Los Angeles/2015 Meetings

---April 29 2015, Symantec Offices, Culver City

---March 25,2015, Microsoft Office, Playa Del Rey, CA Speaker:Jeff Williams is the founder and CTO of Contrast Security Speaker bio: Jeff Williams is the founder and CTO of Contrast Security, bringing the power of instrumentation and real time analytics to secure your application portfolio. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at jeff.williams@contrastsecurity.com.

Topic:Why Your AppSec Experts Are Killing You

Software development has been transformed by practices like Continuous Integration and Continuous Integration, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

---March 11,2015, Symantec Offices, Culver City

Speaker: Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security Speaker Bio: Jerry Hoff is the Principal Security Strategist at WhiteHat Security. Prior to WhiteHat Security, Jerry co-founded Infrared Security, a specialist in application security and next-generation static analysis technologies. His work experience also includes a number of financial firms including Morgan Stanley Asia where he was on the global Security Architecture team based out of Hong Kong. He has more than a decade of experience in application security consulting, and has taught at Washington University’s CAIT program delivering security and development classes for thousands of developers. Jerry is a frequent speaker at numerous security events around the globe, and is a regular OWASP contributor, where he leads up the OWASP Application Tutorial Series and WebGoat.NET. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.

Topic: Web Attacks at Scale in 2015 (Alternative Title: Web Security Bootcamp)

This talk is an attacker-centric presentation demonstrating how modern pen-testing tools such as OWASP Zap, Browser Exploitation Framework (BeEF) and sqlmap can be used to automate web attacks at scale. Reenactments of some of the most publicized attacks in recent history will be conducted to ensure participants understand and absorb how these attacks are taking place. Full exploits using these tools and more will be demonstrated, and a discussion of solutions will follow.

---February 25,2015, Symantec Offices, Culver City

Speaker: David Maman Mr. Maman is co-founder and CTO at GreenSQL, a leader in unified database security solutions. He is a recognized international expert in computer security advising companies on threat management, real-time network protection, advanced network design, and security architecture. David has founded a number of high-tech start-up companies, including Vanadium-Soft, Preacos, and Moksai. As a senior technology director for Fortinet, a leading international IT security firm, Mr. Maman provided consulting services to global businesses and opened new international regions. He was the information security manager for Bezeq, a national telecommunications company, and the chief scientist at Ofek, a leading Israeli IT and security consulting firm.

Topic: WAF Isn't Enough. The Multi-Faceted Approach to Defend against SQL Injection Attacks

WAFs are essential security mechanisms used on almost all commercial websites today. Despite the excellent protection they offer against many types of attacks, WAFs are inadequate to protect against today’s sophisticated SQL Injection (SQLi) attacks. This is because, fundamentally, a WAF does not understand database commands or database structure. Its protection is limited to a black list of blocked signatures. Even if a WAF did provide complete protection from web access, it still would be inadequate for database protection, because databases are accessed from many sources, not just from web-based applications. Attendees will learn best practices for defending against SQLi attacks using a comprehensive approach of:

Database firewalls Pattern learning processes Separation of duties Risk-based policies Masking of sensitive information