolia Room Norris Conference Center, http://lascon.org/venue/

10:00am

Burning Down the Haystack to Find the Needle: Security Analytics in Action
Your network is already compromised, but do you know how and by whom? Can you find them, remove them, and prevent them from getting back in again? In this presentation, we will examine actual attacks and indicators of compromise and show how, using some basic network flow pattern analysis, we can detect and prevent contemporary malware, advanced persistent threats (APTs), zero-day exploits and more. In addition, we will discuss how to feed this data into a security analytics program to create a new, broader perspective on the threats that your organization faces.

Over the past four years at National Instruments, we have been collecting tools that work cohesively as part of a larger security analytics platform. The goal of this presentation is to give attendees the basic information they need to build a security analytics program of their own. We will begin by talking about the lack of visibility within the enterprise environment. From there, we will talk about the traits that characterize a tool as being good for security analytics. Next, we will talk about the types of data that exist in the different tool sets and what types of questions they are good at answering. Then we will talk about what it means to create patterns and analyze your data to find those specific patterns, and look at some specific analytics that are useful to run on a regular basis to find malware, misconfigured systems, APTs, and more. Lastly, we will talk about actionable (and even automated) next steps once we discover the patterns we are looking for.

This talk invites audience members to share what they are doing to perform security analytics, and is appropriate for both novice and experienced security professionals.

Speakers

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information...


Friday October 24, 2014 10:00am - 10:45am
Pecan Room Norris Conference Center, http://lascon.org/venue/

10:00am

Security Shark Tank
As a member of the information security community, I know many smart people who have amazing solutions to real world problems. We often lack the resources to make a dent in an ecosystem dominated by well-funded incumbents. I believe that, given the right opportunities and funding, we can challenge the status quo and build great products and businesses.

In this talk I will share my experience of pitching my security dreams to technology incubators, angel investors, and venture capitalists. 

Speakers

Marcus Carey

Founder, vThreat, Inc.
Follow Marcus J. Carey at @iFail.


Friday October 24, 2014 10:00am - 10:45am
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

10:00am

Securing The Android Apps On Your Wrist and Face
Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks and shifts the responsibility for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experience are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure that developers need to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear and Glass work under the hood. We will examine their methods of communication, data replication, and persistence options. We will examine how they fit into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn’t to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.

Speakers

Jack Mannino

nVisium
Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source...


Friday October 24, 2014 10:00am - 10:45am
Cypress Room Norris Conference Center, http://lascon.org/venue/

11:00am

How to use adaptive hashes without making yourself vulnerable to DoS attacks
In recent years, several organizations have had to deal with their users’ hashed passwords being stolen. Although adding salts to hashes can prevent some attacks (e.g. rainbow tables), this approach does not slow down brute force attacks. With increases in attackers’ computational capabilities, brute force attacks have become a real possibility. As a result, security experts now recommend using adaptive hashing functions. However, adaptive hashing functions are computationally more expensive than traditional hashes, and this added expense can be abused by attackers to cause a Denial of Service. The most common approach to avoiding a Denial of Service involves shifting most of the work to the client side, which is less secure.

This talk will present a different solution that can prevent Denial of Service attacks resulting from attackers exploiting computationally intensive adaptive hash verification routines. The solution uses a proof of work scheme and separates Denial of Service protection from password protection in a way that minimizes the delays users observe during authentication. Separating the two protections allows the client-side computational requirements to be scaled dynamically based on whether the server is being attacked.

Using threat modeling, this talk outlines the relevant attack vectors. Next, the talk walks the audience through alternatives in secure design, comparing each from security and performance perspectives. The talk answers the questions:
* Is it okay to simply move adaptive hashing to the client side?
* Is it okay if we leak salts to clients so that they can compute hashes?
* Can we keep adaptive hash computation on the server side, but still protect the server from Denial of Service attacks?
Audience members will leave with specific guidance to share with developers.

Speakers

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing...


Friday October 24, 2014 11:00am - 11:45am
Magnolia Room Norris Conference Center, http://lascon.org/venue/

11:00am

Breach Assessments: Are you 0wned? You can find out!
If your organization or company was under attack at this very moment, would you know? If you are fortunate, your answer may be a very confident “YES!” Okay, are you confident you've caught every breach you've ever had in your company? Are there attackers still on your network right now? Is there malware sending data outside of your network? Do you know how to track down breaches, analyze them and eradicate them? The answers to those questions tend to get a little weaker... It’s not an easy situation to have a complete handle on. In this talk we’d like to share our approaches for locating anomalous behavior on your network, zeroing in on that activity with certainty, capturing host images for analysis, and a number of other techniques for ultimately determining malware and human hacker activity as it is happening right now. This session provides the experience of lifelong Red Team members as they turn their expertise towards Blue Team activities – if you want to know how to spot a hack in progress, come listen to specialists who know how to perform them, what they look like and how attackers try to hide them.

Speakers

Kevin Dunn

Senior Vice President for Consultancy, NCC Group
Kevin Dunn is Senior Vice President for Consultancy for NCC Group. Kevin has been a professional security consultant for over 15 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. His current responsibilities include...


Friday October 24, 2014 11:00am - 11:45am
Pecan Room Norris Conference Center, http://lascon.org/venue/

11:00am

iOS App Integrity – Got Any?
iOS apps are vulnerable to static attack through binary code patching. Jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched, the app can be further exploited, its app data stolen, and even cloned. The iMAS research team, the team that brought Encrypted CoreData (ECD) to GitHub as open source, has your back! In this talk we will introduce open source Encrypted Code Modules (ECM) as a technique to protect sensitive enterprise iOS applications via static encryption and just-in-time decryption of bundled libraries. We will walk through this step-by-step process to make your iOS apps more secure and … authentic.

Speakers

Gregg Ganley

Principal Investigator iOS Security Research, MITRE Corp
23+ years of software development and management experience. Education: MSCS, BSEE. Active research and development in iOS security, Android development, Ruby on Rails web apps, and project leadership. For the past five years his passion has been in the mobile field and in particular mobile...


Friday October 24, 2014 11:00am - 11:45am
Cypress Room Norris Conference Center, http://lascon.org/venue/

11:30am

Lunch

Friday October 24, 2014 11:30am - 1:30pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

12:00pm

Multi-Factor Authentication: Weeding Out the Snake Oil
As the demand increases for augmenting/replacing password-based authentication with stronger mechanisms, so does the number and variety of two- and multi-factor authentication solutions promoted by vendors. This talk will provide an overview of what the market has to offer, and define a set of evaluation criteria to help an organization select candidates for integration into their infrastructures. We will take a closer look at a sample of commercially available solutions, apply our criteria, and also try to gain some insight into their credibility and the soundness of their underlying mechanisms. 

Speakers

David Ochel

Senior Information Security Manager, Rêv Worldwide
David Ochel is an information security technologist and risk management strategist. His private blog can be found here.


Friday October 24, 2014 12:00pm - 12:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

12:00pm

Practical AppSec: Quick Wins for More Secure Software
Securing your enterprise applications can be a daunting task. You may not be confident about your current application security posture, so where do you start? There are a variety of approaches to address the problem, including manual pen testing/assessment, source code review, automated scanning (static & dynamic), web app firewalls, threat modeling, and developer training. Remediation effort can't be overlooked as it often involves working with development groups who'd rather not have their baby called ugly. With limited time and resources (and probably no budget), you simply can't do it all. Don't be perfect. Raise the bar for attackers. In this nuts & bolts session, Dave will describe specific steps you can take to ratchet up the security of your applications with minimal effort. A popular software security maturity model will also be introduced as a way to measure progress and demonstrate improvement. 

Speakers

Dave Ferguson

Solution Architect, Qualys
I'm a Solution Architect - aka AppSec SME - at Qualys. Previously, I led the global application security program at Sabre Corporation and worked as a Principal Consultant at FishNet Security (now Optiv). Before my security epiphany in 2004, I wrote lots of (probably insecure) Java...


Friday October 24, 2014 12:00pm - 12:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

12:00pm

Derived Credentials – A better user experience for secure applications in the mobile world.
The increased use of smartphones in the enterprise and government space has created new opportunities for online identity management. At the same time, this convergence poses challenges for traditional identification models based on Public Key Infrastructure (PKI). For example, a Personal Identity Verification (PIV) badge enabling physical and logical access to buildings and IT resources is not convenient in a mobile environment. Who wants to carry around a government badge, a card reader, or attach a phone cradle to their latest mobile device?

To address this need, and bridge the gap between security and user expectations in the mobile world, National Institute of Standards and Technology (NIST) standards have evolved to propose a new model. The proposal details that some mobile credentials will be derived from the employee badge (PIV) and stored in the secure element inside the mobile device. Users are thus free to use both the derived credentials and the original credentials as proof of their identity. This leads to a very convenient mobile experience without compromising the security associated with classical PKI. For this reason mobile derived credentials are gaining popularity with government and enterprises alike.

In this talk, we will introduce PIV derived credentials, talk about their deployment architecture and discuss various application use cases that address the security and usability needs of a world that is becoming increasingly mobile. In particular, we will cover the following topics:

1. Introduction to PIV and the associated NIST standards.
2. Overview of derived credentials and how they relate to the original credential.
3. Examples of applications that benefit from derived credentials on mobile devices, e.g. VPN, email signing, email encryption, etc.
4. Best practices and protocols for loading these derived credentials onto a mobile device.
5. End user experience with respect to the use of derived credentials.
6. Technical as well as business-related challenges that influence adoption of derived credentials.

Speakers

Asad Ali

Gemalto

Benoit Famechon

Program Manager & Architect, Gemalto
Benoit Famechon is a senior program manager and architect at the Identity and Security Labs of Gemalto (Austin). He is currently heading a team to develop Mobile Identity based products using GSMA specifications. He has worked in embedded development for Telecommunication...


Friday October 24, 2014 12:00pm - 12:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

1:00pm

Fixing XSS with Content Security Policy
Cross-site scripting (XSS) has dominated the OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology lie in how CSP policies are combined and what limitations they place on web development.

The first version of CSP, which is supported by most modern browsers, requires complete separation of JavaScript (static code) from HTML (which contains dynamic data). This is not feasible for large existing web applications, as it can require completely rewriting the user interface. CSP 2.0 introduces new keywords that can be used to apply policies to existing code bases without requiring a rewrite from scratch. The talk will help the audience understand:
  • What the differences between CSP 1.0 and CSP 2.0 are, and what they mean for web application developers.
  • How CSP protects web applications from cross-site scripting.
  • Whether input validation and output encoding are still necessary if CSP is used properly.
  • How you can get started with using CSP on your website.

Speakers

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications...


Friday October 24, 2014 1:00pm - 1:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

1:00pm

Welcome to the blue team! (How building a better hacker accidentally built a better defender)
Today’s cybersecurity battle is not a fair fight: the cyberthieves—growing in numbers and sophistication on a daily basis—are overwhelming today’s enterprises and their dated practices of in-house and scheduled penetration testing. As a result, enterprises are turning to crowdsourced security programs known as bug bounties to accelerate their software testing and the triaging and repair of the resulting vulnerabilities.

Bug bounties are “the wisdom of the crowd” applied to software testing. They are also a great training ground for making product development teams more “security-aware.” Tapping the crowd for security testing builds better hackers and a better application testing discipline for enterprises, leading to safer products that make it to market faster than with traditional testing methods.

By putting the numbers, expertise, motivation and speed of the crowd to work in your favor, a bug bounty program will give your enterprise the tools and process to rapidly test your product and discover and fix flaws in record time.

In this talk, CEO and Co-founder of Bugcrowd, Casey Ellis, will explain how bug bounties work and will share case studies that show how these programs have changed the enterprise security model. He will outline how enterprises can tap into the talents of over 10,000 active researchers to help defend against the volume and complexity of today’s cyber threats.


Speakers

Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...


Friday October 24, 2014 1:00pm - 1:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

1:00pm

Runtime Manipulation of Android and iOS Applications
With over 1.6 million applications in the Apple App Store and Google Play Store, and around 7 billion mobile subscribers in the world, mobile application security has been shoved to the forefront of many organizations. Mobile application security encompasses many facets of security: device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a pen tester of mobile applications is understanding how each of the security controls works and how they interact. One powerful way to test the security and controls of our applications is to use runtime analysis and manipulation. Many tools exist to manipulate how an application works, on both iOS and Android.

This talk will help students improve their mobile security toolbox. The skills course will discuss tools such as cycript, snoop-it, jdb, etc. for runtime manipulation and memory analysis. After the presentation, students will be able to apply the techniques learned and get better results from their mobile application security testing.

Speakers

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Friday October 24, 2014 1:00pm - 1:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

2:00pm

Fireside chat with RSnake
Speakers

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has...


Friday October 24, 2014 2:00pm - 2:45pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

2:00pm

Ruby Meta-programming: Here's how to do it wrong
Ruby is a powerful programming language; it includes ways to write dynamic code at run time, which is called meta-programming. Meta-programming: everyone's favorite Rubyism to hate. It can lead to less code, more abstraction, and tears of pain and sorrow. During the review of lots of Rails and Ruby applications we’ve seen how meta-programming has led to some really interesting but terrible security flaws.

In this talk, we’ll do a deep dive into examples of how meta-programming can bite you in a big way.

Speakers

Michael McCabe

Security Architect, Stratum Security
Michael McCabe is a security consultant and developer. He works on making XFIL more secure and enjoys automating away the boring stuff, and RCE.

Ken Toler

Senior Application Security Consultant, nVisium
Ken Toler is a Senior Application Security Consultant at nVisium specializing in web application penetration testing and static analysis in Ruby, Java, and .NET. He also comes with a network security background and has worked closely with growing startups in the DC area.


Friday October 24, 2014 2:00pm - 2:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

2:00pm

Implementing a large-scale identity theft prevention solution using the cloud
User identity theft, session hijacking and Man-in-the-Middle (MitM) attacks are some of the most serious threats faced by enterprises and are extremely challenging for security and development teams to overcome. Prevoty has architected and developed a distributed platform on top of AWS cloud infrastructure that can generate, validate and manage the state of cryptographic tokens at large scale.

In this talk, we will provide an overview of the polyglot architecture of our stack, including custom caching and queuing technologies, as well as an in-depth look at how the platform makes use of SQS, DynamoDB, RDS and EC2. We will also cover the strategies employed to improve resiliency and business continuity, such as AZ and region failover.

Speakers

Kunal Anand

CTO, Prevoty
I care about three things: 1) Security, 2) Distributed Systems and 3) Data Visualizations. I also care about burritos, but hey, that's for after LASCON. Currently the CTO and co-founder for Prevoty - we're doing fun stuff in the realm of app sec. Previously the Director...


Friday October 24, 2014 2:00pm - 2:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

2:00pm

Leaky iCloud - Finding CVE-2014-4449 in iOS
iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 

How does this happen and how can you prevent it in your application?

Speakers

Friday October 24, 2014 2:00pm - 2:45pm
Cypress Room Norris Conference Center, http://lascon.org/venue/

3:00pm

Methodology for Creation and Practical Applications of Polyglots
Polyglots are data that can be parsed as multiple formats without any changes. These polyglots often take the form of files. One example is a JPEG image that can also be opened as a RAR file. This particular flavor of polyglot is easy to create and can be done in less than a minute on any major operating system. Others are more complicated to create and require a lot of interesting trickery. Come learn how polyglots are generally constructed; how to look at data formats and create your own techniques for constructing polyglots; how polyglots have been used in the past; and potential future uses for polyglots in computer security.

Speakers

Friday October 24, 2014 3:00pm - 3:45pm
Pecan Room Norris Conference Center, http://lascon.org/venue/

3:00pm

PANEL: 11,000 Voices: Experts Shed Light on 4-Year Open Source & AppSec Survey
This session will be educational, interactive, and controversial. And, oh yes, fun. 

We all know that OWASP recently updated its Top 10 list to include “(A9) Avoiding the use of open source components with known vulnerabilities.” The guideline was added as OWASP leaders came to understand that 90% of a typical application is composed of open source components. In this session, our panel of senior application security experts will share and discuss the results of a four-year, industry-wide study on application security practices, policies, and trends within the open source development community. To date, over 11,000 professionals have participated in the study.

Among the surprising survey responses the panelists will kick around:

• 1 in 3 organizations had or suspected an open source breach in the past 12 months
• Only 16% of participants must prove they are not using components with known vulnerabilities
• 64% don't track changes in open source vulnerability data

The 2014 edition of this annual study was run during the month of April, right in the wake of the notorious open source Heartbleed bug announcement. Over 3,300 participated in the 2014 study, with results directly reflecting the state of organizations' preparedness to react to Heartbleed and any future vulnerabilities.

Objectives and Outcomes:

• The moderator will engage the audience by polling them on a survey question prior to its discussion.
• Panelists will share their perspectives on application security from the 2014 survey results, helping to increase awareness of open source component use, vulnerabilities, and best practices.
• Panelists will also reveal trends recognized across the four-year study to show where application security practices are getting better and where they are getting worse.
• Attendees will learn from the study results and be encouraged to share them within their own organizations. While the stats may surprise attendees, the most value they will get from the session is from provoking discussions with the data in their own organizations.

All participants will receive a copy of the survey results to take notes on and then share within their own organizations.

Our expert panel for this discussion includes:

• Oleg Gryb, Application Security Architect, Intuit
• James Wickett, Sr. DevOps Engineer, Mentor Graphics
• Matt Tesauro, Sr. Product Security Engineer, Rackspace + OWASP Foundation
• Ryan Berg, Chief Security Officer, Sonatype

Moderators

Derek Weeks

VP, Sonatype
Derek E. Weeks, Vice President, Sonatype. Derek is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at So...

Speakers

Oleg Gryb

Chief Security Architect, Visa Inc
Oleg Gryb is Chief Security Architect at Visa Inc. working in security architecture and security engineering domains. He was previously Sr. Manager and de-facto CISO of Samsung’s IoT platform called Artik Cloud. Before that he worked as Security Architect at Intuit, where he was...

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...

James Wickett

Sr. Engineer, Signal Sciences Corp
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and...


Friday October 24, 2014 3:00pm - 3:45pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/

3:00pm

What Good is this Tool? A Guide to Choosing the Right Application Security Testing Tools
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program.

The primary takeaways from this talk are:
• An understanding of the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC at which to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes.


Speakers

Kevin Fealey

Director, ASPECT SECURITY INC
Kevin Fealey is the Director of Aspect Security's Automation & Integration Services Division. He specializes in building security into CI/CD pipelines by automating commercial, open source, and custom tools, and developing streamlined processes to provide faster security feedback to...


Friday October 24, 2014 3:00pm - 3:45pm
Magnolia Room Norris Conference Center, http://lascon.org/venue/

4:00pm

Closing and Door Prizes
Friday October 24, 2014 4:00pm - 4:30pm
Red Oak Ballroom Norris Conference Center, http://lascon.org/venue/