
Tuesday, October 22
 

8:00am

Defensive Programming for PHP

Title: Defensive Programming for PHP
Trainer: Mike Doyle
When: October 22nd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals


Abstract:
This full-day course helps PHP developers understand the features and specifics of the platform that can potentially introduce risks. The course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

The features and specifics covered by this course include (but are not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Defensive techniques covered by this course include the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery prevention, transport security, and techniques for the prevention of injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration

Labs and Demonstrations

Two labs guide the student through secure configuration and remediation of an insecure PHP application. These labs are provided as an Oracle VirtualBox VM running a typical LAMP stack with configuration management provided by Puppet. A variety of supplemental open source development and security tools are provided on the VMs. Students who wish to participate are encouraged to bring their own laptops with Oracle VirtualBox. Students may wish to collaborate in pairs or small groups.

There are also two interactive demonstrations during which the PHP application is exploited to show directory traversal, information leakage, and SQL injection. Cost is $245.




Speakers

Mike Doyle

Senior Consultant, Cigital


Tuesday October 22, 2013 8:00am - 5:00pm
Gemalto Room A Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am

Secure Developer Training: OWASP Top 10++ (2 Day Training)

Title: Secure Developer Training: OWASP Top 10++
Trainer: Matt Tesauro
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals


Abstract:
The Secure Development Training is a two-day (16 hour) instructor-led course that covers a variety of topics including the OWASP Top 10 Web Application Security Vulnerabilities, Threat Modeling, Basic Security Theory and Encryption. The course includes hands-on labs, interactive exercises and group discussion driven exercises. Special attention is given to mitigation of vulnerabilities in the lab application, particularly at design time or during initial application development.

Real-world examples drawn from the pen testing experience of the instructor are used to demonstrate how minor vulnerabilities can be chained into surprising compromises. The goal of this course is to increase the security awareness and experience among developers, with the subsequent result of producing increasingly rugged code going forward. Additional information covering the gamut of resources available to developers from OWASP is interwoven into the course. On completing the course, attendees should have increased their security foo substantially.

The lab application is written in Python but the training will be programming language agnostic. Cost is $495.



Speakers

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is...


Tuesday October 22, 2013 8:00am - 5:00pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am

Securing Mobile Devices and Applications (2 Day Training)

Title: Securing Mobile Devices and Applications
Trainer: David Lindner
When: October 22nd and 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $495, includes meals


Abstract:
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering that the number of mobile applications available in Google Play and the Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing, it is imperative to perform typical application security practices. But, how is mobile different?

This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.



Speakers

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD...


Tuesday October 22, 2013 8:00am - 5:00pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 
Wednesday, October 23
 

8:00am

Defensive Programming for JavaScript & HTML5 - 1 DAY TRAINING

Title: Defensive Programming for JavaScript & HTML5
Trainer: Ksenia Dmitrieva
When: October 23rd, 2013
Where: LASCON 2013, Austin, TX (held at Norris Conference Center)
Cost: $245, includes meals


Abstract:
Understand JavaScript and HTML5 Features to Secure Your Client-side Code.

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (DOM and SOP), XSS, CSRF, DOM manipulation, Sandboxing iframes, JavaScript Execution Contexts, CORS, Web Messaging, Web Storage, and JSON.
This course is structured into modules and includes code analysis and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications
• Implementing Secure Dataflow
• JSON-related Techniques

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with an insecure web application, and students will participate in two interactive lab sessions where they will learn to fix issues related to the localStorage object, web messaging, the sandbox attribute for iframes, input validation and output encoding, parsing JSON data, and cross-site scripting. There are also two interactive demonstrations showing how to tamper with client-side data, evade client-side filters and work with Firebug. The labs are not compulsory to get the full value of the course.

 


Speakers

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security...


Wednesday October 23, 2013 8:00am - 5:00pm
Gemalto Room A Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am

Secure Developer Training: OWASP Top 10++ (2 Day Training)

Wednesday October 23, 2013 8:00am - 5:00pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

8:00am

Securing Mobile Devices and Applications (2 Day Training)

Wednesday October 23, 2013 8:00am - 5:00pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 
Thursday, October 24
 

8:00am

Expo Hall Opens

Thursday October 24, 2013 8:00am - 9:00am
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

9:00am

The Origins of Insecurity - Keynote with Nick Galbreath
Speakers

Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media...


Thursday October 24, 2013 9:00am - 9:45am
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Malware Automation
Automation is key when it comes to production. The same is true for malware. Malware production has moved on from the traditional manual method to a more efficient automated assembly line. In this talk, I will take the audience on an over-the-shoulder look at how attackers automate malware production. Discussion will focus on the tools and methodologies the attackers use to produce thousands of malware on a daily basis. The talk will then conclude with a live demonstration of how malware is produced in an automated fashion.

Speakers

Christopher Elisan

Principal Malware Scientist, RSA
Christopher Elisan is the author of “Malware, Rootkits and Botnets: A Beginner’s Guide.” Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. Elisan is one of the pioneers of Trend Micro’s TrendLabs where he held multiple technical and managerial positions. After Trend, he led and established F-Secure’s Asia R&D where he spearheaded multiple...


Thursday October 24, 2013 10:00am - 10:45am
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Vulnerability and Threat Management: How Can We close the Gaps?
In this presentation, we will examine how sound application development, configuration, and ongoing operations can improve your vulnerability and threat management process, as well as compliance. Topics will include how the DevOps and Visible Ops methodologies can aid in correcting the situation, and what we should expect from our tools and process.

Speakers

Peter Perfetti

Director, IMPACT Security LLC
Pete has been involved with IT Security for over 15 years. Before heading up Security Services and Operations at IMPACT Security, he worked as an Information Security Officer, Security Engineer, and Manager at such companies as UBS, ABN AMRO, MTV, Viacom, and the NBA. His background includes administration, integration, governance, engineering, and investigations. Pete is an OWASP Chapter leader in Dallas, and was formerly on the leadership...


Thursday October 24, 2013 10:00am - 10:45am
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

We are the Cavalry: Why it has to be us & why now

In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, one painful truth has become clear: The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. At DerbyCon, we begin the work of shaping our futures. Here at LASCON, we have the opportunity to level-up and reframe our role in all of this. As the initiated, we face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety… Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. It is time for some uncomfortable experimentation.


Speakers

Adam Brand

Director, Protiviti
Adam Brand has more than 16 years’ experience in information technology and security. He is a Director with Protiviti, where he has assisted companies in resolving major security incidents and maturing their information security programs. Adam has been heavily involved with the “I am The Cavalry” movement, a group of researchers focused on information security issues that can affect human life and safety. He has recently focused...


Thursday October 24, 2013 10:00am - 10:45am
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Securing Redis with Sedona
Redis is an open-source network-based key-value store. Similar to memcached, Redis allows developers to store and retrieve strings, lists, sets, and hashes rapidly and at scale. Redis helps power a number of popular open-source applications and websites including Twitter, Craigslist, Instagram and Flickr. 
The Redis security model states that Redis should only be run in a trusted environment and accessed by trusted clients. As a result Redis does not include many of the native security features that developers have come to expect from network-based storage solutions. Traditional security features found in similar storage solutions, like relational databases, include the ability to authenticate and authorize clients, or provide encryption for network communications. These features are non-existent or partially implemented in Redis, making it impossible to enforce security policy or isolate access for unique applications that utilize the same datastore. 

To address these issues I developed Sedona, an application firewall for Redis. Sedona functions as a context-aware firewall for Redis that gives administrators granular control over commands and provides key-level access restrictions for Redis objects. Sedona also improves upon the existing authentication support in Redis by adding support for modular authentication and per-use access control lists. 
In this talk we’ll examine the Redis security model as well as security features that are available natively in Redis. Next we will introduce Sedona, an open-source application firewall that I have developed for Redis. We’ll cover use cases for Sedona, administration, configuration, and the performance implications it has on access to Redis. 


Speakers

Will Urbanski

Will Urbanski is a security researcher who tracks vulnerability and malware trends. He has experience in both research and security operations in enterprise and higher education environments. Will is the co-author of a patent for an IPv6 moving target defense. He has more than eight years of experience in Information Security and has written articles for numerous journals, including IEEE Security & Privacy. Will holds a Bachelor of Science in...


Thursday October 24, 2013 10:00am - 10:45am
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

No More Monkey Business: Quality Assurance in Penetration Testing
Security audits, whether internal or customer-driven, are becoming more common and more frequent for software development programs. In many cases audit activities such as risk assessments, security scanning and penetration testing are required for program certification and accreditation. Going through a security audit can be a challenging situation filled with misunderstanding and frustration that can put a software program under considerable stress. This fact is exacerbated by some alarming trends being noticed in the degradation of quality in security testing, and the lack of quality assurance governing such testing activities.

With this increase in security audit activity, the security testing field has exploded with new practitioners in a discipline that was previously held almost exclusively by elite technical experts. This rapid growth is likely a contributing factor in declining quality as well as a plethora of rubber stamping certifications, poor training, and industry ignorance. Over the past two years, my team has assisted several large software development programs in preparing for and accommodating extensive security audits. We have noticed and collected evidence pointing to a problem in quality of security testing activities and results. These issues are costing engineering teams significant dollars to deal with the false positives, unjustified severities and overreaching scopes of poor quality audits. Many real-world examples of poor quality penetration testing results are presented in this talk in order to help describe and identify the problem. 

The purpose of this talk is not to point fingers or stroke our own egos by implying that we are better than those whose mistakes are highlighted. Instead it is a call to quality assurance in the relatively new field of security auditing and penetration testing. Penetration testing is widely considered to be an art form or black magic by many in the software engineering world. And there is truth to the fact that, similar to a home inspection, two testers will not produce the exact same list of findings. However, our findings point to an overall degradation in the skill and knowledge of penetration testers that can, if not corrected, turn pen-testing from a so-called black art into a quackery selling “snake-oil”. 

This presentation concludes with guidance for security practitioners on improving their security testing knowledge and skills and taking personal responsibility for maintaining the highest standards of excellence. We suggest assurance methods based on sound engineering principles that should be implemented by security assessment teams. We also encourage those interested in or new to the field to base their careers on proven methods, quality certifications and most of all a passion for bettering the industry.

Speakers

Aaron Estes

Chief Software Security Architect, Lockheed Martin Corporation
Aaron Estes is a software security consultant, engineer and professor who has worked with the nation's top defense contractors, financial institutions, and electronics and entertainment conglomerates to assess security risk and solve some of the most critical security concerns of today's changing digital world. Aaron has set his professional career apart by focusing on academic discipline as well as creative passion to create a level of...


Thursday October 24, 2013 11:00am - 11:45am
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

Convincing Your Management, Your Peers, and Yourself That Risk Management Doesn't Suck
As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.

The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities.

Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.

Speakers

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability...


Thursday October 24, 2013 11:00am - 11:45am
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

From Gates to Guardrails: Alternate Approaches to Product Security

Traditional approaches to secure development lifecycles have relied on high-touch and process-driven models involving a series of assessments (e.g. design review, threat model, vuln scan) and associated decisions on whether to proceed to the next phase and gate. While this model serves many well, there are an increasing number of organizations embracing concepts like DevOps, agile, cloud, and continuous delivery that are looking for more pragmatic, automated, and dynamic approaches that suit the technology and business environments in which they exist. In this talk, Jason will highlight some of the ways Netflix has approached this shift, emphasizing practical methods to problems ranging from continuous assessment to regulatory compliance to team staffing.
 



Speakers

Jason Chan

Engineering Director, Netflix


Thursday October 24, 2013 11:00am - 11:45am
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:30am

Lunch Option 1
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Thursday October 24, 2013 11:30am - 12:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:30am

Open Seating Area for Lunch
Thursday October 24, 2013 11:30am - 1:30pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:00pm

Lunch Option 2
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Thursday October 24, 2013 12:00pm - 12:30pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:30pm

Lunch Option 3
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Thursday October 24, 2013 12:30pm - 1:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Lunch Option 4
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Thursday October 24, 2013 1:00pm - 1:30pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Stupid webappsec Tricks

This talk will discuss amusingly simple yet effective techniques to detect vulnerabilities as they're discovered by attackers, as well as how to make specific types of malicious activity economically infeasible. 



Speakers

Zane Lackey

Director of Security Engineering, Etsy
Zane Lackey is the Director of Security Engineering at Etsy and a member of the Advisory Council to the US State Department-backed Open Technology Fund. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA...


Thursday October 24, 2013 1:00pm - 1:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

5 Proven Success Strategies for your Software Security Program
These proven strategies will help you establish and improve your software security program. They have been accumulated through years of consulting & advising companies and government agencies of all sizes & types on their software security programs. Each strategy will be presented with context of when to apply it, why it works, and why less successful strategies fail. 

Speakers

Bankim Tejani

Under Armour, Sr. Manager, Digital Product Security


Thursday October 24, 2013 1:00pm - 1:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Cloud Keep: Protect your Secrets at Scale
In our internal research at Rackspace, the number one customer concern around security is Data Protection. While there are many aspects to protecting customer data, encryption is typically a key part of most solutions. This importance can be seen in requirements in every compliance regime and a large suite of encryption providers & products, both open-source and commercial. However, these sources tend to lack technical implementation detail, especially around the hardest part of designing an encryption scheme, key management. 

This presentation will cover Cloud Keep, an open source project sponsored by Rackspace to build a secure, Cloud-ready key management solution. We hope to solve a need for our customers as well as other OpenStack projects. Additionally, we aim to provide a free and open-source system that all applications can use, regardless of their location, language or maturity. We will walk through our plans for the system, its technical architecture and demonstrate our current proof of concept implementation.

Speakers
avatar for Jarret Raim

Jarret Raim

Rackspace
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace's internal software teams as well as defined strategy for building secure systems on Rackspace's OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience with a wide...
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is...


Thursday October 24, 2013 1:00pm - 1:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

Stalking a City for Fun and Frivolity
Tired of the government being the only entity around that can keep tabs on a whole city at once? Frustrated by dictators du jour knowing more about you than you know about them? Fed up with agents provocateur slipping into your protests, rallies, or golf outings? Suffer no more, because CreepyDOL is here to help! With open-source software, off-the-shelf sensors, several layers of encryption, and a deployment methodology of "pull pin, point toward privacy insurance claimant," it allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa. You, too, can move up from small-time weirding out to the big leagues of total information awareness: deploy CreepyDOL today! This talk will also cover what's changed since July in the CreepyDOL project, the open source release, and a sense of numinous dread.

Speakers
avatar for Brendan O'Connor

Brendan O'Connor

CTO/DSS, Malice Afterthought, Inc.
Brendan O'Connor is a geek of many trades. While he's a full-time law student at the University of Wisconsin in Madison (set to graduate in May 2014), his consultancy, Malice Afterthought, completed two DARPA Cyber Fast Track contracts during his first two years in law school. He has also taught information warfare for the DoD, played the violin (now for more than 21 years), obtained his Amateur Extra certification, and wished fervently that...


Thursday October 24, 2013 2:00pm - 2:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

The Real Cost of Security
It's your first day on the job as a CISO. You're responsible for implementing a whole security program. What do you buy?

This is the question we asked many seasoned security professionals, and a whole lot of different answers came back. Not only that, but when we tried to price the most common technologies they named for a sample organization, we got even more confusing answers. Even assuming you know what you want to buy, can you even afford security? We'll share the results of this research, along with boxes of Kleenex. Bring your own preferred flavor of ethanol.

Speakers
avatar for Wendy Nather

Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
Wendy Nather is Research Director, Security, within 451 Research's Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's primary areas of coverage are on application security and security services. Wendy joined 451 Research after five years building and managing all aspects of the IT security program at the Texas Education Agency, which serves 4.6 million Texas students...


Thursday October 24, 2013 2:00pm - 2:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

Practical PKI
Establishing electronic trust is becoming a more important part of the digital landscape than ever before. This presentation aims to do two things: one is to use allegory and a story-like approach to explain what PKI is without the math; the other seeks to paint a picture of the impact on doing business and where the road looks to be going.

Part One: What is PKI in practical terms? It may seem commonplace in the industry by now, but believe you me, there are plenty who don't know a Relying Party from a hole in the ground. We'll cover some of the common terms above and beyond digital certificates, how they interact, and how things are managed. An attempt will be made to inject some humor as gravy to what is seen as an otherwise dry topic.

This isn't to say that finger puppets will be used, but for the people who want to learn, demystifying information in plain English should be a welcome change. An explanation of the trusted roles involved in deploying certificates, the governance of the system, and the management and distribution of keys will be offered afterwards.

Part Two: Having established a basic understanding of how the pieces of the jigsaw fit together, a few real-world examples of how to apply these concepts will then be offered. Once these topics are briefly covered, it will be time to suggest where things are going based on key events taking place in this ever active and growing industry of Identity Management. Included will be some observed happenings regarding the National Strategy for Trusted Identities in Cyberspace (NSTIC) and the much sought after on-the-fly provisioning methods.

Speakers
avatar for Steven Bernstein

Steven Bernstein

Security Endeavors
Working with Identity Management technologies for over ten years, Steven seeks to provide Information Assurance by developing, enabling and supporting PKI solutions in the Information Security arena. Modeling and applying software engineering methods and techniques, he designs, defines, develops, evaluates, integrates, and supports complex products, policies, tools, and technologies requiring PKI certificates for audiences ranging from End...


Thursday October 24, 2013 2:00pm - 2:45pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

Rugged Driven Development with Gauntlt
"Be Mean to Your Code" is the core concept behind the ruggedization framework called Gauntlt (http://gauntlt.org), which brings the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Security testing is often done at a cadence set by the audit team and is often obscured from the development and operations teams. This is not good, and it creates an adversarial relationship between security, dev and ops.

Gauntlt helps security, ops, and development teams work together. Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing Gauntlt attacks (tests) which can in turn be added to automated test suites. Developers know they have resolved a particular vulnerability when Gauntlt no longer reports a failure. Gauntlt can also be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.

Traditional approaches to web security can be less effective in cloud environments, due to the highly dynamic nature of cloud infrastructure. Fortunately, infrastructure-driven, continuous testing can overcome many of these challenges. Netflix uses Gauntlt to continuously validate that the security configuration of its cloud deployment and applications remains as expected, even with a rapid rate of change and high degree of self-service. 

One of the core contributors of the Gauntlt project, James Wickett will talk about the history of the project, the current features, examples of how to use Gauntlt and the future roadmap of Gauntlt. As part of this talk we will do a demo where we will walk the audience through getting started using pre-built Gauntlt attacks and then move to writing their own Gauntlt attacks. Come find out how to "Be Mean to Your Code" and ruggedize your next project.

Gauntlt is an open source ruggedization framework using cucumber and written in ruby. It has been developed in collaboration with the security engineering teams at Netflix and Twitter. Gauntlt is MIT Licensed and hosted on github at http://github.com/gauntlt/gauntlt.
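The attack file below is an added illustration of what the abstract calls "writing your own Gauntlt attacks"; it is not taken from the talk or from the Gauntlt project's own examples. The hostname, the choice of which ports are expected open and closed, and the response-header check are assumptions made for the example; the step syntax (a Background that checks the tool is installed and declares a profile table, a When step that launches a named attack, and Then steps that match the tool's output against a regular expression) is the format Gauntlt attack files use:

```gherkin
# example.attack (assumed filename): an added Gauntlt attack file, not from the project
Feature: Regression checks for the example.com web tier

  Background:
    Given "nmap" is installed
    And "curl" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  # The first pentest finding: a mail port reachable from the internet.
  # Nothing in this scenario passes until the port is closed.
  Scenario: Only the expected ports are exposed
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should match /443.tcp\s+open/
    And the output should not match /25.tcp\s+open/

  # The second finding: a missing clickjacking defence header.
  # A "generic" attack runs any command and checks its output.
  Scenario: Clickjacking protection header is present
    When I launch a "generic" attack with:
      """
      curl -sI https://<hostname>/
      """
    Then the output should match /X-Frame-Options/
```

Running `gauntlt` in the directory containing the file executes both scenarios. While port 25 is open or the header is missing, the corresponding scenario fails, which is the mechanism the abstract describes: a finding from an audit or penetration test is handed to developers as a failing test, the test passes once the issue is fixed, and it stays in the suite as a regression check that fails again if the issue is reintroduced.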

Speakers
avatar for James Wickett

James Wickett

Sr. Engineer, Signal Sciences Corp
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at the University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapidly growing startups. As a Senior DevOps Engineer, James is currently...


Thursday October 24, 2013 2:00pm - 2:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

Hacker org skills - Keeping it together
Penetration testers may have mad skillz when it comes to hacking, but this is of little use if you lose your results files or forget how you exploited that vulnerable FTP server. This presentation will provide you with tools (mostly open source) and tips to help keep your stuff together before, during, and after an engagement. This information should appeal not only to penetration testers and those in InfoSec, but to all of us with jobs of a techie nature.

Speakers
DH

David Hughes

Sr. Security Assurance Analyst-Red Team, General Motors
David has been involved with the IT industry for the past 20 years and for the latter half of that time has been primarily focused on Information Security. He spent several years performing penetration testing and security assessments, utilizing quite a number of tools and techniques. The clients ranged in size from very small office spaces to large state-owned data centers. Training is also one of his passions, and his experience...


Thursday October 24, 2013 3:00pm - 3:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

Railsgoat - Rails attack and defense
While working to secure rails applications in a truly Agile development environment, it became clear that the Rails and Ruby ecosystem needed attention from the security community in the form of free and open training, and the events that have transpired this year have only reinforced that belief. RailsGoat is an attempt to bring attention to both the problems that most frequently occur in Rails, solutions for remediation, and common attack scenarios. To accomplish this, we've built a vulnerable Rails application that aligns with the OWASP Top 10 and can be used as a training tool for Rails-based development shops. 

Railsgoat is an OWASP project; additional details can be found at the following link:

http://railsgoat.cktricky.com/ 

Speakers
avatar for Ken Johnson

Ken Johnson

CTO, nVisium
Ken Johnson has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at AppSec DC, AppSec California, DevOpsDaysDC, LasCon, numerous Ruby and OWASP events, and AWS NYC. Ken is currently investing his time between OWASP's Railsgoat, Elixir and Go, as well as all aspects of AWS offerings. Ken is also...
avatar for Michael McCabe

Michael McCabe

Senior Application Security Consultant, nVisium
Helping companies become more secure through training, review and solutions.


Thursday October 24, 2013 3:00pm - 3:45pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

How overlay networks can make public clouds your global WAN network
Enterprises, organizations and governments are realizing the benefits of cloud flexibility, cost savings, scalability and connectivity. Yet the traditional approach focuses too much on the underlying infrastructure, instead of the applications. 

So who is making solutions for the people who work at the application layer? Are software-defined things secure? 

With a focus on application-layer integration, governance and security, overlay networks let developers, and the enterprise apps they work with, use the public clouds as a global WAN network, not just extra storage. 
Developers can build on top of overlay networking to extend traditional networks to the cloud with added security such as encryption, IPsec connections, VLANs and VPNs into the public cloud networks. 
Prime examples are previously cost-prohibitive projects that can now use public clouds as global points of presence to create a cloud WAN to partners and customers.

Traditionally, global WANs were limited to large organizations due to the major investments in equipment and agreements with service providers to supply connectivity.  Now, cloud providers have made the investment to provide state-of-the-art facilities, experienced staff, and fantastic equipment distributed across the globe.  Enterprises of any size can use these public cloud points of presence (POPs) to build a globally distributed WAN. Essentially, anyone with a credit card can use the public cloud to create a new point of presence on a project by project basis.   

3-5 audience benefits: 
A look at the “cloud stack” - where cloud computing stratifies into disparate layers of control and access for end application owners. 

A new look at how to solve application developer’s concerns about security - with things like data encryption, network privacy, and secure customer / partner connectivity. 

Insight from the industry-unique approach to cloud networking and security. 

Speakers
avatar for Ryan Koop

Ryan Koop

Marketing Director, Co-Founder, CohesiveFT


Thursday October 24, 2013 3:00pm - 3:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

4:00pm

Speed Debates!
The legendary Speed Debates at LASCON! Get your twitters ready to quote our panelists in this edition of the LASCON Speed Debates. Hilarious, fun and the start to our roaring happy hour!

Moderators
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation

Speakers
avatar for Nick Galbreath

Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media...
avatar for Robert Hansen

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the...
avatar for Jim Manico

Jim Manico

Author and Educator, OWASP volunteer, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is an investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a volunteer and former board member for the OWASP foundation. He is the author of "Iron-Clad Java...
HM

HD Moore

Chief Research Officer, Rapid7
Bits and bytes
avatar for Wendy Nather

Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
avatar for Mano 'dash4rk' Paul

Mano 'dash4rk' Paul

Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ... Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?
PP

Peter Perfetti

Director, IMPACT Security LLC
Pete has been involved with IT Security for over 15 years. Before heading up Security Services and Operations at IMPACT Security, he worked as an Information Security Officer, Security Engineer, and Manager at such companies as UBS, ABN AMRO, MTV, Viacom, and the NBA. His background includes administration, integration, governance, engineering, and investigations. Pete is an OWASP Chapter leader in Dallas, and was formerly on the leadership...


Thursday October 24, 2013 4:00pm - 4:45pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

4:00pm

Happy Hour Bar Opens
Grab a drink and head to the Speed Debates

Thursday October 24, 2013 4:00pm - 5:00pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

4:30pm

Expo Hall Closes
Expo Hall Closes at 5pm

Thursday October 24, 2013 4:30pm - 5:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

5:00pm

Happy Hour w Live Music
Thursday October 24, 2013 5:00pm - 7:00pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

5:00pm

Ride the Mechanical Bull

Thursday October 24, 2013 5:00pm - 7:00pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
 
Friday, October 25
 

8:00am

Expo Hall Opens
Friday October 25, 2013 8:00am - 9:00am
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

9:00am

Blindspots - Keynote with Robert Hansen
Approaching two decades of experience in web application and browser security, Robert Hansen will share with you areas that our small part of the industry (webappsec) tends to get wrong or completely misses more often than not. This presentation will challenge you to broaden your thinking, touch areas that you may not otherwise be comfortable with and raise the industry's capabilities, one blindspot at a time.

Speakers
avatar for Robert Hansen

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security


Friday October 25, 2013 9:00am - 9:45am
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

DDOS/DOS Attack Classification per Attack Target and Attack Vector
Recent DDOS attacks got all of us struggling to develop new defense mechanisms. It is very hard to develop protection for every single new and unseen DDOS attack; these attacks made us all feel like we are chasing our tail. The idea of this research is to develop a DDOS attack classification based on a large sample of attacks (together with example attacks for each attack class). This research will show how DDOS attacks are conducted using a few defined attack vectors and attack targets. The resulting DDOS attack classification would enable development of protection mechanisms for each type (class) of DDOS attack. Therefore, organizations would be able to develop preventive mechanisms for any new DDOS attack. Accordingly, an accompanying incident management process can be implemented and be successful.

DDOS attacks cause system exhaustion by using different attack vectors. This research work and talk will define categories of system exhaustion attack vectors with defined protection mechanisms to enable development of preventive DDOS attack measures. 


Speakers
avatar for Pez Zivic

Pez Zivic

WW Security Solutions Architect, F5
Security Services Since 1993! Dedicated to anything you wanted to know about DOS and hacking but were afraid to ask.


Friday October 25, 2013 10:00am - 10:45am
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Million Browser Botnet


Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.

With a few lines of HTML5 and javascript code we'll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn't intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware are required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.


Speakers
avatar for Matt Johansen

Matt Johansen

Manager, Threat Research Center, WhiteHat Security
Matt Johansen is a manager for WhiteHat Security's Threat Research Center (TRC). Matt began his career as a security consultant, where he was responsible for performing network and web application penetration tests for clients. He then took a role at WhiteHat as an application security specialist for the TRC and quickly rose through the ranks to managing more than 40 at the company's Houston location. In his spare time, Matt is a...


Friday October 25, 2013 10:00am - 10:45am
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Big Data, Little Security? – Practical Steps for securing Big Data
Big data is characterized by three Vs: Velocity, Variety and Volume. Perhaps we should add one more "V" to this; V for Vulnerability? Big data installations have security challenges that must be enumerated, understood and addressed. This presentation explains the security challenges around Big Data and outlines some practical security measures to help safeguard these installations.


Speakers
avatar for Manoj Tripathi

Manoj Tripathi

Security Architect, PROS, Inc
Security, Poetry and Tennis ( in that order !)


Friday October 25, 2013 10:00am - 10:45am
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

10:00am

Minding The Gap: Secure PhoneGap Apps
PhoneGap is a popular framework amongst the mobile development community. PhoneGap allows developers to rapidly build cross-platform mobile applications using HTML 5, JavaScript, and CSS. Using PhoneGap plugins, developers can call native platform APIs from browser-like applications using JavaScript. This approach introduces both interesting as well as powerful vulnerabilities that are not typically as prevalent within native mobile applications, warranting a fresh look at the way we view the impact and likelihood of exploitation amongst PhoneGap applications. PhoneGap applications inherit security issues generally reserved for code running within web browsers, while also being potentially vulnerable to traditional security issues affecting native mobile applications. 

In this presentation, we will take a deep look at the core framework and we will examine the overall attack surface for applications built with PhoneGap. Live demonstrations will be performed to illustrate how PhoneGap prevents you from hiding behind the safety of a mobile platform's security model. Real-world examples of vulnerable applications built with PhoneGap will be demonstrated as well. This provides context as well as plenty of entertainment for audience members. In addition, a walkthrough of the vulnerable OWASP GoatDroid PhoneGap app will be provided. 

After discussing the common pitfalls of PhoneGap cross-platform development, we will provide a methodology and recommendations for narrowing the surface for attack. We will also release an open-source tool for enhancing the security posture for your PhoneGap applications. This presentation will be heavy on code examples, demonstrations, and practical information. 

Speakers
JM

Jack Mannino

nVisium
Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run...


Friday October 25, 2013 10:00am - 10:45am
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

Riding the Magical Code Injection Rainbow
There are many intentionally vulnerable web applications available for people to learn how to exploit various types of flaws. Unfortunately, many of them have only the most basic and easily exploited examples of flaws. In order to work with a more complex version of a flaw, it's usually necessary to write your own vulnerable application or modify an existing one. 

There is another option! The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerable applications. This presentation will demonstrate the use of the existing MCIR applications such as SQLol (for SQL injection) and XMLmao (for XML and XPath injection), teach advanced exploitation techniques in SQL injection; XPath injection; cross-site scripting; and shell command injection, discuss the exploitation of insecure cryptosystems and discuss how to use the MCIR framework to build your own configurable vulnerable application.

Speakers
avatar for Daniel Crowley

Daniel Crowley

Senior Security Consultant, Trustwave
Daniel (aka "unicornFurnace") is a Senior Security Consultant for Trustwave's SpiderLabs team. Daniel denies all allegations regarding unicorn smuggling and questions your character for even suggesting it. Daniel has developed configurable testbeds such as SQLol and XMLmao for training and research regarding specific vulnerabilities. Daniel enjoys climbing large rocks. Daniel has been working in the information security industry since 2004 and is...
AJ

Andrew Jordan

Independent Security Researcher


Friday October 25, 2013 11:00am - 11:45am
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

OWASP Top Ten Proactive Controls
The OWASP Proactive Controls is a "Top 10-like" document aimed at helping developers build secure applications. This project is phrased and built in a positive, testable manner. It describes the Top 10 software control categories that architects and developers should absolutely, positively include 100% of the time in every software project.

This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers
avatar for Jim Manico

Jim Manico

Author and Educator, OWASP volunteer, Manicode Security


Friday October 25, 2013 11:00am - 11:45am
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:00am

Mobile AppSec: Development and Alphabet Soup
There are approximately 6 billion mobile devices in the world today, and the number of mobile applications available in Google Play and the Apple App Store is around 1.5 million. Vulnerabilities and mobile malware are skyrocketing, and development of new applications and release of new devices continue at an increasing pace. We are treating mobile application security like a foreign language and are struggling with alphabet soup concerning BYOD, MDM, MAM, and MNM. Dave will explain his experiences in running a mobile application security practice and the solutions he is seeing in the industry in regard to effectively managing the mobile security of devices, applications, and data. Dave will talk about how to effectively protect your data and applications from the bad guy.

Join David as he explains mobile application security and why there needs to be a mix of device and application security to effectively protect your critical data and infrastructures. As Aspect Security’s Global Practice Manager of Mobile Application Security Services, Dave has first-hand expertise in helping clients in the financial and retail sectors with their mobile application security programs. 


Speakers

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space, including everything from mobile application penetration testing/code review to analyzing MDM and BYOD...


Friday October 25, 2013 11:00am - 11:45am
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:30am

Lunch Option 1
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Friday October 25, 2013 11:30am - 12:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

11:30am

Open Seating Area for Lunch
Friday October 25, 2013 11:30am - 1:30pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:00pm

Lunch Option 2
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Friday October 25, 2013 12:00pm - 12:30pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:00pm

Revenge of the Geeks: Hacking Fantasy Sports Sites
In this talk, I’ll show how all my IT security geek friends in the LASCON community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and are not surprisingly exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested. 

In this particular application, mistakes with the application’s session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victim's account.

After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football? 

Speakers

Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated...


Friday October 25, 2013 12:00pm - 12:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:00pm

User Auth for Winners, how to get it right the first time!
Every couple of months, we see articles about how a reputable company has had a user account or password breach! Often, these are simple issues that could have been avoided during design or implementation.

In this talk, I will outline the best practices to build out a secure user management and authentication platform for your products.

At National Instruments, I architected a REST-based platform that allowed customers to create online accounts, reset passwords, and handle licensing and authentication for various web products over a 2 year period. During that time, a lot of time was spent researching best practices for building authentication systems, authentication tokens, user experiences for user creation and password reset workflows, and scaling authentication platforms.

At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise! 

Speakers

Karthik Gaekwad

Senior Engineer, StackEngine
I'm an experienced software engineer with a passion to quickly design and develop cloud hosted, web software products. I enjoy writing APIs and user interfaces. I live in Austin, Texas and I'm an organizer for Devopsdays Austin, Container Days, and CloudAustin.


Friday October 25, 2013 12:00pm - 12:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:00pm

Ice Cream "sudo make me a" Sandwich
With the advent of Android 4.0+, we have seen the rooting landscape shift dramatically. This presentation gives a brief, but highly technical overview of the most ingenious new types of attacks on 4.0+. We will give an overview of Android's device protection mechanisms in 4.0+ and how they can be circumvented or unintentionally undermined by device manufacturers. 

Each device manufacturer and carrier can add or modify code from the Android Open Source Project (AOSP). This can include access to device memory, exploitable processes which run as the root user, initialization scripts which perform privileged actions without proper validation, or APKs which leak access to otherwise-protected information sources. This talk will examine what carriers and device manufacturers are doing to help customers root their devices. We will also detail /boot and /recovery differences between OEMs, how signature checks are performed, and demonstrate some of our tools to examine new devices and find potential security flaws. 

This talk is not about exploiting the AOSP, but rather identifying mistakes and misconfigurations due to customized builds and additional features. 

Speakers

Max Sobell

Independent Consultant
Max is an independent security consultant based out of NYC. He has performed code reviews and conducted mobile application penetration tests for numerous Fortune 500 clients on a multitude of platforms, such as Android, BREW, RIM, and iOS. He specializes in mobile device penetration testing and has spent time researching NFC (for access control and on mobile devices), Bluetooth, mobile wallets, and secure elements. Before working in security...


Friday October 25, 2013 12:00pm - 12:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

12:30pm

Lunch Option 3
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Friday October 25, 2013 12:30pm - 1:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Lunch Option 4
Lunch will be served from 11:30 to 1:30 in the expo hall every 30 minutes.  Seating will be available in the main hall.

Friday October 25, 2013 1:00pm - 1:30pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Heading Off Trouble: Securing Your Web Application with HTTP Headers and X-Headers
This session is a survey of HTTP security headers used to protect Web applications. Much of Web security has been cobbled together over the years, and the disparate and ad hoc standards we have today reflect this evolution. Most engineers are not aware of all the tools available in the developers' toolbox, and some of these tools are still evolving. A view into the state of Web security today and a vision of the future is of interest to any developer working in today's threat-laden cloud service world. 

The following areas are covered, with illustrations of attacks and example defenses. 

* Cross-Site Scripting (XSS), X-XSS-Protection and Content Security Policy (CSP)
* Cross-Site Request Forgery (CSRF), Origin checking 
* Clickjacking, X-Frame-Options and UI Redressing extensions to CSP 
* Insecure SSL/TLS Implementation, HTTP Strict Transport Security and Certificate Pinning 
* Web APIs, Cross Origin Resource Sharing 
* Hosting Untrusted Content, X-Content-Type-Options and X-Download-Options 
* Stealing Sessions, Session Continuation 

Speakers

Kevin Babcock

Principal Security Engineer, PagerDuty
Kevin Babcock has been working in the Web security arena since 2000. He was part of the original engineering team at SafeWeb, the inventor of SSL VPN, which was acquired by Symantec in 2003. He continued his information security work at Symantec, developing products for remote access, network security, anti-spam, and Web security; and at Box, leading projects in application security and encryption. He is currently Principal Security Engineer...


Friday October 25, 2013 1:00pm - 1:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Hacking .NET(C#) Applications: The Black Arts(v3)
This presentation will show how to carry out attacks on .NET applications. Learn how to make cracks, malware, and other aggressive software quickly. Common protections/defenses and counter protection techniques will be covered. 

This will supply a valuable skill/tool for Pen-Testers on BlackBox evaluations.

Speakers

Jon Mccoy

Jon' OR DROP ALL TABLES OR 'McCoy, DigitalBodyGuard
Jon McCoy is into security with a focus on application security under the .NET Framework. Jon started security in forensics and moved to reverse engineering and incident response. He is the founder of DigitalBodyGuard.com and Wave3D.com along with heading a number of open source projects in the area of security tools and disabled assistance/augmentation systems.


Friday October 25, 2013 1:00pm - 1:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

1:00pm

Drawing the map: Outlining Android permissions mechanism
The Android Open Source Project provides software stacks for mobile devices operating on the Android platform. The API provided by this project helps enforce restrictions on the specific functions and processes that are allowed to operate under the standard Android permission mechanism. Because of the fine-grained permissions of the model, combined with the lack of permission maps, it is not clear which functions require which permissions to operate. Additionally, due to the constant development in the AOSP and API, required permissions change frequently, creating headaches for application security testers, app developers and security-minded Android users.

During this talk, Andrew Reiter, security researcher, Veracode, will introduce the various methodologies used for building an Android permission map, and discuss the inherent deficiencies in each. The audience will learn why it is important to create a single group responsible for generating a permission map, and why Reiter believes this group should be Google. The discussion will also cover why permission mapping is an important part of securing this ever growing environment. 

Speakers

Andrew Reiter

Principal Researcher, Veracode
Andrew Reiter is a Principal Researcher at Veracode focusing on both static analysis of Android apps, web app frameworks, et al., and the design of automated security analysis algorithms for Android. He holds an M.Sc. in Applied Mathematics from UMASS-Amherst.


Friday October 25, 2013 1:00pm - 1:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

Software and Supply Chain Assurance (SSCA)
Just as with food and pharmaceuticals, software can be corrupted in ways that put users, organizations, and missions at risk. Thus each participant in the supply chain requires an appreciation of controls and processes that should be in the potential paths software can take before it is acquired and put into use. How do we ensure that the right levels of due diligence are being applied to help assure the confidentiality, integrity, and availability of the sensitive information entrusted to our third party vendors in our supply chain? Do we need an approach that uses a “do once, use many times” framework to save cost, time, and staff required to conduct redundant agency security assessments? What would such a standardized software supply chain approach consist of for assessment, authorization, risk management, and continuous monitoring for software products and services?

Speakers

Friday October 25, 2013 2:00pm - 2:45pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

View this abstract in your browser
Personalized invoices, receipts, hotel reservation confirmations, special credit card promotions, and more can all be found online without ever entering a username or password. These vulnerabilities originate from an insecure method of hosting and communicating sensitive information. This presentation will go over how you may already be a victim of this blatant information disclosure, how the leaked information can be exploited, and who some of the offenders are. The presentation will also go over some of the methods to avoid these vulnerabilities in the first place, and what to do once you discover that your company is already vulnerable.

Speakers

PHIL PURVIANCE

Security Associate, Bishop Fox
The number of companies with bug bounty programs has increased dramatically over the last five years. A clever researcher can make easy money disclosing security vulnerabilities responsibly, and some have even turned it into a full-time job. But how do these programs actually work? I will use my personal experiences on both sides of the fence - as a bug hunter and as a bug bounty submission reviewer - to provide an exclusive look into...


Friday October 25, 2013 2:00pm - 2:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

Enforcing Authorization with Cryptography
An attacker’s ability, with only user credentials, to tamper with requests and directly access sensitive data ("Insecure Direct Object Reference") exposes valuable data and can even result in impersonation. OWASP’s 2007, 2010 and 2013 Top 10 lists include this problem. Common solutions include (1) using indirect object reference maps, or (2) performing authorization checks thoroughly. 

Of the solutions above, only random indirect object maps solve all potential problems associated with insecure object references. However, this may require tons of memory. This talk presents cryptographically protected references: trading increased but acceptable computation time for very little memory requirements. 

Using threat modeling, the talk outlines relevant attack vectors. Next, the talk walks the audience through alternatives in secure design comparing each from security and performance perspectives. For each alternative, concrete comparison includes benchmark results. 

Is secure object reference about access control? Is it about random-looking parameters? What does this have to do with database keys? Audience members will leave with specific guidance to share with developers.

Speakers

Amit Sethi

Senior Principal Consultant, Cigital
Amit Sethi is a Senior Principal Consultant and the Director of the Mobile Practice and the Advanced Penetration Testing Practice at Cigital. He has over 12 years of experience in the security industry as well as a Masters degree in Cryptography. He has extensive experience performing penetration testing, source code reviews and architectural risk analysis of a wide variety of systems as well as helping organizations solve complex security...


Friday October 25, 2013 2:00pm - 2:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

2:00pm

iOSApps.reverse #=> iPwn Apps
While iOS apps downloaded from the AppStore are packaged in binary format and usually encrypted, there is a lot of information one can glean by reverse engineering iOS apps. This talk will cover reversing tools and techniques that can be used to reverse iOS apps to make them iPwn Apps.

Speakers

Mano 'dash4rk' Paul

Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ... Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?


Friday October 25, 2013 2:00pm - 2:45pm
HackersForCharity.org Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

How Malware Uses and Abuses Your Software: Learn How To Prevent Hackers from Attacking and Masquerading as your Software
Imagine having your software associated with virus reports or whitelists when people Google it, or getting angry calls from customers who say it infected their computer, or worse, having it deleted by anti-malware products. This is unfortunately today’s reality. 

Malware is designed to hide and evade detection, and malware authors commonly disguise their software as real applications in their efforts to conceal their activities. In this talk, the attendee will learn how and why malware targets certain applications, and how it takes advantage of software issues to conceal itself. You will walk away from this talk with actionable information that you can put in place in your development process today to avoid becoming tomorrow’s next target. 

The presentation walks the audience through the following key areas: 
• Revealing common exploitation techniques of malware authors 
• The challenges with today’s forensic investigation techniques 
• Creating a secure build environment 
• The realities of code signing 
• Positively identifying your software and third party validation 

Speakers

Michael Gough

BSidesAustin, BSides Texas
Information Security, Full Disclosure, Mountain Biking, Malware Hunting, Blue Team, Security Architecture & Darwin's Theory. Michael Gough is an Information Security professional and researcher. Michael has been a security consultant for HP and other companies and holds CISSP, CISA and CSIH certifications. Michael is one of the partners for Security BSides Texas and lead for the Austin BSides conference. He is also part of one of the...

Ian Robertson

Security Researcher
Ian Robertson is a security professional/researcher with over 15 years of experience defending networks large and small. Ian's background includes application development, systems administration, network design and architecture, telecommunications, security policy and compliance, penetration testing and malware analysis. Ian is a frequent presenter at various security conferences on topics that provide audiences with new, relevant and...


Friday October 25, 2013 3:00pm - 3:45pm
Gemalto Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

Do You Have a Scanner or a Scanning Program?
By this point, most organizations have acquired at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis. This presentation looks at the components of a comprehensive software security program, the role that automation plays in these programs and tools and techniques that can be used to help increase the value an organization receives from its application scanning activities. It starts by examining common traps organizations fall into where they fail to address coverage concerns – either breadth of scanning coverage across the application portfolio or depth of coverage issues where application scans do not provide sufficient insight into the security state of target applications. After discussing approaches to address these coverage issues, the presentation walks through metrics organizations can use to keep tabs on their scanning progress to better understand what is being scanned, how frequently and at what depth. The presentation also contains a demonstration of how freely available tools such as the open source ThreadFix application vulnerability management platform and the OWASP Zed Attack Proxy (ZAP) scanner can be combined to create a baseline scanning program for an organization and how this approach can be generalized to use any scanning technology.

Speakers

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Friday October 25, 2013 3:00pm - 3:45pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

Why CloudHSM can Revolutionize AWS
When it comes to the cloud, the traditional mindset of many IT leaders and security analysts who deal with highly sensitive data can be summed up as "we do not trust them".

The reason for this lies not so much in insufficient security controls implemented by cloud providers as in uncertainty, and in cloud consumers' lack of knowledge of and control over the security policies and processes implemented by the providers, as well as the providers' reluctance to accept any legal liability or commit to SLAs for customers' cloud deployments.

The first obvious suggestion for making the risk manageable is to encrypt everything in transit and at rest with cryptographic keys that are not accessible by "them".

Implementation might be challenging though, because it's not clear how to make the keys inaccessible by "them". Using a Cloud HSM solution looks like a good choice, since by design the cloud provider's employees do not have access to the content of partitions created by customers.

Lack of automation and a manual HSM setup process are other challenges that need to be resolved to make the appliances compliant with cloud automation principles. HSM setup automation tools have been created and are described in the scope of this presentation.

Yet another challenge in making Cloud HSM work securely is passing HSM credentials (partition-level PINs, private certificate) from an internal data center to the cloud; this can be done through a credential-less EC2 instance validation process that is also covered by this talk.

Speakers

Todd Cignetti

Sr. Product Manager, Security, Amazon Web Services
Product leader in security at Amazon Web Services. Previous experience with network encryption and key management at Certes Networks, and file/folder and point-to-point encryption at BitArmor/Trustwave. B.S. in Computer Engineering from Carnegie Mellon University and M.S. in Computer Science from Duke University.

Oleg Gryb

Sr. Manager, Security Engineering, Samsung Strategy and Innovation Center
Oleg Gryb is a Sr. Manager working in the application security domain at Samsung Strategy and Innovation Center. He was previously Security Architect at Intuit, where he created application and security architecture for financial and business applications processing highly sensitive data. Oleg participates actively in creating open source software in the security, identity management and other domains. He has a lot of passion around embedding...


Friday October 25, 2013 3:00pm - 3:45pm
21CT Room Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

3:00pm

Expo Hall Closes
Friday October 25, 2013 3:00pm - 4:00pm
Expo Hall Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757

4:00pm

Closing Remarks and Door Prizes
Door prizes, sponsor drawings and closing remarks.

Speakers

David Hughes

Sr. Security Assurance Analyst-Red Team, General Motors
David has been involved with the IT industry for the past 20 years and for the latter half of that time has been primarily focused on Information Security. He spent several years performing penetration testing and security assessments, utilizing quite a number of tools and techniques. The clients ranged in size from very small office spaces to large state-owned data centers. Training is also one of his passions, and his experience...


Friday October 25, 2013 4:00pm - 5:00pm
WhiteHat Security Ballroom Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757