
AppSec California 2017

Talks

Twubhubbook: like an appsec program, but for startups

Brent Johnson (GitHub, Application Security Contractor). Brent is working as an Application Security contractor for GitHub as he finishes a B.S. in Computer Science with a minor in Applied ...

Neil Matatall, Brent Johnson

Opening Keynote: Scaling a Software Security Initiative: Lessons from the BSIMM

Gary McGraw, Ph.D. (Synopsys, Vice President Security Technology; website https://garymcgraw.com; @cigitalgem). Gary McGraw is the Vice President Security Technolog...

Gary McGraw

Serverless! The holy grail of security operations (?)

David Cuadrado and Santiago Kantorowicz. David Cuadrado (Twilio, Tech Lead). David is a tech lead at Twilio. He got hired as Authy’s first engineer during YC in 2012 and joined Tw...

David Cuadrado, Santiago Kantorowicz

Serverless

InfoSec at Peak Prevention

Daniel Miessler (IOActive, Director of Advisory Services, San Francisco, California). Security tester and consultant with 17 years of experience. Currently work for IOActive as the head of its Advisory Services group...

Daniel Miessler

Make me a sandwich: Automating a custom SecDevOps pipeline

Patrick Albert and Tony Trummer. Patrick Albert (Tinder, Director of Operations). Military Veteran and Tech junkie with over a decade of experience in Technical Operations and Security. L...

Patrick Albert, Tony Trummer

Protecting Container Applications with Runtime Whitelisting

Chenxi Wang

Life of a Password

Arvind Mani (LinkedIn, Engineering Director, Security, Anti-Abuse & Privacy; https://linkedin.com/in/arvindmani). Arvind is the head of Trust Engineering at LinkedIn where he leads a team of 60+ engineers who solve security,...

Arvind Mani

Threat Modeling for Mobile

Amit Sethi (Cigital, Senior Principal Consultant, Mid-Atlantic; cigital.com). Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigita...

Amit Sethi

Monitoring Application Attack Surface to Integrate Security into DevOps Pipelines

Dan Cornell (Denim Group, Ltd., Chief Technology Officer and a Principal). A globally recognized application security expert, Dan Cornell holds over 15 years of e...

Dan Cornell

DASTProxy: Don’t let your automated security testing program stall on crawl. Instead focus on business context

Srinivasa Rao (eBay, Information Security Engineer). Srinivasa Rao is an Information Security Engineer in AppSec at eBay, responsibl...

Srinivasa Rao, Kiran Shirali

Panel: Women in Security

Marian Merritt • Deidre Diamond • Kelly FitzGerald • Julie Medero • Chenxi Wang. Marian Merritt (National Institute of Standards and Technology, Lead for Industry Engagement, National Initiative for Cybersecurity Education (NICE)). Marian Merri...

Kelly FitzGerald, Deidre Diamond, Chenxi Wang, Julie Medero, Marian Merritt

Want to be secure? Eliminate passwords. If you don't have a password, it can't be stolen!

Jack Bicer (Sekur Me, CEO; website sekur.me). Jack Bicer is the founder and CEO of SEKUR.me, a mobile security and payments company that eliminates password...

Jack Bicer

HSTS, TLS, HPKP, CSP: putting them all together to move to HTTPS

Sun Hwan Kim (Salesforce, Senior Member of Technical Staff, Development). Received Bachelor of Science in Computer Science from Carnegie Mellon University in 2013. Previously In...

Sun Hwan Kim, Julien Sobrier

The Physical Web, interact with anything

Scott Jenson (Google, Product Strategy; website https://linkedin.com/in/scottjenson). Scott Jenson has been doing user interface design and strategic planning for over 25 years. He worked at Apple on System...

Scott Jenson

Java LangSec: New Security Controls in Java 8 and 9

Jim Manico (Manicode Security, Founder, Secure Coding Instructor, Hawaiian Islands; https://manicode.com). Jim is the founder of Manicode Security where he trains software developers on secure ...

Jim Manico

Java

The Road to Free Certificates is Paved with Good Intentions

Jillian Karner (Let's Encrypt/Internet Security Research Group, Log Whisperer). Jillian has worked at black screens with white typewriter text for start-ups in the security field sinc...

Jillian Karner

AWS Survival Guide

Ken Johnson (CTO, nVisium). Ken Johnson has been hacking web applications professionally for 8 years. Ken is both a breaker and a builder and currently leads the nVisium product team. Previously, Ken has spoken at AppSec DC, App...

Ken Johnson

AWS

SPArring with the Security of Single Page Applications

Dan Kuykendall (Rapid7, Senior Director, Application Security Products, California; website https://rapid7.com/products/appspider/). Dan Kuykendall is the Senior Director of Application Se...

Dan Kuykendall

An SDLC for the DevSecOps Era

Zane Lackey (Signal Sciences, Founder/Chief Security Officer, New York, NY; @zanelackey). Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on the Advisory Boards of the Internet Bug...

Zane Lackey

Essential TLS Hardening for Better Web Security

Justin Mayer is the founder of Monitorial.com, a solution for identifying and addressing potential security vulnerabilities. A serial entrepreneur who has designed and built a variety of mobile/w...

Justin Mayer

Closing Keynote: The anatomy of modern deceptive technologies

Full title: Closing Keynote: Hide and Seek just got harder, the anatomy of modern deceptive technologies. Chris Roberts (Acalvio Technologies, Chief Security Architect). Roberts is considered one of the world’s foremost experts on counter threa...

Chris Roberts

Dissecting Browser Privacy

Yan (Brave, Security Engineer; website https://diracdeltas.github.io). Yan is a Sr. Security Engineer at Brave Software working on most things browser-related. She is also a Technology Fellow at EFF, was formerly a mem...

Yan Zhu

Uninvited Guests on the World's Wild Web: Understanding Malicious Web Bots with OWASP Handbook

Tin Zaw (OWASP, Volunteer, Los Angeles; https://linkedin.com/in/tinzaw). Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Appli...

Tin Zaw

Oscar Whiskey Alpha September Papa

Tom Brennan (OWASP Foundation, Global Board of Directors, Greater New York City Area; website owasp.org). Tom is an elected member of the Global Board of Directors for OWASP Foundation. He has served the OWASP ...

Tom Brennan

#securityselfie (size up your appsec program with new metrics)

Jim O'Leary (@jimio) works on Facebook's product-security team; he delights in short biographies.

Jim O'Leary

Scaling Security Testing at the Speed of DevOps

Roger Seagle (Cisco, Principal Engineer, Asheville, NC). Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group...

Roger Seagle

Crowdsourced Security: The Good, The Bad, and The Ugly

Caroline Wong (Cobalt, VP Security Strategy; https://linkedin.com/in/carolinewmwong). Caroline Wong is the VP of Security Strategy at Cobalt. Cobalt delivers crowdsourced pen tests and priv...

Caroline Wong

Continuous security: Bringing agility to the secure development lifecycle

Rod Cope (Rogue Wave Software, CTO; website roguewave.com). Rod Cope, CTO, drives the technology vision for Rogue Wave Software. Rod was the founder and CTO of OpenLogic, a ...

Rod Cope

CSP: The Good, the Bad and the Ugly

Ilya Nesterov (Shape Security, Engineering Manager; https://shapesecurity.com/). Ilya Nesterov is currently an engineering manager at Shape Security, where he is responsible for product quality. Prior to Shape...

Ilya Nesterov

A Case for Integrity: JavaScript Apps Should Have it Too

Pedro is the CTO and co-founder of Jscrambler where he co-leads business development. Holds a degree in Computing Engineering and an MSc in Computer Networks and Services. Has extensive k...

Pedro Fortuna

JavaScript

"Stealth" Authentication - how to not leak information to hackers in web application authentication

Marc Buetikofer serves as Director Innovation and CTO for Airlock, a leading Swiss web application security suite provided by the company Ergon...

Marc Bütikofer

OCSP Stapling in the Wild

Devdatta Akhawe and Emily Stark. Devdatta Akhawe (Dropbox, Engineering Manager; website devd.me). Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. H...

Emily Stark, Devdatta Akhawe

AppSec Pipelines and Event-based Security: Moving beyond a traditional security test

Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO o...

Matt Tesauro

Keynote: Machine Learning - cybersecurity boon or boondoggle

Dr. Zulfikar Ramzan (RSA, Chief Technology Officer). Dr. Zulfikar Ramzan serves as the Chief Technology Officer of RSA. In this role, he is responsible for leading the developmen...

Zulfikar Ramzan

Serverless is teh Hawtness for Defenders and DevOps

James Wickett (Signal Sciences, Head of Research; https://signalsciences.com). James does research at the intersection of DevOps and Security. He is a core developer of Gauntlt (a security...

James Wickett

Serverless

Adding PowerShell to your Arsenal

Jared Haight (Gotham Digital Science, Security Engineer). Jared Haight is a Security Engineer with Gotham Digital Science in Charlotte, NC. Before making the transition to Information Security he was a Systems ...

Jared Haight

A Hybrid Approach for Web App Penetration Testing

David Caissy (TRM Technologies Inc., Penetration Tester, Ottawa, Ontario, Canada; @caissyd; website trm.ca). David Caissy is a web application penetration tester with in-depth developer and IT S...

David Caissy

When Bandit(s) Strike - Defend your Python Code

Will Bengtson and Travis McPeak. Will Bengtson (Nuna, Inc, Senior Security Program Manager; website https://linkedin.com/in/william-bengtson-cissp-26837953). William Bengtson is an information securit...

Travis McPeak, Will Bengtson

Python

On Strategic Defense

Kevin has worked extensively with banks and financial institutions throughout the Middle East, Europe and the UK. He served as leader of a DoD Red Team with 100% success rate of compromise. Some of his recent consulting pr...

Kevin Cardwell