
Management-Metrics
Wednesday, November 20

10:00am EST

How To Stand Up an AppSec Program - Lessons from the Trenches
We all know the importance of building security into the development of a company’s applications. Most of us know many of the steps needed for an effective Application Security Program. In this talk, we will discuss the best practices for implementing an AppSec Program, we’ll list all the moving parts, and we’ll talk about what worked and what didn’t work in various organizations.
Risk Management
Design Review
Lessons Learned


Joe Friedman

Director, Security Architecture and Planning, NYSE Euronext
NYSE Euronext - Application Security Program, Security Architecture; Merrill Lynch - Pentest Program, Security Architecture; Johnson & Johnson - Risk Assessments and Pentests of M&A targets & Operating Companies, Development of Security Processes; Various financial firms, startups... Read More →

Wednesday November 20, 2013 10:00am - 10:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

11:00am EST

Can AppSec Training Really Make a Smarter Developer?

Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard. Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements. The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.


John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a... Read More →

Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs

As an organization born from grassroots ideals and volunteer efforts that started 12 years ago with visionaries such as Mark Curphey, OWASP has grown in members. OWASP's mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and volunteers working on sponsored projects, OWASP has delivered free tools and guides that have helped software developers build more secure web applications. Most notably, the OWASP Top Ten has provided the benchmark for testing web application vulnerabilities for several organizations. Projects such as the Development Guide and Testing Guide provide pointed guidance to software developers on how to design and test web applications. Among the application security stakeholders that OWASP serves today, Chief Information Security Officers (CISOs) are often the ones who make decisions on rolling out application security programs and activities, invest in new tools, and set budgets for application security resources. Recognizing the important role that the CISO has in managing application security processes within organizations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats, and considering the costs and the benefits for the organization. Recognizing that a CISO guide has first and foremost to capture the needs of CISOs in managing application security from information security governance, risk, and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to CISOs' specific needs.
One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects and resources that can help them roll out an application security program whose main goal is managing web application security risks.


Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and... Read More →

Marco Morana

SVP, Citi
Dr. Morana is SVP at Citi's Information Security based in Tampa, focusing on bringing emerging technologies for cybersecurity and FinTech to the level of maturity required for adoption by Citi and Citi clients. In his day-to-day job his focus is documenting internal technology standards... Read More →

Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Making the Future Secure with Java

The world is not the same place it was when Java started. It’s 2013, and attackers are intensely motivated, sophisticated, and well organized. Java security is a significant concern across many organizations as well as for individuals. Attend to learn more about Oracle’s progress on Java platform security and some of our plans for the future.


Milton Smith

Sr. Principal Product Security Manager - Java, Oracle
Milton Smith (Twitter, @spoofzu) leads the strategic security program for Java platform products as Sr. Principal Security PM at Oracle. Milton is responsible for defining the security vision for Java and managing working relationships with security organizations, researchers, and... Read More →

Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Tagging Your Code with a Useful Assurance Label

With so many ways for software to be vulnerable, businesses need a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software. This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life-cycle of a project so that you target the most impactful weaknesses when they are most visible. The approach can be done consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully. Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernible/findable in each of the different stages of a software development effort. For example, when you have a live exemplar system available you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be on looking for weaknesses that are findable by static analysis tools. The follow-on step to this approach is to use what you found and what you did to create “An Assurance Tag for Binaries”, basically an assurance "food label" for the code of that project. This talk will conclude with a discussion of what such a tag could look like, what it could capture, how the information could be obtained, who would/could create them, and how they could be represented for humans and machines to use.


Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community... Read More →

Robert Martin

Senior Principal Engineer, The MITRE Corporation
Robert A. Martin, Senior Principal Engineer of the MITRE Corporation and member of the Industrial Internet Consortium Steering Committee has dedicated his career to working on solving some of the world’s most difficult problems in systems and software engineering – including cybersecurity... Read More →

Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

Thursday, November 21

9:00am EST

AppSec at DevOps Speed and Portfolio Scale

Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps.
Unfortunately, software assurance hasn’t kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today’s best software assurance techniques *can’t* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we’re making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It’s not just security tools – application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.


Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and love... Read More →

Thursday November 21, 2013 9:00am - 9:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Leveraging OWASP in Open Source Projects - CAS AppSec Working Group

The CAS AppSec Working Group is a diverse volunteer team of builders, breakers, and defenders that is working to improve the security of Jasig CAS, an open source WebSSO project. This presentation will show how the team is leveraging OWASP resources to improve security, provide security artifacts for potential adopters, and implement policy and processes for vulnerability analysis and notification. The story is significant in that it directly addresses OWASP A9 "Using Components with Known Vulnerabilities / Secure Coding", and points towards a model that other open source projects could adopt.


David Ohsie

David came to EMC in 2005 in its acquisition of SMARTS. At SMARTS, he devised and implemented the latest version of its automated root cause analysis algorithm. David received his PhD in Computer Science from Columbia University in 1997. 4 years experience in product security assessment... Read More →

Bill Thompson

IAM Director, Unicon
Bill is the Director of the IAM Practice at Unicon, and leads a team of professionals providing IT consulting services to the Higher Education community with a focus on Identity and Access Management, CAS, Shibboleth, and Grouper. Prior to joining Unicon, Bill served as the Senior... Read More →

Aaron Weaver

Principal Security Analyst, Pearson Education
Aaron Weaver is Principal Security Analyst at Pearson Education, the leading learning and publishing company. He has played various roles, from software developer, system engineer, and embedded developer to IT security. He also leads OWASP Philadelphia. Experience includes mobile... Read More →

Thursday November 21, 2013 10:00am - 10:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

The State Of Website Security And The Truth About Accountability and “Best-Practices”

Whether you read the Verizon Data Breach Incidents Report, the Trustwave Global Security Report, the Symantec Internet Security Threat Report, or essentially all other reports throughout the industry, the story is the same -- websites and Web applications are one of, if not the leading target of, cyber-attack. This has been the case for years. Website breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation, and loss of customers. Given modern society’s ever-increasing reliance on the Web, the impact of a breach and the associated costs are going up, and fast. 
At WhiteHat Security we asked customers to answer roughly a dozen very specific survey questions about their SDLC and application security program. Questions such as: 
• How often do you perform security tests on your code during QA?
• What is your typical rate of production code change? 
• Do you perform static code analysis? 
• Have you deployed a Web Application Firewall? 
• Who in your organization is accountable in the event of a breach? 
• We even asked: has your website been breached?
We received responses to this survey from 76 organizations, and then correlated those responses with WhiteHat Sentinel website vulnerability data. The results were both stunning and counter-intuitive. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.

This is exactly the kind of research the application security industry must gather in order to advance the state of the art and to cost-effectively make applications and websites measurably more secure.


Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the... Read More →

Thursday November 21, 2013 11:00am - 11:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

Application Security: Everything we know is wrong

The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software. 
This talk is sure to challenge the status quo of web security today.
"Insanity is doing the same thing over and over and expecting different results." - Albert Einstein
We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?
Our testing methodologies are inconsistent and rely on the individual and the tools they use; some carpenters use glue and some use nails when building a wooden house.
Which is best, and why do we accept poor, inconsistent quality?
Fire-and-forget scanners won’t solve security issues. Attackers take time and skill, but our industry accepts the output of a software programme to help ensure security?
How can we expect developers to listen to security consultants when the consultant has never written a line of code?
Why don’t we ask "How much code development have you done, seeing as you are assessing my code for security bugs?" Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same: it’s all code injection theory!! Why do we do this and make security bugs over complex?

Why are we still happy with “testing security out” rather than the superior “building security in”?


Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin... Read More →

Thursday November 21, 2013 12:00pm - 12:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Award Ceremony (Salon 1, 2, 3 & 4)
Don't miss the wrap-up, awards and highlights of AppSec USA 2013...it will be amazing!


Tom Brennan

Founder, Security Architect, ProactiveRISK
Tom Brennan is a mage at Proactive Risk with two decades of hands on the keyboard building, breaking and defending data for clients worldwide. He is an alumnus of McAfee, Intel Security, SafeCode, Trustwave, WhiteHat, ADP, Datek Online and the United States Marines. As a volunteer... Read More →

Peter Dean

Sr Account Executive, Aspect Security

Thursday November 21, 2013 4:00pm - 5:00pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis