Hella Secure's premier Application Security Conference.
Don't settle for being secure. Be Hella Secure.
Schedule (All times PDT [UTC -7])

| Time  | Speaker                   | Talk                                                              |
|-------|---------------------------|-------------------------------------------------------------------|
| 9:00  | Tanya Janca               | Keynote & Fireside Chat                                           |
| 10:00 | Ochaun Marshall           | Flex Seal your CI/CD Pipeline                                     |
| 10:30 | Sasi Siddharth Muthurajan | May SAST be with you - Anecdotal evidence on using SAST for good  |
| 11:00 | Bigfoot                   | Getting Ready for a Bug Bounty: A Short Story                     |
| 11:30 | Frank Rietta              | Securing the Open Source Software Supply Chain                    |
| 12:30 | Jillian Ratliff           | Vulnerabilities that Hide From Your Tools                         |
| 1:30  | Nancy Gariché             | Self-service Appsec as a service                                  |
| 2:00  | Drew Dennison             | sgrep: grep for code, an open source tool to find bugs            |
| 2:30  | Ray                       | Delivering Happiness and AppSec to your developers                |
| 3:00  | Mic Whitehorn-Gillam      | A Demo is Worth 1000 Words                                        |
Tanya Janca (Twitter: @SheHacksPurple)
Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years in Ottawa, co-founding a new OWASP chapter in Victoria, and co-founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #CyberMentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.
Keynote & Fireside Chat
From Day 1 to Metrics, and other important AppSec topics. Tanya will share her knowledge on how to start up and build out your Application Security Program.
Ochaun Marshall (Twitter: @OchaunM)
Ochaun (pronounced O-shawn) Marshall is a developer and security consultant with a background in computer science education and machine learning. In his roles at Secure Ideas, he works on ongoing development projects utilizing Amazon Web Services and breaks other people's web applications. When he is not swallowing gallons of the DevOps Kool Aid, he can be found blasting Two Steps from Hell while hacking, blogging and coding.
Flex Seal your CI/CD Pipeline
Continuous Delivery is the heart of DevOps. Web applications, APIs and microservices are now designed to have the latest version deployed as quickly as possible. This revolution has empowered organizations to develop highly available products and platforms. However, most of the traditional security checks are often bypassed, since code can be sent from a repository to a production environment in seconds. This talk lays down some strategies for keeping an operationally efficient DevOps pipeline while incorporating security throughout the entire process. Security is a growing concern in this field, not only because the pipeline is a critical component in many cloud native application and service deployments, but also because of the level of access these systems have to all the infrastructure around them. Most of that access is required for the level of automation organizations are striving to build towards, but forgoing security in this area exposes them in ways they may not know or understand.
Sasi Siddharth Muthurajan (Twitter: @randm0rdr)
Sasi Siddharth is an AppSec junkie who has played a key role in developing web application scanning techniques and DNS-based malware analysis. Sasi has contributed to yearly risk reports and submitted several patents showcasing his innovative ideas on techniques for detecting modern day software vulnerabilities. Currently, he enjoys securing enterprise applications while tweaking processes that make it easy to do so. He holds a Master's degree in Information Security from Georgia Tech and spends his weekends exploring the charm of New England.
May SAST be with you - Anecdotal evidence on using SAST for good
Static Application Security Testing (SAST) solutions have been used by enterprises for over two decades. While such solutions are considered necessary in any development shop, the technology has been notorious for reporting a high volume of false positives. This problem is especially significant in larger codebases and legacy applications. However, with the right skills, process and a little bit of time, teams can extract a lot more value from SAST tools. While SAST tools might sound like plug-n-play solutions, they require constant care and maintenance to achieve optimal Return on Investment (ROI). This talk is meant to be a discussion on identifying the various techniques that will allow teams to utilize SAST offerings to their maximum potential. It will also cover ideas for designing processes that will not only help use SAST tools effectively, but also prevent various categories of vulnerabilities from being introduced into the code.
Mic Whitehorn-Gillam (Twitter: @mic_wg)
Mic has spent 13 years writing web applications professionally, and currently works as a Security Consultant for Secure Ideas, primarily providing penetration testing and security architecture review services specializing in web apps and APIs. He has also taught a number of secure coding classes for developers both privately for clients and publicly at conferences.
A Demo is Worth 1000 Words
Whether you're a developer or an appsec engineer, we all get better by teaching and learning from our peers. This can take many forms, from incidental knowledge sharing during day-to-day collaboration to more formal settings such as internal classes or lunch & learn sessions. While teaching appsec concepts to developers, I found that some topics can be difficult to explain even when you understand them clearly and consider them fairly simple. CORS and CSPs, in particular, stand out. We'll take a look at why they're so difficult to explain with words or static slides. Then I will show the free, open-source demo tool that I created to make it easier to *show* and tell about these concepts.
Frank Rietta (Twitter: @frankrietta)
Frank Rietta is the CEO of Rietta.com, a security-focused web application firm. He is a web application security architect, expert witness, author, and speaker. He is a computer scientist with a Master's in Information Security from the College of Computing at the Georgia Institute of Technology. Additionally, he is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley. Rietta.com is in the business of defensive security. Our business is built around the realization that security cannot be bolted on at the end of a development process, and thus if you want to build web applications capable of withstanding constant attack from hackers and those who would cause users harm, you have to build security into the development process itself. This has become even more critical with the rise of cloud-based computing and the proliferation of mobile iPhone and Android applications that communicate constantly with publicly accessible web-based API servers in order to function. In our industry, the security perimeter is no longer defined as a network firewall, but is instead wherever your servers make an authentication decision. This means that ultimately all security depends on software security.
Securing the Open Source Software Supply Chain
As a DevSecOps team it can be hard to understand the totality of the digital assets that your production environment depends upon. This situation is accelerating as the typical modern organization depends upon dozens of applications built on top of open source platforms. Popular frameworks such as Docker, NodeJS, React, Ruby on Rails, and Grails (Java) introduce hundreds or thousands of dependencies. Developers easily introduce unsafe dependencies, and there is a history of previously safe dependencies being backdoored by malicious parties. In the last year, there were multiple incidents where malicious code was distributed via popular mainstream Ruby Gems. I will present original research into metadata analysis of the compromised Gems and discuss the three common attack patterns against Gems:

- Backdoors in Popular Gems Distributed via Compromised Maintainer Credentials
- Malicious Typo-Squatted / Soundalike Gems
- Maintainership Transfer to a Malicious Actor

I will connect the particular research into the Ruby ecosystem with broader principles that will apply to other open source library ecosystems. I will introduce you to a six-part strategy for a comprehensive dependency management program that can be implemented by an organization to reduce the risk posed by third-party open source libraries:

1. Minimize Dependencies During Development
2. Write Automated Integration Tests
3. Monitor Packages for CVEs & Updates
4. Implement CI/CD
5. Patch & Update Regularly
6. Contribute Code & Financial Support to Critical Open Source Infrastructure

Attendees will gain immediately applicable knowledge about how to approach managing their open source supply chain proactively rather than reactively.
Jillian Ratliff (Twitter: @jillians2cents)
Jillian provides application security training for software engineers, so they have the skills to write secure code in any language. She is also a stand up comedienne and uses humor to keep students engaged and entertained. With over 10 years of AppSec experience, she has worn many hats: penetration tester, consultant, code reviewer, and threat modeler! However, her favorite hat to wear has always been that of a teacher, and that’s why she founded Gold Hat Security in May 2019.
Vulnerabilities that Hide From Your Tools
Over the past few years, AppSec professionals have become increasingly reliant on automation. While it's fine to use tools to do the work that you just don't have the time for, there are many vulnerabilities that automated tools can't detect. In this talk, we'll discuss methodologies for finding those hidden vulnerabilities so you can sleep a little better at night.
Nancy Gariché
In the early 2000s, Nancy joined the Canadian federal government as a computer science co-op student and never left. In 2009, she moved to Ottawa from Montreal, her beloved hometown, to land her first IT security job as a security analyst. This multi-hatted role gave her the opportunity to take on duties in multiple disciplines, ranging from incident handling to project and risk management. Involved in her local infosec community, she aspires to welcome and empower a new generation of industry professionals into the workforce. She is currently leading her federal Department’s Security Assessment and Authorization Program, and she is the co-founder of Secure That Cert!, a community that helps cybersecurity professionals and enthusiasts obtain the skills and certifications required to kickstart or level up their career.
Self-service Appsec as a service
Contrary to popular belief, organizations that build software in-house do not always have an application security program! If they do, their program often relies heavily or completely on imperfect scanning tools or pentesting engagements to find vulnerabilities. As an individual contributor, I was left wondering how to provide relevant security requirements at scale to growing development teams, early in the development lifecycle. In this lightning presentation, I explain how, by leveraging projects from the Open Web Application Security Project (OWASP) like the Application Security Verification Standard (ASVS), I was able to build a self-service security questionnaire that proactively provides tailored security requirements to software engineers.
Drew Dennison (Twitter: @drewdennison)
Drew Dennison is the CTO & co-founder of r2c, a startup working to profoundly improve software security and reliability to safeguard human progress. Previously at Palantir, he led data-driven cyber insurance platform development and technical incident response on major data leaks for Fortune 100 companies. Drew received his degree in Computer Science from MIT. He lives in SF and spends his free time racing sailboats, camping, and trying to outsmart his two cats.
sgrep: grep for code, an open source tool to find bugs
Using a familiar grep-like syntax to find common patterns in code. How lightweight static analysis + secure-by-default frameworks can help you secure code with confidence. https://sgrep.dev
Ray
Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. He is currently watching The Expanse on Amazon Prime (pls no spoilers) and sometimes walks his dog.
Delivering Happiness and AppSec to your developers
In a perfect world, all developers, developer managers, and product owners would be champions of security. But we don’t live in that world and that won't happen anytime soon. This talk will give you the tools you need to start living in that perfect world.
Bigfoot
In North American folklore, Bigfoot or Sasquatch is said to be a hairy, upright-walking, ape-like creature that dwells in the wilderness and leaves footprints. Depictions often portray them as a missing link between humans and human ancestors or other great apes. They are strongly associated with the Pacific Northwest (particularly Oregon, Washington and British Columbia) and Northern California, and individuals claim to see the creatures across North America. Over the years, these creatures have inspired numerous commercial ventures and hoaxes. The plural nouns 'Bigfoots' and 'Bigfeet' are both in use. Other names include "skunk-ape", "Ridge-walker", "pine-man", and "grass-man".
Getting Ready for a Bug Bounty: A Short Story
Bug bounties are one of the most obnoxious security trends of the last decade. They have also become a key piece in a company's security posture. Bug bounties allow independent security researchers a legal means to report security flaws within a company’s various applications and/or products. This talk is designed to give you a quick rundown of what to expect and how to find success with your bug bounty program.