Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA


Crystal Room
Friday, October 12


Campaign Security is Hard

Dylan Ayrey

Bio: Dylan is an active member of the security open source community, and authored projects such as Trufflehog. He's spoken at a number of conferences including Defcon, BsidesSF, Toorcon, and others. He graduated college in 2015 and has been working in the security industry ever since...

Ben Hagen

Ben Hagen is likely the only security professional in the world who has won both a presidential election and an Emmy. He loves security and both building and breaking things. Ben is currently helping several organizations solve interesting security problems. Previously, he was head...

Friday October 12, 2018 10:15am - 10:50am


Tears From the Cloud
"When “getting pwned” doesn’t even fully describe what happened"

When building your systems and infrastructure in the cloud, you should always consider the attack vectors you open yourself up to and continually strive to proactively close them. It's common knowledge that when bringing up cloud computing resources you should do things like prevent SSH logins as the root user, disable password authentication for all users, and limit which IP addresses can talk to the different services on your virtual machines. In more recent years, as our usage of SaaS and IaaS has grown, securing employee credentials has become even more crucial. So in addition to securing the infrastructure, you require that all employees who need access to the control panel use multi-factor authentication (using TOTP, making sure it's not SMS-based).

By segmenting access, configuring an intrusion detection system, keeping the systems and packages up to date, and implementing multiple factors of authentication for your cloud control panel, you're confident in the setup. You're fairly certain that an alarm would go off if an attacker were able to gain access, and even then their access would be limited to an unprivileged user on only the infrastructure they have access to. But what happens if an employee's credentials aren't phished, and instead your infrastructure provider is compromised? Are your systems protected from that vector, and will your heuristics catch it? What can you do to protect yourself from this vector, and can you even reasonably do that?

In this talk, we'll tell a story from the not too distant past about a successful targeted attack against a company that used infrastructure providers as the vector. We'll share details of the methods the attacker used and the explicit steps they took to attempt to cover their tracks. We'll also look at what they did after the attack vector was closed, while attempting to regain access to the systems. Finally, we'll look at what you can do to help mitigate the risks you incur if your infrastructure provider is compromised.


Tim Heckman

SRE, Netflix
Tim is a Site Reliability Engineer at Netflix, working on the team responsible for the reliability of the Streaming Platform. Prior to becoming an SRE at Netflix, he worked at startups in roles focused on the operation, reliability, and security of their applications and infrastructure...

Friday October 12, 2018 11:00am - 11:30am


Empowering Modern Development with Security Automation - Trials and Tribulations from the Trenches
The adoption of agile development practices and DevOps has enabled companies to iterate more quickly, allowing them to be more responsive to customer needs and deliver features in a fraction of the time. While this rapid release cycle has a number of benefits for the engineering team, it can tax already time- and person-limited security teams, who are usually outnumbered by engineers 100:1 or more. To keep up with growing engineering teams and the rapid pace of development, security teams have begun investing heavily in tools, processes, and policies that more efficiently and effectively amplify their efforts.
Join us for a candid panel discussion of how several companies have worked to scale their AppSec program, including senior security team members from Netflix, Datadog, DocuSign, and Signal Sciences. We'll discuss a number of relevant topics, including:
* What are some initial, high ROI minimal security engineering efforts that are valuable to pursue first?
* Which security tools, processes, or libraries have been the biggest wins at your company?
* What are three things you’d do in any organization you join?
* What are three spectacular failures you’ve had?
Attendees will leave with specific, practical, and actionable lessons they can apply immediately to their organizations. We'll leave extra time for questions at the end to ensure we answer the audience's most pressing needs.


Devdatta Akhawe

Director of Security Engineering, Dropbox
Devdatta heads the Product Safety Organization at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is...

Scott Behrens

Senior Application Security Engineer, Netflix
Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise...

Doug DePerry

Director, Product Security, Datadog
Doug DePerry is the Director of Product Security for Datadog. Prior to his current position, Doug led the bug bounty program at Yahoo. Much of his 10+ years of experience in the security industry is on the offensive side, as a security researcher and consultant at Leaf SR and iSec...

Clint Gibler

Research Director, NCC Group
Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies...

John Heasman

Deputy CISO, DocuSign
John Heasman is the Deputy CISO at DocuSign, focused on proactive approaches to securing software. Prior to DocuSign, he spent 10 years working as a consultant for the NCC Group. John has released numerous security advisories in widely used software and has presented original research...

Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O'Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding...

Friday October 12, 2018 11:45am - 12:20pm


Cheaters, cheaters, video game eater
An overview of performance-enhancing software in League of Legends and what Riot does to combat it.


Clint Sereday

Security Manager, Riot Games
Clint Sereday is the product owner for Anti-cheat at Riot Games. After ten years of building teams in the payment risk space, Clint followed his passion for video games to Riot. After initially building out their fraud prevention program, Clint has spent the last 4 years focusing...

Friday October 12, 2018 1:30pm - 2:05pm