50 Shades of AppSec – Troy Hunt
OWASP ZAP: 2.4.0 and beyond… – Simon Bennetts
Red team, blue team or white cell? – Trends in IT and how they force security to behave as an immune system – Frank Breedijk
Continuous Acceleration: Why Continuous Everything Requires a Supply Chain Approach – Joshua Corman
From Zero to Hero – or how OWASP saved my holiday – Tobias Gondrom
HTTPS is better than ever before. Now it’s your turn – Jim Manico
Securing the Internet of Things – Steve Lord
Lessons from DevOps: Taking DevOps practices into your AppSec Life – Matt Tesauro
Security is part of the DNA of a Defense organisation – Hans Folmer, Colonel RNLDA
The software not the human is the weakest link – Brenno de Winter
50 Shades of AppSec
Troy Hunt
The AppSec industry is enormously diverse and it only continues to diverge as we put more software into more things with more connections. It’s an industry that’s fluctuating between the sophisticated to the absurd, the intelligent to the primitive and the scary to the outright hilarious. There’s valuable lessons to be taken away from these events and applied in our future security efforts.
In this talk, Troy is going to cover a broad spectrum of what’s happening in our industry – an entire 50 shades of it in only 45 minutes – and you’ll get a sense of just how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy will cover everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.
OWASP ZAP: 2.4.0 and beyond…
Simon Bennetts
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors.
While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing.
In this talk Simon will give a quick introduction to ZAP before focussing on some of the changes introduced in the latest release (2.4.0). After that he will talk about the future of ZAP including a significant new direction for the project.
Red team, blue team or white cell? – Trends in IT and how they force security to behave as an immune system
Frank Breedijk
The past few decades have been decades of change for IT. IT is no longer the department that operates from within the safe was of your datacenter, but it is the group of people that makes sure that your local IT (if you have any left) works well with your cloud services, interacts smoothly with the systems of your partners and has to deal with increasing consumerization, BYOD and the Internet of things.
This forces security to play a different role in the system, it can no longer be the department of NO, the defends the walls of the datacenter castle, but has to operate more like the a bodies immune system.
This talk wil focus on these developments, their impact on IT and security and how security can adapt to cope and keep the patient alive.
Continuous Acceleration: Why Continuous Everything Requires a Supply Chain Approach
Joshua Corman
With continuous development, we write less code and consume more re-usable open source code. Innovation is accelerated and so is application complexity. Complexity is the enemy of quality. Poor quality creates unplanned/unschedule work. Re-work creates a drag on development speed. It’s a continuous loop.
While Agile and DevOps have made us faster and more efficient, they can only take us so far… and worse the year of OpenSource attacks we’ve just had commands better practices.
What if we could deliver applications on-time (even faster), on-budget (even more efficiently) and with a natural byproduct of more acceptable quality and risk?
The good news: other industries have figured this out with supply chain management. Applying supply chain approaches to software raises the bar on continuous goals.
A few of the patterns we can take from the rigor of things like the Toyota Supply Chain:
- Scrutinize the number and quality of your “suppliers”
- Manage out avoidable risk and complexity
- Improve traceability and visibility
- Ensure prompt agile responses when things go wrong
From Zero to Hero – or how OWASP saved my holiday
Tobias Gondrom
Ok. You finally got your first big breach. Everybody knew it was only a question of when not if. So now your Exec Management team is pretty upset, your customers worried, your employees confused, your CEO has you on speed dial and you get the “pleasure” of daily and then weekly briefings on fixing everything and what you do to make sure this never happens again. So, review everything, lots of policies and SDLC to write. Forget your plans for a nice summer holiday next month. Or maybe not?
Setting up, managing and improving your global information security organisation, there are many mature OWASP projects and tools that can help. Achieve cost-effective application security and bring it all together on the management level. A journey through different organisational stages and how OWASP tools help organisations to move forward improving their web and application security. This talk will discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation.
HTTPS is better than ever before. Now it’s your turn
Jim Manico
HTTPS/SSL/TLS has been under fire for years. BEAST, CRIME, POODLE, problems with the inherent weaknesses of the CA system, problems with various versions of the protocol – and more – have plagued HTTPS to be less than satisfactory, at best, as a transport security protocol. However, there is hope. Recent enhancements in browsers have made encryption in transit over the web rigorous and “secure” for the first time in history. This talk will review the HTTPS protocol and describe how it works. Historical attacks and other legacy issues with HTTPS will be discussed. And most important, we will talk about what can be done today to ensure that your users will have the most secure HTTPS experience possible including certificate stapling, ephemeral cipher suites, browser and mobile based certificate pinning, and more. Various guidelines will be provided based on which browsers you need to support. 2015 is the year of GOOD HTTPS STANDARDS, now it’s your turn enhance your HTTPS posture in your websites!
Securing the Internet of Things
Steve Lord
Sometimes a bandwagon seems more like the fail train. The Internet of Things, a fantabulous, Willie-Wonka-esque larger than life term for “Embedded stuff with sensors that shunts data to and from the cloud” is an amazing, technicolour bandwagon and/or all-in-one security fail train. Will it revolutionise the way we post pictures of recently eaten food on Instagram? Or instead do we face a dystopian Snowpiercer-style fail train future filled with regret as The Internet of Things turns on it’s end users as a result of potentially perverse incentives?
In this talk I will discuss the Information superhighway to hell/paradise on which we find ourselves, the route travelled thus far and point out the many good intentions that pave the road ahead. Along the way I’ll illustrate some practical Internet of Things problems from the OWASP Internet of Things Top Ten and issue a call to arms to AppSec specialists both in the cloud and in embedded systems arenas to help ensure that systems are both traditionally secure and operate within an ethical framework that doesn’t leave end users as the product being sold or spied on.
Lessons from DevOps: Taking DevOps practices into your AppSec Life
Matt Tesauro
Bruce Lee once said “Don’t get set into one form, adapt it and build your own, and let it grow, be like water“.
AppSec needs to look beyond itself for answers to solving problems since we live in a world of every increasing numbers of apps. Technology and apps have invaded our lives, so how to you lead a security counter-insurgency? One way is to look at the key tenants of DevOps and apply those that make sense to your approach to AppSec. Something has to change as the application landscape is already changing around us.
This keynote will cover several fundamental principles of DevOps, how they translate into AppSec programs and provide real-world examples of where these principles where put into practice. The goal is to provide the audience with both the theoretical constructs to incorporate the best of DevOps into AppSec as well as concrete examples of the constructs being put to the test. Successes, failures and a few good laughs are on the table for this talk which will hopefully force you to rethink they way you’ve been doing things.
Security is part of the DNA of a Defense organisation
Hans Folmer, Colonel RNLDA
Security is not new. Already the Romans tried to defend themselves against intrusions by enemies. Techniques both in defence and in attack became more sophisticated over the years. Being secure is part of military thinking. Defense in depth is a military term. The military use of ICT has grown over the past decades as it has in the civilian world. This makes it a new target and it makes military vulnerable which requires new thoughts on defence. Within a military operation, but also prior to a mission during exercises and preparation.
The software not the human is the weakest link
Brenno de Winter
Application security is still seen as one of the side tracks of information security. But given the reality that more or less most software sucks we are vulnereable to the core. Let’s see basic mistakes lead to huge risks in our daily live. How can we prevent software from being the weakest link and make the human the weakest link again? Are we telling the story right and how can the community fix this?