---
layout: col-sidebar
title: OWASP Austin - Past Events
tags: austin
region: North America
altfooter: true
---
(see Past Events Archive for earlier events)
When: Tuesday, July 28th, 2020 @ 12:00 AM - 1:00 PM
Title: The Spice Must Flow: AppSec for DevOps
Your approach to application security will likely be dictated by your team’s role in the development process. Developers will usually gravitate to SAST and security engineers to DAST but what about everyone in between? Should DevOps try to adopt these strategies, modify them, or reinvent the wheel?
In this session, we’ll discuss several different approaches that you can take when rolling out your application security strategy that keep DevOps top of mind.
Speaker:
Garrett Gross received his first modem at age six and has been plugged in ever since. Today, he is a technical advisor for the VRM practice at Rapid7, specializing in application security. Garrett serves as an interdepartmental liaison, a global escalation layer for the practice, and provides technical enablement across all organizations. He has served in various information technology roles in a myriad of environments, ranging from systems administration in higher education to network engineering at security startups. Garrett has been a hacker and technophile his entire life, loving nothing more than discovering new ways to make and break things.
Youtube: Here!
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Architecting for Security in the Cloud
Emergency fill-in presentation. Josh presented on the best practices and lessons learned from architecting SimpleRisk on cloud providers.
Speaker:
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Youtube: Here!
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Why is Organizational Change Management important in Cybersecurity for healthcare
Digital transformation in the Health Sector has been underway for many years, and the issue of security has become increasingly problematic and costly to the healthcare ecosystem. New innovations and legacy systems create the need to be more secure in order to protect your healthcare data. A 2013 Presidential directive placed healthcare among the critical infrastructure sectors alongside other industries. Today, with Covid-19, it is more necessary than ever.
This talk covers why it is risky not to have a change model to help accelerate adoption and awareness of a better cybersecurity posture in healthcare, and how culture plays an important role in addressing cybersecurity in healthcare.
Speaker:
Hazel arrived in Austin under 2 years ago from the UK, having worked in healthcare for over 16 years. She is a highly organised leader, consultant and advisor on EPR deployments in both private and government organizations. Hazel specializes in architecting change to support business transformation, leveraging deep industry experience from heading up ventures in the UK, Ireland, and Europe. She brings value to organizations by ensuring operational readiness, driving faster adoption, and getting engagement from the right people to accelerate business change, delivering cost benefits in an efficient and effective manner. Her recent work here in the US has been in cybersecurity in healthcare, working with Health2047, the innovation and investment organization of the American Medical Association, where Health2047 is transforming healthcare to better protect patient healthcare data.
Youtube: Here!
When: Tuesday, April 28th, 2020 @ 11:45 AM - 1:00 PM
Title: Incident Response is haaaaard, But it doesn’t have to be – PREPARE NOW
So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that a system has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you quickly and easily investigate it? You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used. Let's take a look at how we do Incident Response on a system and what you can do to prepare for an inevitable event.
How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all of your systems and retrieve the results? Do you block some well-known exploitable things? How do you know?
Everything mentioned here is FREE and you already have it!
This talk will describe these things and how to prepare, and be PREPARED, to do Incident Response, yes, even for DevOps. A few tools will be discussed as well that you can use to speed things up.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the inevitable, an incident.
Speaker:
Michael Gough is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences, helping to educate on security that attendees can go back to work and actually do. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits Windows settings, harvests and reports on malicious Windows log data, and evaluates for malicious system artifacts. Michael also blogs at HackerHurricane.com on various InfoSec topics. For the infosec community at large, Michael ran the BSides Texas entity (managing BSides conferences in Austin, San Antonio, Dallas and Houston) for six years and led the Austin BSides conference.
When: Tuesday, March 31st, 2020 @ 11:45 AM - 1:00 PM
Title: Secure Application Development (with Cloud)
Most of us have developed software in one form or the other over our careers. Have we paid attention to all domains of the software lifecycle? This is a walkthrough of those domains that should span development from cradle to grave of any software development lifecycle, with a focus on security. We will follow that by a quick demo of how CI/CD and DevSecOps practices can help us address these concerns for deployment to cloud providers like AWS and Azure in a hybrid cloud environment.
Speaker:
Sam Gamare is an Austin, Texas-based Enterprise Architect who works for Dell Technologies. He has a broad IT background spanning two decades of experience in several roles across several different industries, from Fortune 500 companies (like Dell, General Motors, Citibank, JPMorgan, Wendy's, and several others) to State government (Texas / Indiana). His work focuses on designing solutions that solve problems for his business customers, with solutions that span several technologies like .NET/Java/Open Source, across several development domains that include the database, network, security, and cloud-based deployments. He has a passion for security and development. He holds several certifications, including AWS Architect Associate, AWS Developer Associate, Certified Scrum Master (CSM), and CISSP. In his free time, he entertains himself with Raspberry Pi and tech books.
When: Tuesday, February 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Using Nmap's XSLT switch to better organize result scan data
Nmap is an old friend and one of the most-used tools in our box. On scans against large-scale networks, identifying ports with web applications might be easy using some common command line switches, but gathering the normal output to enumerate and identify targets is difficult. This talk is about using Nmap's XML output switch combined with customized XSLT documents to save time and organize the output in a format, such as CSV, that provides penetration testers with richer analysis capabilities, or even HTML that is "report ready". We will look more closely at the XML output that Nmap provides (including NSE data) and learn how XSLT can be harnessed to derive usable custom documents.
This talk will have application to some or all of the following OWASP testing procedures:
- ASVS 9 Communication Security Requirements (9.1.1, 9.2.2)
- OTG-INFO-004 Enumerate Applications on Web Server
- OTG-CONFIG-006 Test HTTP Methods
- OTG-CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- …others, as NSE scripts are applicable, and the Penetration Testing Execution Standard
Speaker:
Mark Spears is a Sr. Security Consultant for Solis Security, an Austin-based security firm that performs DFIR, GRC, MSSP, and Penetration Testing, where he currently leads the Red Team doing a lot of IP-based and Web Application testing while mentoring his younger peers.
Throughout Mark's 20+ years in the industry, he has been a:
- Programmer in a wide range of compiled and scripted languages but focused mainly on the Microsoft stack
- Teacher at different schools on all topics of database design, coding, and web development.
- Entrepreneur who wrote payments software as a Level 1 PCI Gateway and acted as CISO for 8 years until helping bring the company to a sale.
- Virtual CISO for several companies simultaneously including multiple banks providing monthly security services, audit support, and annual Risk Assessments based on GLBA or other needed compliance frameworks.
- Constant student and teacher seeking mentors while mentoring.
When: Thursday, February 13th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsors: Sonatype and NowSecure
When: Tuesday, January 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OWASP Austin CryptoParty!
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF), wrote 'A Declaration of the Independence of Cyberspace', where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and ongoing wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speakers: Josh Sokol, Sam Gamare, Pradeep Nambiar
When: Thursday, January 9th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsor: Pure Storage
When: Tuesday & Wednesday, October 22-23, 2019 (Pre-Conference Training), Thursday & Friday, October 24-25, 2019 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
We had a great time celebrating our 10th year anniversary of LASCON. Many thanks to those who attended!
When: Tuesday, September 24th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices
OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each scoped to the type of client obtaining authorization and the type or types of resource owners that must grant access. Diverging from these defined scopes can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.
Speaker: Pak Foley
Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular, he has spent much of his time seeking out and mitigating vulnerabilities from misimplemented OAuth solutions and contributed to the open source Rails OAuth provider, Doorkeeper. His passion for securing web applications has prompted his recent move from IAM to security.
When: Thursday, September 12th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Synack
When: Tuesday, August 27th @ 11:45 AM - 1:00 PM
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin TX 78757
Title: A Standards-Based Approach to Assessing Your Organization's Cybersecurity Maturity
We were tasked with creating a roadmap for the National Instruments Information Security Program. While we had previously used a Gartner Maturity Model to figure out how far along our organization was, we found their recommendations to be too high level to define an actionable roadmap. After some discussion, we determined that we could use the NIST Cybersecurity Framework to not only assess our maturity, but also define risk in our environment, and create a roadmap. This talk will not only show you how we did it, but how you can do it too!
Speaker: Josh Sokol and Alex Polimeni
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped "HTTPS Can Byte Me" talk at Black Hat 2010, and recently completed a four year term serving on the OWASP Global Board of Directors.
Alex Polimeni runs the IT Compliance program at National Instruments. He gave his first security talk at BSides Austin in 2019 and is excited about sharing his experience with the OWASP crowd. He is a former boxer and once got stuck in a cave.
When: Tuesday, July 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Data Loss Prevention
Data is being produced and consumed at an exponentially increasing rate by organizations and individuals. Can firewalls truly prevent the loss, misuse, or unauthorized access of sensitive data? What are the standard methods for Data Loss Prevention? Who needs them? Are there any methods overlooked or underutilized? Why should a DLP strategy be the top priority for the organization?
Speaker: Shirish Patil
Shirish Patil has over 20 years of experience leading and implementing enterprise data management and architecture solutions for public and private sector organizations. His focus has been on enterprise-wide information and data management strategy, data architecture, data governance, data quality, data modeling, database performance and business intelligence capabilities. Shirish is based in Austin, Texas, has vast experience in IT and management consulting, and has been leveraging data, technologies and common sense to create strategies and solutions that achieve organizational goals for clients. Shirish is a consulting Lead Enterprise Data Architect in the Advanced Digital Technology and Analytics group at Grant Thornton in Austin, TX, defining their Enterprise Information and Data Management Strategy for the short term and long term. As a Lead Enterprise Data Architect at Sitek Inc., an IT consulting and services firm, Shirish has designed and architected several data-centric solutions for the Texas Health and Human Services Commission (HHSC) and Duke Energy. The solutions were wide-ranging, from basic database designs to laying the foundation for application scalability to enterprise-wide data initiatives and strategy for one of the largest Integrated Eligibility applications in the United States. Prior to engaging with Sitek Inc., Shirish consulted for Verizon Wireless and Deloitte. Before his time with these organizations, Shirish worked for the European analytics and regulatory reporting firm FRSGlobal and the major US lending company Mortgage Cadence through their partner firms. Shirish developed and managed regulatory reports, database platform migration and enhanced performance of the database design for these organizations, and was recognized for his leadership and ability to execute with innovative approaches to database management. Shirish has presented at many international conferences as a keynote speaker on data management and data security topics.
He currently serves on the Editorial Board and Technical Program Committee, and as a Reviewer, for several international journals and conferences on Databases and Data Mining, Database Management Systems, Computer Science, Cyber Security, Information Technology and Software Engineering.
When: Thursday, July 11th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759.
Sponsor: Contrast Security
When: Tuesday, June 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Passwords are Secure
Do passwords really work? Can they? What are the alternatives? This talk will be a conversation about alternatives, and an open interchange of ideas. Everyone knows passwords are very difficult for users to deal with.
Speaker: Dovell Bonnett – “The Password Guy”
Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has led him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is an Identity Management solution that combines Multi-Factor Authentication and enterprise password management. Power LogOn is used by corporations, hospitals, educational institutions, police departments, government agencies, and more around the world.
Dovell is a frequent speaker and sought-after consultant on the topics of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity, and his new social media column is the Guardians of the Gateway.
When: Tuesday, May 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Schrödinger's SOC - The Human Element of Information Security
People are what drive security; elements of that include salary, innovation, mission, education and peace of mind. Security as a career field is exhausting, even straining, and leaders in these spaces need to ask and listen to their practitioners. Anecdotally: I've witnessed security organizations ignored, yet praised by leadership for their work. Thus, does the security operation exist? Or is it too much of a cost center? How can leaders utilize their security assets for organizational and personnel growth? How can the security worker look towards a better work/life balance?
Speaker: Ricky Banda
Security professional with 8 years of experience in the field, 12 IT/Security certifications, 25 years old. His professional career began as a DoD intern for the 24th Air Force at age 17, following his success with the CyberPatriot program. Recognized by the state of Texas, and an outspoken volunteer for public education cybersecurity initiatives. Specialty in incident handling, security architecture, and forensic analysis.
When: Thursday, May 9th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Qualys
When: Tuesday, April 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Securing AWS: A Real-World Case Study
Using a cloud-first, governance-driven approach to reduce and mitigate the risks of managing privileged access and identities in an AWS environment, we'll review a real-world example of how a Fortune 500 company performs:
- Management of privileged access to AWS workloads
- Real-time monitoring and enforcement of baseline security policies on their AWS infrastructure
- Access visibility of federated identities to AWS objects on a periodic basis with continuous compliance controls
- Periodic certification process for critical resources hosted in their AWS ecosystem to ensure only authorized individuals have access to their AWS ecosystem
- AWS Role lifecycle management and governance
Speaker: Diana Volere
Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to help them derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work she loves travel, gastronomy, sci-fi, and most other activities associated with being a geek.
When: Tuesday, March 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Browser Hardening, Personal Security and Privacy Measures
In this day and age, it is becoming increasingly difficult to stay secure and private online. In this talk, we will show you how to harden your browser, along with a set of best practices aimed at improving one's security and privacy.
Speaker: Héctor Quartino
Héctor is the manager of the Product Security Engineering team at Oracle+NetSuite. He has been a software developer for more than 15 years in multiple technologies (Java, .NET and Web).
When: Tuesday, February 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Angular for AppSec Professionals
One of the most popular web frameworks is Angular. While you don't need to become an expert in new JavaScript frameworks to be able to conduct successful assessments of Angular applications, knowing the fundamentals and building blocks of that framework can definitely give you an advantage during the initial phases of an application security assessment. This talk aims to introduce application security professionals to the basics of AngularJS and Angular applications from a security standpoint. We will also demonstrate how to dynamically debug Angular code from the browser console. This allows us to change the behavior of an application by manipulating Angular components. With that knowledge in hand, we can start conducting a more in-depth analysis of Angular-based applications.
Speaker: Alex Useche
Alex is an Application Security Consultant at nVisium and has over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked with and architected mobile and web applications in a wide range of languages and frameworks, including Angular, .NET and Django. While his expertise is in application security, Alex also has experience conducting penetration tests of internal and external networks. In his previous position, Alex led several projects aimed at building secure coding and DevOps processes for a mid-sized consultancy agency, as well as automating security analysis tasks. Alex has a Bachelor's in Information Technology and a Master's in Software Engineering. He has also conducted and published research on artificial intelligence technologies. Alex is actively working on developing security tools written in Go and participating in various bug bounties.
When: Thursday, February 7th, 6:00 pm - 8:30 pm
Where: 77° Rooftop Bar, 11500 E Rock Rose Ave, Austin, TX 78758
Sponsor: Secure | Austin.
When: Tuesday, January 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OWASP Austin CryptoParty!
- Introduction (Josh Sokol)
- Phone as Security: the trifecta of Signal, Password Manager, and MFA (Dan Ehrlich)
- Hardware Security Keys (Ryan Breed)
- You are the captain of your Data (Shirish Patil)
When: Tuesday & Wednesday, October 23-24, 2018 (Training Days), Thursday & Friday, October 25-26, 2018 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
Presentations and other information
When: Tuesday, September 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Scaling Your Cyber Security Threat Modeling
There are two schools of thought around threat modeling. One school advocates the creation of attack trees and data flow diagrams. This requires extensive, cross-functional security skills and is not a scalable approach. The other school encourages organic insertion of defenses based only on current context, without "boiling the ocean". This lack of systems thinking leaves applications vulnerable, as exploits in a weaker component can open the door to critical systems. Part of the problem is that threat modeling today is largely an art. We need to inject more science into this domain and derive a repeatable and auditable approach that maps to risk. Such a model should abstract away the non-scalable elements and still provide a high degree of assurance in today's faster-velocity business context.
This presentation will outline a threat modeling framework that abstracts traditional methods into systems, data, and people components. You will come away with an approach that takes away some of the scalability problems of traditional threat modeling, yet provides sufficient rigor and systems thinking to help manage risk.
Speaker: Pranoy De - Software Engineer
Pranoy currently works as a backend developer at Security Compass, helping to develop industry-leading application security products. Over the years, Pranoy has taken on a variety of roles, which included working as a software consultant, working as a network engineer, and writing software for the VFX industry. As a network engineer, Pranoy primarily spent his time developing and conducting planned DDoS attacks for companies testing their defenses. This was his first position in the world of cybersecurity, and it eventually led to his current role in application security.
When: Thursday, September 13th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Thanks to our last-minute sponsor, Michael Gough with LOG-MD.
When: Tuesday, August 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Deploying a Secure NodeJS app with Docker and Kubernetes
Learn how to secure a NodeJS application from development to production. We will walk you through best practices of developing a NodeJS application with Docker and deploying it with Kubernetes while building security into each step of the process.
Speaker: Brett Stewart
Brett Stewart is Co-Founder and CTO of truFable. He has been a leader in the startup scene, previously serving as the lead software architect and advisor to CrowdFunder.com. Brett has consulted for some of the top brands in the tech and media industry and has spoken at several DevOps and security events. He works with organizations such as WeWork and Bunker Labs, assisting Veterans looking to take their tech startups to the next level.
When: Tuesday, July 31st @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Introduction to Electron Security
Electron allows developers to build cross platform desktop apps with JavaScript, HTML, and CSS. Electron is a framework for creating native applications with web technologies. More and more companies such as Slack, Microsoft, and Docker have adopted Electron for desktop applications. This talk will go over the basics and the security implications.
Speaker: Marcus J. Carey
Marcus J. Carey is the founder and CEO of Threatcare. He is a hacker who helps organizations build, measure, and maintain cybersecurity programs. Marcus started his technology voyage in U.S. Navy Cryptology and working at the National Security Agency (NSA).
When: Thursday, July 12th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Rapid7
When: Tuesday, June 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: The State of DevSecOps
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
Speakers: Ernest Mueller and James Wickett
When: Thursday, June 14th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: SecureWorks
When: Tuesday, May 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Trust: Designing Privacy, Consent, & Security into Your Products
Most software today collects and tracks as much data as possible with no concern for privacy or user consent. Consumers and regulations are starting to demand change. It's time to focus on building trust with our users. Our products should collect only what data is necessary, should always receive consent before collecting data, and should have proper security in place to protect collected data.
Speaker: Taylor McCaslin
Taylor McCaslin is a multi-disciplinary technologist and Product Manager living in Austin, Texas. He currently works as a Mobile Product Manager at Duo Security. Taylor is an advocate and defender of privacy, consent, and inclusion. Taylor graduated from The University of Texas at Austin, where he studied business, theatre, computer science, and digital art & media. For the past 6 years, he’s worked at enterprise-scale, hyper-growth technology companies including WP Engine, Indeed.com, and Bazaarvoice. Taylor also enjoys volunteering with local human rights and LGBTQ organizations around central Texas.
https://www.taylormccaslin.com/
https://www.linkedin.com/in/taylormccaslin
https://twitter.com/digital_SaaS
When: Thursday, May 10th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: DirectDefense
When: Tuesday, April 24th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Cloud Jacking
Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and a click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.
Speaker: Bryan McAninch
When: Thursday, April 12th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Cisco
When: Tuesday, March 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Cryptocurrencies - More than just bubbles, money and Dogecoins
Speaker: Arthur Kendrick
When: Wednesday, March 7th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Co-sponsors: Critical Start and Mimecast
When: Tuesday, February 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: DevSecOps Unplugged (Results from our latest research on DevSecOps)
There is a confluence of forces that disrupt the ability of organizations to implement DevSecOps effectively. We continue to increase our dependence on software, but teams are still relatively immature in developing securely. Our systems continue to grow exponentially complex. With IoT starting to take off, there is no clear industry vision for securing these devices. Cybersecurity threats continue to rise. Even the most diligent teams find themselves subtly gaining technical debt because they are unable to do the job right. This impact is felt across industries: telecommunications, financial, software development, transportation, and medical, just to name a few. So what is our response as security professionals? We have software tools and databases like the OWASP Top 10, CWE/CVE, SANS Top 25 and so on. But what we need is a set of patterns and anti-patterns for implementing DevSecOps.
Our talk will highlight what we’ve observed in conducting research from Tier 1 peer reviewed articles from 2016 to the present. We will present what seems to be emerging as a set of best practices as well as anti-patterns in DevSecOps.
Speaker: Altaz Valani
[https://vimeo.com/channels/owaspaustin/262482415 Vimeo]
When: Thursday, February 8th, 5:00 pm - 7:00 pm
Where: Baby A's, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: RSA
When: Tuesday, January 23rd @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: CryptoParty
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear.
To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speakers: Josh Sokol, Bankim Tejani, Dave Sanford, David Vas, Michael Marotta, and Nate Sanders
[https://vimeo.com/channels/owaspaustin/254361873 Vimeo]
Presentation slides:
- [https://www.owasp.org/images/a/ac/OWASP-Austin-Mtg-2018Jan-CryptoParty-Josh-Sokol.pdf Josh Sokol - Introduction]
- [https://www.owasp.org/images/c/ca/OWASP-Austin-Mtg-2018Jan-CryptoParty-Bankim-Tejani.pdf Bankim Tejani - Secure Communication and Data Sharing with PGP]
- [https://www.owasp.org/images/8/89/OWASP-Austin-Mtg-2018Jan-CryptoParty-Dave-Sanford.pdf Dave Sanford - Decentralized IDs and Verifiable Claim]
- [https://www.owasp.org/images/8/8b/OWASP-Austin-Mtg-2018Jan-CryptoParty-Michael-Marotta.pdf Michael Marotta - Charles Babbage: Codebreaker]
- [https://www.owasp.org/images/9/9e/OWASP-Austin-Mtg-2018Jan-CryptoParty-David-Vas.pdf David Vas - Zero Knowledge Bets]
- [https://www.owasp.org/images/1/1a/OWASP-Austin-Mtg-2018Jan-CryptoParty-Nate-Sanders.pdf Nate Sanders - Keybase]
When: Tuesday & Wednesday, October 24-25, 2017 (Training Days), Thursday & Friday, October 26-27, 2017 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
[https://lascon.org/lascon2017/ Presentations and other information]
When: Tuesday, September 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: How to create Purple Team Exercises, using the Cyber Kill Chain and Extended CKC as a framework
Purple Teaming is conducting focused Red Team exercises with clear training objectives for the Blue Team, with the ultimate goal of improving the organization’s overall security posture. You don’t necessarily need a ‘red team’; anyone can do it. This talk will show how to build and plan cyber exercises, using the Cyber Kill Chain and Extended Cyber Kill Chain as a framework.
Speaker: Haydn Johnson
When: Thursday, September 14th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Contrast Security
When: Tuesday, August 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs
You can ignore the Blockchain hype for identity solutions; it is superb marketing but suboptimal technology. You can also ignore biometrics for a spell. Instead, the real breakthroughs, especially in authentication, will be based on elegant math and crypto, e.g., Zero-Knowledge Proofs (ZKP). These have the added benefit of being privacy-preserving and amenable to user control of identity attributes. ZKP has been identified as a category for many other solutions in the future, not just identity. Conceived at MIT in 1985 by Shafi Goldwasser, ZKP is still young. You will see it in many other contexts as appreciation and recognition evolve.
Speaker: Clare Nelson, CISSP, CIPP/E
Clare's focus combines security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of EU regulations including GDPR and PSD2.
Clare’s early technical background includes software development of encrypted TCP/IP variants for NSA. She has held leadership positions in product management, marketing, and technology for companies including EMC2, Dell, Novell, and TeaLeaf Technology (IBM).
Clare is a co-founder of the mentoring organization, C1ph3r_Qu33ns. She headed ClearMark Consulting for 14 years, and she is currently Director, Office of the CTO at AllClear ID. She has a B.S. in Mathematics from Tufts University, and is a lifelong fitness enthusiast.
[https://vimeo.com/channels/owaspaustin/231902811 Vimeo] (apologies for the low audio)
When: Thursday, August 10th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Rapid7
When: Tuesday, July 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Frontline Web App Security
According to the Verizon DBIR (Data Breach Investigation Report) for 2016, web application attacks are the #1 source of data breaches. Web applications account for only 8 percent of overall reported incidents. However, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.
With those threats in mind, it has never been more important to ensure that companies have visibility into what is happening with their web apps. The most effective way to address application flaws and preemptively block unknown attacks is to have a close relationship with your web application firewall.
Static, signature based blocking is not enough to address never before seen attacks. In this talk, we will walk through scenarios that we have observed, talk about coding practices that enable your web app to be secured, and describe the steps that are taken to defend against critical web applications attacks.
Speakers: Paul Scott and Jason Payne
Paul Scott is an OWASP Houston chapter leader and the Manager of Alert Logic’s Web Application Security Team. Jason Payne ran the Alert Logic Global Security Operations Center for nearly a decade and is now engineering solutions to defend systems, networks, and applications on premises and in the cloud.
[https://vimeo.com/channels/owaspaustin/231902836 Vimeo]
When: Thursday, July 13th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Technology Navigators
When: Tuesday, June 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Making Vulnerability Management Less Painful with OWASP DefectDojo
DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management with automation centered around templating, report generation, metrics, scanner consolidation, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to consolidate and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.
Speaker: Greg Anderson
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. His recent work has focused on advanced security automation to get the most out of application security programs. Greg's previous work, which was featured at DEFCON, focused on unconventional attack vectors and how to maximize their impact while avoiding detection. Greg is the creator of DefectDojo and was a Chapter Leader of OWASP San Antonio for two years.
Feel free to chat him up about anything and everything.
[https://vimeo.com/223334540 Vimeo]
When: Thursday, June 8th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Cyberbit
When: Tuesday, May 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Annoying web app vulnerabilities: HTTP Request Smuggling, HTTP Response Splitting and Cross-Origin Resource Sharing Misconfigurations.
Part 1:
**Abstract:** HTTP Request Smuggling is an attack capable of bypassing security protections and "poisoning the well" for caching web proxies. In this talk we'll be discussing attack scenarios and their security implications.
Speaker: Gabriel has been actively involved in the security industry since 2007 and currently holds the position of security analyst at Rapid7.
Part 2:
**Abstract:** HTTP Response Splitting is a web application vulnerability that is often misunderstood, but can lead to a serious compromise. This talk will walk through the basics of Response Splitting, how an attack works, and what you can do to defend against it.
Speaker: Ben Columbus is a security analyst for Rapid7, who specializes in network and web application penetration testing. He has been working in security for the last eight years in various positions and was previously a penetration tester for the State of Texas.
Part 3:
**Abstract:** The talk will provide information about headers used for Cross-Origin Resource Sharing (CORS) and how servers use these headers to communicate access policy to browsers. The possible security implications of misconfigured CORS headers will be discussed.
Speaker: Jacob enjoys learning about security vulnerabilities and their usage in the real world.
[https://vimeo.com/219563653 Vimeo]
When: Wednesday, May 3rd, 5:00 pm - 7:00 pm
Where: Mister Tramps Sports Pub and Cafe, 8565 Research Blvd, Austin TX 78758 (different location and date to coincide with BSides Austin)
Sponsor: Rapid7
When: Tuesday, April 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: The CISO Playbook
The era of CISO-as-dictator is at an end. Growing cybersecurity with the business can be tricky and requires security leaders to find ways to get to “yes” with the business. This session will cover solid tactics to lead successful change throughout your organization.
Speaker: John McLeod
John McLeod is the CISO at AlienVault, responsible for cyber security in the enterprise and their products. John is a former Air Force Special Agent with over 20 years of experience in information security including, but not limited to, criminal, counter-intelligence, fraud and computer crime investigations. Prior to joining AlienVault, he served as the Director of Information Security for National Oilwell Varco. His experience includes management roles for Halliburton, Mandiant, Guidance Software, and Mantech International. The US Intelligence community recognized him for his work in steganography. As a consultant, he responded to some of the highly publicized cyber-attacks, including Moonlight Maze, Titan Rain, Night Dragon, TJX and Operation Aurora. He holds a B.S. in Information Systems Management from the University of Maryland University College and an M.S. in Network Security from Capitol College in Maryland. Additionally, he is a Certified Information Systems Security Professional (CISSP).
[https://vimeo.com/214731194 Vimeo] | [https://www.owasp.org/images/b/b5/OWASP-Austin-Chapter-2017-04_CISO-Playbook.pdf Presentation Slides]
When: Thursday, April 6th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Amazon
When: Tuesday, March 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: DevSecOps Lessons from Detroit to Deming
In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day. To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality. At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality vehicles, for less cost, at higher velocity. As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan. The parallels between the auto industry of 35 years ago and software development practices in place today are remarkable. DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects, including critical security vulnerabilities.
This session aimed to enlighten Security, DevOps, and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation also revealed findings from the 2017 DevSecOps Community survey where over 2,200 professionals shared their experiences blending DevOps and security practices together. Throughout the discussion, Derek shared lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.
Speaker: Derek E. Weeks
After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek became a huge advocate of applying proven supply chain management principles to AppSec practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevSecOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of the All Day DevOps conference and the lead researcher behind the annual State of the Software Supply Chain report.
[https://vimeo.com/210478219 Vimeo]
When: Thursday, March 9th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Rapid7
When: Tuesday, February 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Building and Breaking Password Reset Mechanisms
It happens to everyone: you forgot your password. Now you need to get back into your account and prove you are who you say you are, but without using your password as proof. How, then, can that be done securely? More interestingly, how can it be done insecurely? This talk will dissect a number of security vulnerabilities found in real-world password reset mechanisms, and discuss how password reset mechanisms should be built.
Speaker: Dan Crowley
Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.
When: Thursday, February 9th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Vectra Networks
When: Tuesday, January 31st @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Random Number Generation - Lava Lamps, Clouds and the IoT
Random numbers are the basis of security for all cryptography, yet they are often taken for granted. Learn why random numbers are so hard to generate and validate, compare different technologies in use today across virtualized environments, and discuss operational steps to take the risk out of random numbers and help secure cryptosystems even into the era of quantum computers.
Speaker: Richard Moulds
[https://vimeo.com/202234199 Vimeo]
When: Thursday, January 12th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsors: Bugcrowd and Rapid7