Los Angeles/2015 Meetings

---April 29 2015, Symantec Offices, Culver City

Speaker: Kunal Anand

Speaker bio: Kunal is the co-founder and CTO of Prevoty, an application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been featured in Wired Magazine and Fast Company. He continues to develop the patented security technologies that power Prevoty’s core products. Kunal received a B.S. from Babson College.

Topic: Beyond the Perimeter: The reality of the new application security landscape

Abstract: Web applications are dynamic, distributed and perhaps most importantly - the heart of every business in the post-PC era. These applications collect, process and persist information from a myriad of third-party services and users. From an adversary's perspective, the attack surface has never been more tantalizing. Today, a security model entirely predicated on applying controls and pattern-matching at the perimeter is at best a zero-sum game; applying probabilistic logic highlights that pattern matching techniques cannot prevent attacks created by content and SQL fuzzers. This talk will explore an alternative approach to identifying bad actors at runtime via the implementation of language security models to prevent attacks like XSS and SQLi without relying on past definitions and signatures. We’ll cover the tradeoffs, discuss performance and review the challenges of modern application security.

---March 25,2015, Microsoft Office, Playa Del Rey, CA Speaker:Jeff Williams is the founder and CTO of Contrast Security Speaker bio: Jeff Williams is the founder and CTO of Contrast Security, bringing the power of instrumentation and real time analytics to secure your application portfolio. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at jeff.williams@contrastsecurity.com.

Topic:Why Your AppSec Experts Are Killing You

Software development has been transformed by practices like Continuous Integration and Continuous Integration, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.

---March 11,2015, Symantec Offices, Culver City

Speaker: Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security Speaker Bio: Jerry Hoff is the Principal Security Strategist at WhiteHat Security. Prior to WhiteHat Security, Jerry co-founded Infrared Security, a specialist in application security and next-generation static analysis technologies. His work experience also includes a number of financial firms including Morgan Stanley Asia where he was on the global Security Architecture team based out of Hong Kong. He has more than a decade of experience in application security consulting, and has taught at Washington University’s CAIT program delivering security and development classes for thousands of developers. Jerry is a frequent speaker at numerous security events around the globe, and is a regular OWASP contributor, where he leads up the OWASP Application Tutorial Series and WebGoat.NET. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.

Topic: Web Attacks at Scale in 2015 (Alternative Title: Web Security Bootcamp)

This talk is an attacker-centric presentation demonstrating how modern pen-testing tools such as OWASP Zap, Browser Exploitation Framework (BeEF) and sqlmap can be used to automate web attacks at scale. Reenactments of some of the most publicized attacks in recent history will be conducted to ensure participants understand and absorb how these attacks are taking place. Full exploits using these tools and more will be demonstrated, and a discussion of solutions will follow.

---February 25,2015, Symantec Offices, Culver City

Speaker: David Maman Mr. Maman is co-founder and CTO at GreenSQL, a leader in unified database security solutions. He is a recognized international expert in computer security advising companies on threat management, real-time network protection, advanced network design, and security architecture. David has founded a number of high-tech start-up companies, including Vanadium-Soft, Preacos, and Moksai. As a senior technology director for Fortinet, a leading international IT security firm, Mr. Maman provided consulting services to global businesses and opened new international regions. He was the information security manager for Bezeq, a national telecommunications company, and the chief scientist at Ofek, a leading Israeli IT and security consulting firm.

Topic: WAF Isn't Enough. The Multi-Faceted Approach to Defend against SQL Injection Attacks

WAFs are essential security mechanisms used on almost all commercial websites today. Despite the excellent protection they offer against many types of attacks, WAFs are inadequate to protect against today’s sophisticated SQL Injection (SQLi) attacks. This is because, fundamentally, a WAF does not understand database commands or database structure. Its protection is limited to a black list of blocked signatures. Even if a WAF did provide complete protection from web access, it still would be inadequate for database protection, because databases are accessed from many sources, not just from web-based applications. Attendees will learn best practices for defending against SQLi attacks using a comprehensive approach of:

Database firewalls Pattern learning processes Separation of duties Risk-based policies Masking of sensitive information