Los Angeles/2015 Meetings

---July 29 2015

---June 24 2015, Symantec Offices, Culver City

Speaker: Joe Rozner

Topic: Langsec and You

Abstract: Langsec attempts to solve specific vulnerability classes caused by specially crafted user input being accepted by an application that has an undesired or unintended effect. Langsec and You will describe many of these vulnerability classes specifically focusing on XSS and SQL Injection due to their prevalence and relevance to the audience. We will dive into exactly why these vulnerability classes exist and how to use langsec to help solve them. This will involve a brief introduction or refresher to formal language theory before concluding with a survey of some of the tools available to start implementing langsec solutions for yourself.

Speaker bio: As an experienced software engineer with experience across many languages and paradigms Joe has focused his career on rapid prototyping and independent security research. He’s developed custom system call level sandboxes, rich web applications, and applications at all levels between. A strong interest in computer languages and implementation of them has led to a solid foundation and further cultivation in the area of language implementation and language security. This combination of experience has allowed Joe to lead teams in designing and creating truly unique products and solving difficult problems.

---May 27 2015, Symantec Offices, Culver City

Speaker: Kelly Fitzgerald

Topic: Clever: Securing the Savvy Vector

Abstract: Depending on your age you may remember Superman or Office Space and the clever scheme to take the portions of a penny from huge number of transactions in order to un-noticeably get rich quick. What about cybercrime in the real world? In this talk we will look at the clever side of cybercrime. Real world examples, events and protection. This information will help you as a security professional look at your world with a clever view and make you better at securing your world from the clever, savvy vector.

Speaker bio: Kelly has a BS in Computer Science from CSUSB. She was awarded a full academic scholarship from the National Science Foundation. In her senior year of college she took a job at EvidentData doing computer forensics. From there she fell in love with the dark side and purposely went in persuit of a career in computer security looking at the bleedy places where people and technology bruise. Kelly has worked at Symantec since 2003 and has two single-filer patents pending.

---April 29 2015, Symantec Offices, Culver City

Speaker: Kunal Anand

Speaker bio: Kunal is the co-founder and CTO of Prevoty, an application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.

Topic: Beyond the Perimeter: The reality of the new application security landscape

Abstract: Web applications are dynamic, distributed and perhaps most importantly - the heart of every business in the post-PC era. These applications collect, process and persist information from a myriad of third-party services and users. From an adversary's perspective, the attack surface has never been more tantalizing. Today, a security model entirely predicated on applying controls and pattern-matching at the perimeter is at best a zero-sum game; applying probabilistic logic highlights that pattern matching techniques cannot prevent attacks created by content and SQL fuzzers. This talk will explore an alternative approach to identifying bad actors at runtime via the implementation of language security models to prevent attacks like XSS and SQLi without relying on past definitions and signatures. We’ll cover the tradeoffs, discuss performance and review the challenges of modern application security.

---March 25,2015, Microsoft Office, Playa Del Rey, CA Speaker:Jeff Williams is the founder and CTO of Contrast Security Speaker bio: Jeff Williams is the founder and CTO of Contrast Security, bringing the power of instrumentation and real time analytics to secure your application portfolio. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at jeff.williams@contrastsecurity.com.

Topic:Why Your AppSec Experts Are Killing You

Software development has been transformed by practices like Continuous Integration and Continuous Integration, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

---March 11,2015, Symantec Offices, Culver City

Speaker: Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security Speaker Bio: Jerry Hoff is the Principal Security Strategist at WhiteHat Security. Prior to WhiteHat Security, Jerry co-founded Infrared Security, a specialist in application security and next-generation static analysis technologies. His work experience also includes a number of financial firms including Morgan Stanley Asia where he was on the global Security Architecture team based out of Hong Kong. He has more than a decade of experience in application security consulting, and has taught at Washington University’s CAIT program delivering security and development classes for thousands of developers. Jerry is a frequent speaker at numerous security events around the globe, and is a regular OWASP contributor, where he leads up the OWASP Application Tutorial Series and WebGoat.NET. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.

Topic: Web Attacks at Scale in 2015 (Alternative Title: Web Security Bootcamp)

This talk is an attacker-centric presentation demonstrating how modern pen-testing tools such as OWASP Zap, Browser Exploitation Framework (BeEF) and sqlmap can be used to automate web attacks at scale. Reenactments of some of the most publicized attacks in recent history will be conducted to ensure participants understand and absorb how these attacks are taking place. Full exploits using these tools and more will be demonstrated, and a discussion of solutions will follow.

---February 25,2015, Symantec Offices, Culver City

Speaker: David Maman Mr. Maman is co-founder and CTO at GreenSQL, a leader in unified database security solutions. He is a recognized international expert in computer security advising companies on threat management, real-time network protection, advanced network design, and security architecture. David has founded a number of high-tech start-up companies, including Vanadium-Soft, Preacos, and Moksai. As a senior technology director for Fortinet, a leading international IT security firm, Mr. Maman provided consulting services to global businesses and opened new international regions. He was the information security manager for Bezeq, a national telecommunications company, and the chief scientist at Ofek, a leading Israeli IT and security consulting firm.

Topic: WAF Isn't Enough. The Multi-Faceted Approach to Defend against SQL Injection Attacks

WAFs are essential security mechanisms used on almost all commercial websites today. Despite the excellent protection they offer against many types of attacks, WAFs are inadequate to protect against today’s sophisticated SQL Injection (SQLi) attacks. This is because, fundamentally, a WAF does not understand database commands or database structure. Its protection is limited to a black list of blocked signatures. Even if a WAF did provide complete protection from web access, it still would be inadequate for database protection, because databases are accessed from many sources, not just from web-based applications. Attendees will learn best practices for defending against SQLi attacks using a comprehensive approach of:

Database firewalls Pattern learning processes Separation of duties Risk-based policies Masking of sensitive information