Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA


Regency Ballroom 2
Thursday, October 11
 

10:15am

Web application compromise mitigation with crypto anchoring
Today’s world of Equifax breaches is the same old data security problem. In the past you’d need a solid SQL injection to pull all the records of a database. Nowadays, you need an RCE on the application server. The root problem has not changed: the app server has keys to the database, decryption, and a public presence. How do you protect data in this architecture? A solution is crypto anchoring paired with effective monitoring.
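The abstract names the technique but does not show it. The following is an added example, not code from the talk or from Blend: a "crypto anchor" is a decryption service that keeps the data key out of the app server entirely, so an attacker with RCE on the app server can only decrypt records at the rate the anchor allows, and every decrypt leaves an audit event for monitoring. The per-caller limit, the caller names and the table contents are constructed for the example; the SHA-256 keystream cipher is a standard-library stand-in for AES-GCM inside an HSM and must not be reused as a real cipher.

```python
"""Added example (not the talk's code): a rate-limited 'crypto anchor'.

The app server never holds the data-encryption key. Every decrypt goes
through the anchor, which enforces a per-caller sliding-window budget and
records audit events, so a compromised app server can only dump records
at the anchored rate while monitoring fires.  The cipher below is a
stdlib stand-in (SHA-256 keystream + HMAC tag) for AES-GCM in an HSM.
"""
import hashlib
import hmac
import secrets
import time
from collections import deque


class RateLimited(Exception):
    """Raised when a caller exceeds its decrypt budget."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream; stands in for a real AEAD, never use as one.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class KeyAnchor:
    """Holds the key; enforces a per-caller sliding-window decrypt limit."""

    def __init__(self, max_decrypts: int, window_s: float, clock=time.monotonic):
        self._key = secrets.token_bytes(32)   # never leaves this object
        self.max_decrypts = max_decrypts       # constructed policy value
        self.window_s = window_s
        self._clock = clock
        self._calls = {}                       # caller -> deque of timestamps
        self.audit = []                        # (event, caller) for monitoring

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self._key, nonce, plaintext)
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, caller: str, blob: bytes) -> bytes:
        now = self._clock()
        q = self._calls.setdefault(caller, deque())
        while q and now - q[0] > self.window_s:   # drop calls outside window
            q.popleft()
        if len(q) >= self.max_decrypts:
            self.audit.append(("rate_limited", caller))
            raise RateLimited(caller)
        q.append(now)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.audit.append(("bad_tag", caller))
            raise ValueError("integrity check failed")
        self.audit.append(("decrypt", caller))
        return _keystream_xor(self._key, nonce, ct)


def alerts(anchor: KeyAnchor) -> list:
    """Monitoring view: any caller that hit the limit is an incident signal."""
    return sorted({c for e, c in anchor.audit if e == "rate_limited"})


def simulate_dump(anchor: KeyAnchor, rows: list, caller: str = "app-server") -> list:
    """Attacker with app-server access tries to decrypt the whole table."""
    got = []
    for blob in rows:
        try:
            got.append(anchor.decrypt(caller, blob))
        except RateLimited:
            break
    return got
```

With a budget of five decrypts per minute, a full-table dump from the app server yields five plaintexts before the anchor refuses and the caller shows up in `alerts()`; the stolen ciphertext is useless on its own because the key never left the anchor.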

Speakers

Jon Debonis

Head of Security / CSO, Blend
Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.


Thursday October 11, 2018 10:15am - 10:50am
Regency Ballroom
  • Track 2

11:45am

Identifying and Remediating Security Vulnerabilities in AI Assistant Based Applications
Intelligent assistants are and will be everywhere. You might be thinking that you cannot hack assistants because you can't say "What's the weather in Boston' or 1=1--" or because your assistant is safe in your house. Unfortunately, there are ways around both. This talk helps you understand how assistant applications work, how they are attacked, and how to identify and address vulnerabilities in them.

Speakers

Abraham Kang

Senior Director Software, Samsung Research America
Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs. Kang has a B.S. from Cornell University. He currently works for Samsung as a Senior Director Software helping to drive security and development in Samsung. Prior to... Read More →


Thursday October 11, 2018 11:45am - 12:20pm
Regency 2
  • Track 2

1:30pm

Paving the road for Developers: Lessons from integrating third party library scanning in DevOps workflows
The necessity of securing third-party libraries and packages is not a new concept; however, not many organizations understand its importance in a world where open source is mainstream. There is an exponential growth in the usage of third party libraries and reusing code is the norm for developers. Adding a library can end up adding several other dependencies without the developer even being explicitly aware of them. Now combine this with the rapid pace of shipping new code on a daily basis, and the security challenge all of a sudden seems insurmountable.

In this talk, we will share our story of how we tackled this challenge head-on and leveraged DevOps tooling to build security that enables the developers. You should attend this talk if you want to learn about the technical and architectural choices of library scanning that worked for us at scale, and the ones that didn’t. You will learn how to drive automation while maintaining the consistency of overall developer experience.

And while you may have heard great talks about how DevOps (or DevSecOps) enables security, it also sets you up for losing credibility at DevOps speed if you're not careful. We will give you tips and tricks, the Do's and Don'ts that will enable you to implement third-party library security automation in your developer workflow, make it the path of least resistance and empirically measure success over time.
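The abstract's point that one added library silently brings in transitive dependencies is what a library scanner has to handle. The following is an added example, not Medallia's tooling or anything from the talk: it walks a lockfile-style dependency graph to the full transitive set, reports each known-vulnerable version together with the path of direct dependencies that pulled it in (so the developer sees which top-level package to bump), and gates the build with an explicit allowlist so that a block is never a dead end. The dependency graph, the advisory IDs (`EXAMPLE-…`) and the "vulnerable if below fixed_in" range rule are all constructed for the example.

```python
"""Added example (not from the talk): transitive dependency scanning + CI gate.

LOCK mirrors what a lockfile resolves to: package -> (pinned version,
declared dependencies).  ADVISORIES is a constructed feed: package ->
list of (fixed_in_version, advisory id); a pinned version below fixed_in
is treated as vulnerable (a simplification of real affected-range data).
"""

LOCK = {
    "web-framework": ("2.1.0", ["templating", "http-parser"]),
    "templating":    ("1.4.2", ["escape-utils"]),
    "http-parser":   ("0.9.3", []),
    "escape-utils":  ("3.0.1", []),
    "test-runner":   ("5.2.0", ["http-parser"]),
}
DIRECT = ["web-framework", "test-runner"]      # what the developer asked for

ADVISORIES = {
    "escape-utils": [("3.0.2", "EXAMPLE-2018-0001")],
    "http-parser":  [("1.0.0", "EXAMPLE-2018-0002")],
}


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple (no pre-release handling)."""
    return tuple(int(x) for x in v.split("."))


def resolve(root: str, lock: dict, path: tuple = (), seen: dict = None) -> dict:
    """Depth-first walk; returns {package: path from root} for root and all
    transitive dependencies.  Cycles are cut by the seen map."""
    seen = {} if seen is None else seen
    if root in seen:
        return seen
    path = path + (root,)
    seen[root] = path
    for dep in lock[root][1]:
        resolve(dep, lock, path, seen)
    return seen


def scan(direct: list, lock: dict, advisories: dict) -> list:
    """One finding per (advisory, path): the same vulnerable package reached
    through two direct dependencies is reported twice so both get bumped."""
    findings = []
    for root in direct:
        for pkg, path in resolve(root, lock).items():
            version = lock[pkg][0]
            for fixed_in, adv_id in advisories.get(pkg, []):
                if parse_version(version) < parse_version(fixed_in):
                    findings.append({
                        "id": adv_id, "package": pkg, "version": version,
                        "fixed_in": fixed_in, "path": " > ".join(path),
                    })
    return findings


def gate(findings: list, allowlist: dict) -> tuple:
    """CI decision.  allowlist maps advisory id -> written justification, so a
    blocked build always has a documented escape hatch.  Returns (ok, lines)."""
    lines, ok = [], True
    for f in findings:
        reason = allowlist.get(f["id"])
        if reason:
            lines.append(f"ALLOW {f['id']} {f['package']}@{f['version']} ({reason})")
        else:
            ok = False
            lines.append(f"FAIL  {f['id']} {f['package']}@{f['version']} "
                         f"fixed in {f['fixed_in']}; via {f['path']}")
    return ok, lines


if __name__ == "__main__":
    passed, report = gate(scan(DIRECT, LOCK, ADVISORIES), {})
    print("\n".join(report))
    raise SystemExit(0 if passed else 1)
```

Run as a CI step, the non-zero exit blocks the merge; the `via` path tells the developer that `escape-utils` arrived through `web-framework > templating`, which is the package they can actually change.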

Speakers

Tim Champagne

Sr. Product Security Engineer, Medallia

Harshil Parikh

Director of Security, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.


Thursday October 11, 2018 1:30pm - 2:05pm
Regency 2
  • Track 2

2:15pm

Chromebooks and network motes to enforce security posture from the device to the cloud
Telling a developer they cannot have admin access on their local machine is not practical. We want them to get work done. For any company that doesn’t have an IT security team greater than 4 to 5 people, monitoring devices is not practical. How do we both provide secure access to production, where the stakes are very high, and provide admin rights on personal devices? Our solution was to roll out Chromebooks, and it was fraught with technical challenges.

Speakers

Jon Debonis

Head of Security / CSO, Blend
Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.


Thursday October 11, 2018 2:15pm - 2:50pm
Regency 2
  • Track 2
 
Friday, October 12
 

11:00am

Open Source Security Tools for Kubernetes Applications
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.

In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.

Speakers

Michael Ducy

Director of Community & Evangelism, Sysdig
Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef where he held a variety of roles helping customers and community members leverage Chef’s... Read More →


Friday October 12, 2018 11:00am - 11:35am
Regency 2
  • Track 2