2016 BASC Homepage

Welcome
This is the homepage for the 2016 Boston Application Security Conference (BASC). This free conference will take place from 8:30am to 6:30pm on Saturday, October 1st at:
 * Location: 5 Wayside Road, Burlington, MA. Note that the location is different from last year.

The BASC will be a free, one-day, informal conference, aimed at increasing awareness and knowledge of application security in the greater Boston area. While many of the presentations will cover state-of-the-art application security concepts, the BASC is intended to appeal to a wide array of attendees. Application security professionals, professional software developers, software quality engineers, computer science students, and security software vendors should be able to come to the BASC, learn, and hopefully enjoy themselves at the same time.

Registration
Register now.

Keynote
Analyzing NextGen Security Practices and Security Tools

Jared DeMott

Is DevOps worse or better than the waterfall software development methodology for security? Where, and how, should software security ideally take place? And how do all these NextGen endpoint security tools differ from prior-generation anti-virus? Are they really better? Dr. DeMott enlightens us on those two critical NextGen topics with a conversational but instructional talk.

Dr. DeMott is developing Vision (an EDR product) as the CTO of Binary Defense Systems. Jared is also the founder of and a regular trainer for vdalabs.com. You'll find fingerprints of his work all across the security industry, from fuzzing, code auditing, and exploitation to malware and developer security courses on Pluralsight. When he’s not bypassing EMET or CFG, he’s enjoying time with his family or being active outdoors.

OWASP Boston Chapter
BASC is presented by the OWASP Boston chapter.

<!--

"How I Teach Security"

Rob Cheyne, CEO, Big Brain Security, Executive Director, SOURCE Conference

After spending over 10 years as a builder of software systems, and the next five years on the breaking side of things, I then spent over a decade teaching information security concepts to over 25,000 people around the world at leading global organizations. Over the course of this work, I’ve noticed some interesting patterns across my body of students and clients. Most organizations I have seen have at least one critical area of the business where basic information security best practices were not implemented where they should be. In many cases, this is because people are either not factoring an accurate representation of infosec risks into their planning & project life cycles, or they willfully ignore them. The reason for this often boils down to one thing: the overall level of security awareness in most places is pretty low, even amongst developers, and even in organizations where you would think it should be a lot higher. Amongst business and management groups, it can be practically non-existent because security is still often assumed to be the purview of the security group, the infrastructure team, or the developers. In such an environment, business requirements often take precedence over security requirements, even when the security requirements are truly protecting the best interests of the business. I have seen that many people within a typical organization:
 * have little to no understanding of the actual risks they face.
 * have no idea how to balance rational security options against business requirements to mitigate those risks.
 * think that security is somebody else’s job, and ignore it accordingly.
 * believe that internal systems are somehow safe from attack.
 * think that the data breach will never happen to them.

I have come to believe strongly that this is as much our failure to communicate and influence information security initiatives as it is the business' failure to understand. Given the shortage of infosec professionals in the marketplace, I believe the only way we can scale ourselves is to communicate what we know more effectively. In short, we need to learn how to communicate what we know much, much better than we are doing today.

Security is arguably much more of a people problem than a technology problem, and the ability to communicate rational security wisdom to people outside of the “InfoSec echo chamber” is a highly underrated skill. There are many areas of security where we have solid best practices, but they aren’t followed because the people who need to hear the message the most simply never receive it. Please join me in this frank & interactive discussion of what it means to communicate information security outside of our echo chamber, and discuss some specific strategies for doing so.


 * Date: Saturday, October 3rd, 2016
 * Location: NERD
 * Directions: NERD's website or Google Maps
 * Agenda
 * Speakers
 * Presentations
 * InfoSec Communication Workshop
 * LinkedIn Group
 * Twitter: Follow @BASConf HashTag: #basc2016
 * [[Media:BASCSponsorship2016.docx|Sponsorship Kit]]

Admission to the BASC is free but registration is required for breakfast, lunch, and the evening social time. We will do everything possible to accommodate late registrants but the facility and food are limited. Online registration is now open and you are encouraged to register early.

-->