OWASP Austin - Past Events
Past Events
2023
Austin Security Professionals Happy Hour sponsored by Solis, September 14, 2023
When: Thursday, September 14th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Solis
OWASP Austin Chapter Meeting August 2023
When: Tuesday, August 29th, 2023 @ 11:30 AM - 1:00 PM
Presentation: Undercover Agent in Chinese Card Shop Ecosystem: Become a Phishing Master
Personally Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in the USA set records in 2022. Where did this information get leaked and sold in the first place? The term "Dark web" refers to websites inaccessible without the Tor protocol; given the added privacy and anonymity Tor provides, marketplaces on it have proven very attractive to criminals. An anonymous researcher will share experiences of dealing with vendors from card shops on dark web marketplaces, focused on insights into shops selling American PII and, therefore, on the TTPs of the hackers behind these card shops. We hope to inspire audiences to rethink how to reduce credit card fraud.
Speaker:
Strawberry Donut
A data scientist specialized in fraud detection and machine learning. Apart from eating strawberry donuts, she is also interested in dark web analysis, threat intelligence, and anti-fraud social engineering. She has extensive anti-fraud experience at top banks, securities firms, and internet companies, has been an invited speaker at BLUE CODE and HITCON, and is an ACAMS (Certified Anti-Money Laundering Specialist) member.
No video was recorded.
OWASP Austin Chapter Meeting July 2023
When: Tuesday, July 25th, 2023 @ 11:30 AM - 1:00 PM
Presentation: Every Risk is Not a CVE: Bolster up Against Software Supply Chain Attacks
Session Detail: Third-party and open-source software components are both desired and indispensable ingredients used throughout the development lifecycle, but their consumption comes with considerable security risks, both for the developer herself and for her downstream users. The rise of corresponding security incidents demonstrates that adversaries have discovered these attack vectors as a viable and scalable attack pattern.
Speaker:
Divya Rao
Divya Rao is a Dependency Management Specialist at Endor Labs. She has a technical background with experience spanning engineering, operations, and sales at Stanford Medical and Indeed before focusing on cybersecurity startups. She is proud to be part of a great team at Endor Labs doing her part in pushing the boundaries of open-source software code governance and application security.
Austin Security Professionals Happy Hour sponsored by SecureLayer7, July 13, 2023
When: Thursday, July 13th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: SecureLayer7
OWASP Austin Chapter Meeting June 2023
When: Tuesday, June 27th, 2023 @ 11:30 AM - 1:00 PM
Presentation: 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem
We are poised on the precipice of a new era of computing underpinned by new networks, new apps, and a digital-first experience. Hear the latest findings from AT&T Cybersecurity research and learn about:
- What high-priority edge computing use cases are across seven industry markets
- How to secure and work with the edge ecosystem
- How the attack surface is changing
- How endpoints are diversifying
The data from this research helps audiences understand challenges and opportunities of the future and examines:
- Balanced investment strategies
- Collaboration and communication needs
- Building with dynamic cyber resilience in mind
Security is now a critical part of business - learn how to move your team to the future!
Speaker:
Theresa Lanowitz
Theresa Lanowitz is a proven global influencer and speaks on trends and emerging technology poised to help today’s enterprise organizations flourish. Theresa is currently the head of cybersecurity evangelism at AT&T Business. Prior to joining AT&T, Theresa was an industry analyst with boutique analyst firm voke and Gartner. While at Gartner, Theresa spearheaded the application quality ecosystem, championed application security technology, and created the successful Application Development conference. As a product manager at Borland International Software, Theresa launched the iconic Java integrated development environment, JBuilder. While at Sun Microsystems, Theresa led strategic marketing for the Jini project – a precursor to IoT (Internet of Things). Theresa’s professional career began with McDonnell Douglas where she was a software developer on the C-17 military transport plane and held a US Department of Defense Top Secret security clearance. Theresa holds a Bachelor of Science in Computer Science from the University of Pittsburgh, Pittsburgh, PA
OWASP Austin Chapter Meeting May 2023
When: Tuesday, May 30th, 2023 @ 11:30 AM - 1:00 PM
Presentation: How Zero Trust can improve your web application security
In this presentation, we will review some of the Zero Trust concepts and roadmap some adoption schemes. We will dive into some examples of using these concepts to improve and provide better controls around:
* Setup and configuration of Zero Trust services
* Developer access and code security gains
* Exposing internal web sites securely with MFA (even if not designed with MFA) with user- and group-driven policies, without a VPN
* Gaining a WAF by exposing internal web sites through browser-based Zero Trust Network Access
* Dealing with 3rd party access to internal web sites
Speaker:
Mark Spears
Mark is currently a Principal Security Consultant at Solis Security. Having spent significant time as a network defender and vCISO, writing and testing InfoSec programs and dealing with auditors and endless reporting, he also started the OffSec program at Solis Security. Red Pill or Blue Pill. A lot of his most recent education and skill focus has been on helping companies with their web application security through Secure-SDLC practices, including configuration of Web Application Firewalls and Zero Trust solutions. When not enjoying his work at Solis Security, he can be found practicing physical security, lock picking, social engineering, or hardware hacking. Otherwise, he is on a Harley Davidson feeding his inner rebel!
Austin Security Professionals Happy Hour sponsored by Optiv, May 11, 2023
When: Thursday, May 11th, 5:00 pm - 7:00 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Optiv
OWASP Austin Chapter Meeting April 2023
When: Tuesday, April 25th, 2023 @ 11:30 AM - 1:00 PM
Presentation: The Three Trends Driving Cybersecurity Forward in 2023
Dramatic trend shifts in threat management and data protection are having a profound impact on cybersecurity best practices. This session will explore these trends, with an emphasis on pragmatic use cases, delivered by a 29-year cyber veteran from IBM’s Security business.
Speaker:
Peter Wardrop
Patrick Wardrop is currently the engineering director for the identity and access management products under the Verify brand at IBM Security. He manages a large worldwide engineering organization in nine time zones and eight countries. Patrick has more than twenty years of experience in enterprise software development and security solutions for several industry verticals. He has more than twenty US-issued patents and more than forty worldwide issued patents and obtained the Master Inventor designation at IBM.
Austin Security Professionals Happy Hour sponsored by Checkmarx, April 13, 2023
When: Thursday, April 13th, 5:00 pm - 7:00 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Checkmarx
OWASP Austin Chapter Meeting March 2023
When: Tuesday, March 28th, 2023 @ 11:30 AM - 1:00 PM
Presentation: API Risk Management
Web applications are prone to various cybersecurity risks. Did you know that 96% of these web applications contain some Open Source? Furthermore, did you know that 99% of such Open Source contains some Web APIs? You may be surprised to know that Web APIs contribute 83% of the traffic over the internet. Unfortunately, this growing API usage also means growing cybersecurity risks. Although APIs benefit organizations immensely through accelerated innovation, newer business models, and competitive differentiation, organizations are also negatively impacted by APIs when a weak security posture leads to business disruptions and legal and compliance issues. Gartner has actually predicted that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for web applications. Given the importance of APIs for digital transformation at organizations, it is imperative for their Security, Compliance and Audit professionals to get a handle on APIs to manage various API related risks. This session will provide an overview of an API Governance framework for effective API Risk Management. This framework is inspired by the Zero Trust model and can be used by enterprises as a “Swiss Knife” for reducing their API related risks. We’ll also highlight best practices and hands-on examples for API Risk Management.
Speaker:
Dr. Baljeet Malhotra
Dr. Baljeet Malhotra is an award-winning researcher known for his work in Open Source and API Data Management. He conceptualized the world's first "API Composition Analysis" based on source code static analysis. He founded TeejLab in 2017 and steered the team to build API Discovery and Security™, the world's first comprehensive end-to-end API Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software in 2016 (acquired by Synopsys), and he has also served as Research Director at SAP. He received a PhD in Computing Science from the University of Alberta and won several awards, including NSERC (Canada) scholar in 2005 and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, University of Victoria and University of Northern BC.
OWASP Austin Chapter Meeting February 2023
When: Tuesday, February 28th, 2023 @ 11:30 AM - 1:00 PM
Presentation: AppSecOps - a Scalable Approach to Application Security
Today many unforeseen factors are driving AppSec chaos. We have found about 3-4 TOP challenges every vertical is seeing in today's frugal market. The factors range from simple to hilariously unattainable! I aim to give you a few tips and steps to overcome some if not ALL of them and create an organization able to ship software fast and secure, all the while addressing current events happening in the market and how to avoid potential potholes.
Speaker:
Luis Guzman
Enterprise Information Security expertise within Management, Pro Services Consulting, Security Architecture, Security Engineering and Sales! For the last twelve years he has been laser focused on Security Incident Response, Security Architecture, Compliance Audits, Vulnerability Management, Data Classification, Phishing and Threat Intelligence. Luis is securing the ‘front lines’ of the production environment, protecting critical infrastructure, gathering threat intelligence and implementing best of breed technology for start-ups as well as Fortune 50 organizations! Bringing to play his technical sales ability mixed with the presentation style of a trained theater actor! An Information Security Professional combining technical expertise with business value, wrapped in an orator’s cloak! Most of his time away from the keyboard, when Luis is resting, goes to Texas cookouts and family! He lives in the suburbs of Cedar Park/Leander, Texas!
OWASP Austin Chapter Meeting January 2023
When: Tuesday, January 31st, 2023 @ 11:30 AM - 1:00 PM
Presentation: Cryptoparty (various speakers)
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision. In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned. At our January 31, 2023 OWASP Austin meeting, we will host a CryptoParty with the goal of inviting others to join us in learning about the tools and technologies that enable an individual's right to privacy. When the time comes, we will encourage you all to invite your family, friends, and peers to attend this event, but for now, I am looking for others who are willing to give a 10 minute max presentation on a crypto-oriented subject. The presentation will need to be laid out so that novice and experienced alike can take action based on the data presented. All tools must be free and open source. If you are interested in presenting, please e-mail me directly (do not reply to the list) with your name, bio, talk title, and abstract for consideration. This is going to be EPIC!
Speaker:
Josh Sokol (and others!)
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Unfortunately, the presentation was not recorded.
2022
OWASP Austin Chapter Meeting September 2022
When: Tuesday, September 27th, 2022 @ 11:30 AM - 1:00 PM
Presentation: Insider’s Guide to Mobile AppSec with OWASP MASVS w/ Brendan Hann
From the birth of MASVS and MSTG in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years… and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn 10 keys to mobile appsec leveraging OWASP MASVS and practical real-world experience.
Speaker:
Brendan Hann
As Product Marketing Manager for NowSecure, Brendan Hann focuses on equipping developers, security professionals and DevSecOps teams with best-of-breed mobile app security skills, tools and resources. His career has focused on helping organizations deliver innovative, secure applications at scale. Brendan’s track record of success with application and security teams spans NowSecure, Veracode and PayPal. Brendan has presented at OWASP Los Angeles, OWASP Columbus, OWASP Global AppSec 2021, Connect 2021, and DevOps World 2021. With experience in both web and mobile application security testing, Brendan provides a unique perspective on best practices and the successful deployment of DevSecOps.
OWASP Austin Chapter Meeting August 2022
When: Tuesday, August 30th, 2022 @ 11:30 AM - 1:00 PM
Presentation: API Security: When Failure looks like Success w/ Keith Casey
In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest: There's as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.
APIs are becoming a consistent and devastating attack vector for applications that store everything from financial records to passport information to what you’re looking for in a date. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.
Speaker:
Keith Casey
Keith Casey serves on the Product/GTM Team at ngrok helping teams launch their systems faster and easier than ever before. Previously, he served on the Product Team at Okta working on Identity and Authentication APIs, as an early Developer Evangelist at Twilio, and worked to answer the Ultimate Geek Question at the Library of Congress. His underlying goal is to get good technology into the hands of good people to do great things. In his spare time, he writes at CaseySoftware.com and lives in the woods. He is also a co-author of “A Practical Approach to API Design.”
OWASP Austin Chapter Meeting July 2022
When: Tuesday, July 26th, 2022 @ 11:30 AM - 1:00 PM
Presentation: 10lbs of tacos in a 5lb bag: Lessons Learned from Security Operations in a Dynamic and Resource Constrained Environment
Building security processes and teams is never easy but can be especially challenging in an evolving, fast-paced environment. In this presentation, one of the nation’s leading experts in herding cats will share their experience building a security presence, essentially, from the ground up at a company in the middle of its own transformation. Then, they will discuss some of the lessons learned and other takeaways in hopes that it might aid some of you in your journey.
Speaker:
Garrett Gross, Lvl 42 security wizard
Garrett Gross has over 20 years of experience in information security. His shared passion for technology, problem solving, and people has led Garrett to some incredible opportunities in the past but currently is the driving force behind his efforts as Sr Director, technical sales, at Huntress. In this role, Garrett is focused on driving revenue growth by building a global network of technical experts to support the sales enablement processes and effectively communicate the value of Huntress’s service offering.
Prior to that, Garrett has held a variety of technical responsibilities, including technical support, systems administration, network engineering, penetration testing, tools development, and building/leading security operations teams.
Garrett also serves as advisor to several security firms, contributes regularly to podcasts/webinars, competes in CTFs, and looks for ways to mentor those starting out in the security industry.
OWASP Austin Chapter Meeting June 28th 2022
When: Tuesday, June 28th, 2022 @ 11:30 AM - 1:00 PM
Title: Anonymity on the Internet
Presentation providing information about anonymity on the internet.
Speaker:
Josh Sokol, Chief Executive Officer / Chief Information Security Officer, SimpleRisk
OWASP Austin Chapter Meeting May 31st 2022
When: Tuesday, May 31st, 2022 @ 11:30 AM - 1:00 PM
Title: Hack your APIs in 15 min or less
It is very hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the future, basic attacks are occurring every day with little to no review. For example, a “dated trend” by effective yet lazy hackers is to search for APIs unknown to security teams, coined “Shadow APIs”, connect to these APIs, and extract data. While SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean “pay dirt” or “move on to the next target”, the same can be said for Shadow APIs: Find, Connect, Extract. This talk will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button (or a few lines of Python code :). Attendees will learn about a very basic yet not-so-obvious problem in securing data, and how hackers are using creative methods to steal large volumes of data.
Speaker:
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS & Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, when he and 3 friends started the west coast office of @stake, an information security firm that was later acquired by Symantec. In 2004, Himanshu co-founded iSEC Partners, an application security company that was acquired by the NCC Group in 2010. Himanshu has several publications, including six different books (Mobile Application Security, Hacking VoIP, Hacking Exposed: Web 2.0, Hacker’s Challenge 3, Storage Security, and Implementing SSH), and is the owner of one patent (Patent number 7849504). He has also presented at numerous conferences and is a six-time BlackHat speaker. Himanshu received a B.S. from the Carlson School of Management (University of Minnesota), where he was awarded the Tomato Can Loving Cup Award, which is given to the school’s top graduating student.
OWASP Austin Chapter Meeting April 26th 2022
When: Tuesday, April 26th, 2022 @ 12:00 AM - 1:00 PM
Title: ‘Securing the Edge’
We are moving to a new era of compute that is more democratized than ever, underpinned by 5G networks, and focused on “things enabled” experiences. We are moving closer to the edge! Edge can bring network and security closer together. Compared with legacy security controls, edge security controls need to provide broader, more centralized visibility across the entire attack surface.
Speaker:
Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business, revealed the findings of the most recent AT&T Cybersecurity Insights Report and discussed common architectures, use cases, and the perceived risk associated with edge deployments.
OWASP Austin Chapter Meeting March 29th 2022
When: Tuesday, March 29th, 2022 @ 12:00 AM - 1:00 PM
Title: Application security: Where it all started, where it is now, and where we (hope to) see it in 20 years
Twenty years ago acclaimed venture capitalist Ted Schlein at Kleiner Perkins asked a question that changed Roger’s life and ultimately changed the way we look at Security. The two would eventually found Fortify Software, the pioneering company that introduced SAST and RASP technologies to the market. Fortify also led an important change in thinking, a so-called “shift left”, placing security responsibility into the realm of software development. A lot has changed over those twenty years. In the early days, it was a challenge to give away software security solutions. Today, the leading software security companies are worth billions. Yet problems still persist and the landscape for software development has become vastly more complex. In this talk, Roger will share experiences from the early days while working as Fortify’s co-founder & CTO and later in the RASP market as a board member and advisor to Prevoty. He will share advice and insights into how the market and the technologies started, how they have evolved and where they are headed. Roger and Ted are co-founders once again. They recently founded Ballistic Ventures - the early stage venture capital firm solely dedicated to cybersecurity entrepreneurs. In his new role, he regularly meets leaders from both commercial industry and government to better understand their security challenges. He also sees fascinating ideas from cyber entrepreneurs on a daily basis. He will also share insights into the challenges that are the most fertile ground for a new generation of entrepreneurs. He might even ask a question that changes your life too.
Speaker:
Roger Thornton is a driving force behind hundreds of technology products and services that have formed and grown companies across a range of industries. As a founder and CTO, his visionary product and technology leadership helped create cybersecurity industry leaders Fortify Software and AlienVault. As an investor, mentor and board member he has helped multiple generations of entrepreneurs build more than 15 successful cybersecurity companies. In his General Partner role at Ballistic, Roger will tap into over 30 years of experience to counsel future generations of cybersecurity founders who are focused on building great products as a foundation for great companies.
OWASP Austin Chapter Meeting February 22nd 2022
When: Tuesday, February 22, 2022 @ 12:00 AM - 1:00 PM
Title: Security Observability 101: Thinking Inside the Box!
Software is incredibly hard to secure because it's a black box. We've spent decades struggling to verify properties of software from the outside by analyzing the source code, scanning, fuzzing, pentesting, etc... The goal of "security observability" is to expose exactly what's going on inside the box while it's running. Analyzing a running application has speed, accuracy, coverage, and scalability advantages that change the way Dev, Sec, and Ops communicate and work together. In this talk, you'll learn how to use the free and open source Java Observability Toolkit (JOT) project to easily create your own powerful "inside out" security tests without coding. You can use JOT to analyze security defenses, identify complex vulnerabilities, create custom sandboxes, and enforce policy at runtime. Ultimately, security observability enables DevSecOps to work together in harmony, so you can focus on delivering value at high velocity.
Speaker:
Jeff Williams. Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by EY. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 10 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown. Please connect on LinkedIn: https://www.linkedin.com/in/planetlevel/
OWASP Austin Chapter Meeting January 26th, 2021
When: Tuesday, January 25th, 2022 @ 12:00 AM - 1:00 PM
Title: CryptoParty
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF), wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speaker:
Josh Sokol
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
And others!
2021
LASCON 2021
When: Tuesday & Wednesday, October 26-27, 2021 (Pre-Conference Training), Thursday & Friday, October 28-29, 2021 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
It was great to be back to an in-person conference. Many thanks to those who attended!
OWASP Austin Chapter Meeting August 31st, 2021
Title: Securing Terraform State in an Azure DevOps Pipeline.
Terraform is a popular Infrastructure as Code ecosystem whose declarative and idempotent model relies on maintaining a state file which can contain sensitive information. The continuity and security of this file is important and this presentation discusses the investigation, lessons learned, thrills and chills of discovering how to secure and maintain this file in the context of corporate security requirements for a Fortune 75, Azure Cloud, and Azure DevOps.
Speaker:
Garth Boyd
Garth Boyd is a Senior Application Security Architect/Cloud Security Architect specializing in Secure Software Architecture and Ethical Hacking. He supports organizations wishing for a designer, creator, and breaker to help them on their security path. A lifelong learner who enjoys crafting solutions to interesting and tough problems through architecture, threat modelling, mitigation design, and penetration testing. Researching new ideas, troubleshooting, communication, and thinking of six impossible things before breakfast are part of the journey. Currently, Garth is the OWASP Ottawa Chapter Leader and an independent consultant working through his own company called Devious Plan.
OWASP Austin Chapter Meeting July 27th, 2021
Title: Make Your MFA Simple.
The number of downloads for Google's mobile 2FA authenticator is ~ 50M. That sounds like a big number ... until you compare it with the overall number of Android users, which is 2.5B. The percentage of users utilizing the authenticator is around 2%. You can add other popular authenticators like Symantec VIP, MS, Authy, but the percentage will still be around 3%. Given that all popular Internet companies do support this type of 2FA, the question arises: why is adoption of these 2FA tools so low? I personally can't think of anything else except usability and natural human laziness. In my presentation I'll take a look at what's available and how the usability of the authenticators can be improved to make them more popular and pervasive.
Speaker:
Oleg Gryb
OWASP Austin Chapter Meeting June 29th, 2021
Title: An alternative approach to security that will make you reassess everything you think you know about security, users, and your life.
Your security ideas are stupid - so I got some weird ideas and forced them to fit a narrative that shows that if we just do a Steve Jobs and "think differently" then maybe, just maybe, we can make a small dent in the security universe. As Abba once said, "Take a chance on me" because let's be honest, what's the worst that could happen? We could keep trying to do the same things and over the next 5 years the OWASP top 10 will look EXACTLY the same as it always has. Or we could try some of my radical ideas and the OWASP top 10 will look exactly the same. Or - bear with me - my radical ideas will change the world as we know it and future developers will laugh as to why the OWASP top 10 was even a thing back in the year 2021. In this talk, I shall convince you that:
- Psychology IS technology, and we need to understand people better
- Logical thinking is a bad idea
- Maths makes us appear clever, but act dumber
Speaker:
Javvad Malik is a security awareness advocate for EMEA at KnowBe4. A security professional of 20 years, Malik began his career as an IT security administrator. He’s since worked as a consultant, an industry analyst, and a security advocate. Malik is well-known within the information security industry, having spoken at many events and conferences around the world in addition to being a YouTuber, podcaster, blogger, and researcher. With a distinctive style, he takes a fresh and often innovative look at even mundane topics and presents them in an entertaining and informative light. Tackling the most complex issues with ease in this witty style is Malik’s forte.
OWASP Austin Chapter Meeting May 25th, 2021
Title: Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes
We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:
- Choosing what to focus your AppSec resources on
- How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
- How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
- How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company
Speaker:
Emma Jin is a software engineer at r2c, the company that maintains Semgrep, an open-source syntax-aware code search tool. At r2c, she has added features to Semgrep, such as typed metavariables. Emma recently received her B.S. in Computer Science from Carnegie Mellon University, where she picked up her belief in code guarantees. In her free time, she likes to read, write, and relearn her abandoned childhood skills. She is perpetually working on a novel.
OWASP Austin Chapter Meeting April 27th, 2021
Title: Biometrics and Privacy
The business use of biometric identification technology is becoming more prevalent, and with its growing adoption there is a growing number of state regulations concerning its use and related privacy and data handling issues. This talk will cover how biometric identification works in general and review the various state regulations and guidelines concerning how this unique form of personally identifiable information should be handled and stored.
Speaker:
Mary Haskett is the CEO and co-founder of Blink Identity, a venture-backed startup developing a unique privacy-preserving face recognition product that can identify people at full walking speed and in any lighting conditions. She got her start running a skydiving school and went on to start multiple companies which she grew to profitability without outside funding. She is a beekeeper, Techstars alumna and privacy advocate.
OWASP Austin Chapter Meeting March 30, 2021
Title: Successful Customer Engagements using the OWASP Mobile Application Security Verification Standard
The team will be discussing Mobile Application Penetration Testing from the perspectives of original scoping and testing using OWASP’s Mobile Application Security Verification Standard, including the various tools and resources available on both Android and iOS. We will be discussing not just the OWASP standard, but will also give advice on lessons learned through our engagements, highlighting several key issues and obstacles to consider for ensuring a successful experience for both the customer and your team.
Speakers:
Mark Spears, Solis Security - Sr. Security Consultant & Red Team Lead
Sam Danna, Solis Security - Security Consultant
Jon Adderholt, Solis Security - Security Consultant
Angela Lane, Solis Security – Project Manager
Mark, Sam, and Jon comprise the Offensive Security Operations (aka Red Team) at Solis Security, performing all sorts of engagements including Network, Web Application (including Mobile and APIs), Spearphishing, Wi-Fi, Hardware Hacking, and more.
OWASP Austin Chapter Meeting February 23, 2021
Title: AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Speaker:
Dan Cornell
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
OWASP Austin Chapter Meeting January 26th, 2021
When: Tuesday, January 26th, 2021 @ 12:00 AM - 1:00 PM
Title: CryptoParty
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and ongoing wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like Tor, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speaker:
Josh Sokol
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Mark Spears
Bertold Kolics
Bryn Schulke
2020
OWASP Austin Chapter Meeting October 27th, 2020
When: Tuesday, October 27th, 2020 @ 12:00 AM - 1:00 PM
Title: Mobile Security in a Remote World
Attacks on the endpoint are no longer limited to traditional endpoints like laptops and workstations; mobile devices have been ranked the #1 hardest enterprise asset to defend. Compounded by bring-your-own device policies, enterprises are struggling to protect themselves against a growing variety of mobile threats. In this session, we will dive into the challenges with securing mobile in the enterprise security space and the evolution of mobile device security. Join us to learn about why attackers are shifting to target mobile, validated by investigations from the Cybereason Nocturnus team, and how the enterprise security industry is moving to address them.
Speaker:
Allie Mellen has spent the past decade in engineering, development, and technical consulting roles at multiple venture-backed startups, as well as research roles at MIT and Boston University. Her passion is combining technology and entrepreneurship, having run her own successful iOS development company out of college and been an investment partner at a venture fund investing in student-run startups. She has worked with multiple nonprofits to teach engineering to students and minorities, including the Global App Initiative and WISP, and has mentored business students at Hult Business School. She received her B.S. degree in Computer Engineering, and has been recognized worldwide for her security research at conferences like Black Hat USA, DEFCON, HOPE, and others. She is now a security strategist in the Office of the CSO at Cybereason, where she is a frequent speaker at security conferences globally teaching about security and pushing the boundaries of the industry.
OWASP Austin Chapter Meeting September 29th, 2020
When: Tuesday, September 29th, 2020 @ 12:00 AM - 1:00 PM
Title: The Digital World War: Why You Need Military Veterans on Your Security Team
During this talk we will highlight some of the competencies needed for an effective cyber warrior and compare them with the skills forged through combat readiness training in the military. Furthermore, we will explore how we can create better security teams within our respective organizations to meet today’s information security needs. Finally, we will look at how cyber warfare is replacing traditional battlefields and how today’s transitioning veterans are looking for ways to continue the fight in the civilian world.
Speaker:
Sam Danna is a Security Consultant for Solis Security - an Austin-based security firm that performs DFIR, GRC, MSSP, and Penetration Testing. Sam is currently on the Red Team assisting in a variety of penetration testing projects. Prior to joining Solis, Sam served in the 82nd Airborne Division as a paratrooper in the infantry. Sam started his career in cybersecurity in 2019 after completing Microsoft Software and System Academy’s Cybersecurity Program.
Youtube: Here!
OWASP Austin Chapter Meeting August 25th, 2020
When: Tuesday, August 25th, 2020 @ 12:00 AM - 1:00 PM
Title: Strong network anonymity with mixnets
This talk will motivate the need for anonymity at the network layer and introduce basic anonymity concepts and metrics that are applicable to communication settings. We will review the relevant adversary models and introduce mixnets, a type of anonymous communication system that protects communications against more powerful adversaries than Tor. We will explain the different features that need to be considered when designing mixnet routing protocols and introduce the Nym mixnet architecture, which is currently being developed and implemented by Nym Technologies SA and already available as a testnet.
Speaker:
Claudia Diaz is Chief Scientist of Nym Technologies SA and an Associate Professor at the COSIC research group of the Department of Electrical Engineering (ESAT) at the KU Leuven, where she leads the Privacy Technologies Team. She holds a Master's degree in Telecommunications Engineering at the University of Vigo (Spain, 2000), and a Ph.D. in Engineering at the KU Leuven (Belgium, 2005). Her research is focused on the design, analysis, and applications of technologies to protect online privacy, and in particular technologies that offer protection for metadata to prevent traffic analysis, tracking, localisation, or behavioral profiling. Detailed information is available here: Claudia Diaz
Youtube: Here!
OWASP Austin Chapter Meeting July 28th, 2020
When: Tuesday, July 28th, 2020 @ 12:00 AM - 1:00 PM
Title: The Spice Must Flow: AppSec for DevOps
Your approach to application security will likely be dictated by your team’s role in the development process. Developers will usually gravitate to SAST and security engineers to DAST but what about everyone in between? Should DevOps try to adopt these strategies, modify them, or reinvent the wheel?
In this session, we’ll discuss several different approaches that you can take when rolling out your application security strategy that keep DevOps top of mind.
Speaker:
Garrett Gross received his first modem at age six and has been plugged in ever since. Today, he is a technical advisor for the VRM practice at Rapid7, specializing in application security. Garrett serves as an interdepartmental liaison, a global escalation layer for the practice, and provides technical enablement across all organizations. He has served in various information technology roles in a myriad of environments, ranging from systems administration in higher education to network engineering at security startups. Garrett has been a hacker and technophile his entire life, loving nothing more than discovering new ways to make and break things.
Youtube: Here!
OWASP Austin Chapter Meeting May 26th, 2020
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Architecting for Security in the Cloud
Emergency fill-in presentation. Josh presented on best practices and lessons learned from architecting SimpleRisk in cloud providers.
Speaker:
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Youtube: Here!
OWASP Austin Chapter Meeting May 26th, 2020
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Why is Organizational Change Management important in Cybersecurity for healthcare
Digital transformation in the Health Sector has been underway for many years, and the issue of security has become increasingly problematic and costly to the healthcare ecosystem. New innovations and legacy systems create the need to be more secure in order to protect your healthcare data. A 2013 Presidential directive put healthcare in the critical infrastructure with other industries. Today with Covid-19 it is more necessary than ever.
The talk covers why it is risky not to have a change model to help accelerate adoption and awareness of a better cybersecurity posture in healthcare, and how culture plays an important role in addressing cybersecurity in healthcare.
Speaker:
Hazel arrived in Austin under 2 years ago from the UK, having worked in healthcare for over 16 years. She is a highly organised leader, consultant and advisor in EPR deployments in both private and government organizations. Hazel specializes in architecting change to support business transformation, leveraging deep industry experience where she headed up ventures in the UK, Ireland, and Europe. She brings value to organizations by ensuring operational readiness, driving faster adoption, and getting engagement from the right people to accelerate business change, which delivers cost benefits in an efficient and effective manner. Her recent work here in the US has been in cybersecurity in healthcare, working with Health2047, the innovation and investment organization of The American Medical Association, where Health2047 is transforming healthcare to better protect patient healthcare data.
Youtube: Here!
OWASP Austin Chapter Meeting April 28th, 2020
When: Tuesday, April 28th, 2020 @ 11:45 AM - 1:00 PM
Title: Incident Response is haaaaard, But it doesn’t have to be – PREPARE NOW
So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that a system has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you quickly and easily investigate it? You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used. Let’s take a look at how we do Incident Response on a system and what you can do to prepare for an inevitable event.
How is your logging? Is it enabled? Configured to some best practice? (Hopefully better than an industry standard that is seriously lacking.) Have you enabled some critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all of your systems and retrieve the results? Do you block some well-known exploitable things? How do you know?
Everything mentioned here is FREE and you already have it!
This talk will describe these things and how to prepare, and be PREPARED to do Incident Response, yes, even for DevOps. A few tools will be discussed as well that you can use to speed things up.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the inevitable, an incident.
Speaker:
Michael Gough is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences, helping to educate on security that attendees can go back to work and actually do. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits Windows settings, harvests and reports on malicious Windows log data, and evaluates for malicious system artifacts. Michael also blogs at HackerHurricane.com on various InfoSec topics. For the infosec community at large, Michael ran the BSides Texas entity (managing BSides conferences in Austin, San Antonio, Dallas and Houston) for six years and led the Austin BSides conference.
OWASP Austin Chapter Meeting March 31st, 2020
When: Tuesday, March 31st, 2020 @ 11:45 AM - 1:00 PM
Title: Secure Application Development (with Cloud)
Most of us have developed software in one form or the other over our careers. Have we paid attention to all domains of the software lifecycle? This is a walkthrough of those domains that should span development from cradle to grave of any software development lifecycle, with a focus on security. We will follow that by a quick demo of how CI/CD and DevSecOps practices can help us address these concerns for deployment to cloud providers like AWS and Azure in a hybrid cloud environment.
Speaker:
Sam Gamare is an Austin, Texas-based Enterprise Architect who works for Dell Technologies. He has a broad IT background spanning two decades of experience in several roles across several different industries, from Fortune 500 (like Dell, General Motors, Citibank, JPMorgan, Wendy’s, and several others) to State government (Texas / Indiana). His work focuses on designing solutions that solve problems for his business customers, with solutions that span several technologies like .NET/Java/Open Source, across several development domains that include the database, network, security, and cloud-based deployments. He has a passion for security and development. He holds several certifications that span AWS Architect Associate, AWS Developer Associate, Certified Scrum Master (CSM), and CISSP. In his free time, he entertains himself with Raspberry Pi and tech books.
OWASP Austin Chapter Meeting February 25, 2020
When: Tuesday, February 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Using Nmap’s XSLT switch to better organize result scan data
Nmap is an old friend and one of the most-used tools in our box. On scans against large-scale networks, identifying ports with web applications might be easy using some common command line switches, but gathering the normal output to enumerate and identify targets is difficult. This talk is about using Nmap's XML output switch combined with customized XSLT documents to save time and organize the output in a format, such as CSV, that provides penetration testers with richer analysis capabilities, or even HTML that is "report ready". We will look more closely at the XML output that Nmap provides (including NSE data) and learn how XSLT can be harnessed to derive usable custom documents. This talk will have application to some or all of the following OWASP testing procedures:
- ASVS 9 Communication Security Requirements (9.1.1, 9.2.2)
- OTG-INFO-004 Enumerate Applications on Web Server
- OTG-CONFIG-006 Test HTTP Methods
- OTG-CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- …others, as NSE scripts are applicable
- the Penetration Testing Execution Standard
Speaker:
Mark Spears is a Sr. Security Consultant for Solis Security - an Austin-based security firm that performs DFIR, GRC, MSSP, and Penetration Testing - where he currently leads the Red Team doing a lot of IP-based and Web Application testing while mentoring his younger peers.
Throughout Mark's 20+ years in the industry, he has been a:
- Programmer in a wide range of compiled and scripted languages but focused mainly on the Microsoft stack
- Teacher at different schools on all topics of database design, coding, and web development.
- Entrepreneur who wrote payments software as a Level 1 PCI Gateway and acted as CISO for 8 years until helping bring the company to a sale.
- Virtual CISO for several companies simultaneously including multiple banks providing monthly security services, audit support, and annual Risk Assessments based on GLBA or other needed compliance frameworks.
- Constant student and teacher seeking mentors while mentoring.
Austin Security Professionals Happy Hour sponsored by Sonatype and NowSecure, February 13, 2020
When: Thursday, February 13th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsors: Sonatype and NowSecure
OWASP Austin Chapter Meeting, January 28, 2020
When: Tuesday, January 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OWASP Austin CryptoParty!
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and ongoing wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like Tor, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speakers: Josh Sokol, Sam Gamare, Pradeep Nambiar
Austin Security Professionals Happy Hour sponsored by Pure Storage, January 9, 2020
When: Thursday, January 9th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsor: Pure Storage
2019
LASCON X
When: Tuesday & Wednesday, October 22-23, 2019 (Pre-Conference Training), Thursday & Friday, October 24-25, 2019 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
We had a great time celebrating our 10th year anniversary of LASCON. Many thanks to those who attended!
OWASP Austin Chapter Meeting, September 24, 2019
When: Tuesday, September 24th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OAuth 2.0 Misimplementation, Vulnerabilities and Best Practices
OAuth 2.0 is an authorization framework that enables third party applications to obtain temporary limited authorization to access a protected resource on behalf of a resource owner. The framework is defined by authorization interactions that are each scoped to the type of client obtaining authorization and the type or types of resource owners that must grant access. Diverging from these defined scopes can open up various interception and redirect attack vectors that can grant a malicious actor access to protected resources. For this talk, we will be discussing Public Clients vs Confidential Clients, User Authentication vs Client Authentication, Proof Key for Code Exchange (PKCE) for Public Clients, and how restricting certain OAuth flows to either Public or Confidential Clients is required to mitigate unauthorized access to protected resources.
Speaker: Pak Foley
Pak Foley is a Security Engineer at Procore Technologies. He has specialized in Identity and Access Management with a focus on architecting enterprise OAuth and SAML solutions for authentication and authorization throughout distributed systems. With a passion for OAuth in particular, he has spent much of his time seeking out and mitigating vulnerabilities from misimplemented OAuth solutions and contributed to the open source Rails OAuth provider, Doorkeeper. His passion for securing web applications has prompted his recent move from IAM to security.
Austin Security Professionals Happy Hour sponsored by Synack, September 12, 2019
When: Thursday, September 12th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Synack
OWASP Austin Chapter Meeting, August 27, 2019
When: Tuesday, August 27th @ 11:45 AM - 1:00 PM
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin TX 78757
Title: A Standards-Based Approach to Assessing Your Organization’s Cybersecurity Maturity
We were tasked with creating a roadmap for the National Instruments Information Security Program. While we had previously used a Gartner Maturity Model to figure out how far along our organization was, we found their recommendations to be too high level to define an actionable roadmap. After some discussion, we determined that we could use the NIST Cybersecurity Framework to not only assess our maturity, but also define risk in our environment, and create a roadmap. This talk will not only show you how we did it, but how you can do it too!
Speaker: Josh Sokol and Alex Polimeni
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPS Can Byte Me” talk at Black Hat 2010, and recently completed a four year term serving on the OWASP Global Board of Directors.
Alex Polimeni runs the IT Compliance program at National Instruments. He gave his first security talk at BSides Austin in 2019 and is excited about sharing his experience with the OWASP crowd. He is a former boxer and once got stuck in a cave.
OWASP Austin Chapter Meeting, July 30, 2019
When: Tuesday, July 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Data Loss Prevention
Data is being produced and consumed at an exponentially increasing rate by organizations and individuals. Can firewalls truly prevent the loss, misuse, or unauthorized access of sensitive data? What are the standard methods for Data Loss Prevention? Who needs them? Are there any methods overlooked or underutilized? Why should a DLP strategy be the top priority for the organization?
Speaker: Shirish Patil
Shirish Patil has over 20 years of experience leading and implementing enterprise data management and architecture solutions for public and private sector organizations. His focus has been on enterprise-wide information and data management strategy, data architecture, data governance, data quality, data modeling, database performance and business intelligence capabilities. Shirish is based in Austin, Texas, with vast experience in IT and management consulting, and has been leveraging data, technologies and common sense to create strategies and solutions to achieve organizational goals for clients. Shirish is a consulting Lead Enterprise Data Architect in the Advanced Digital Technology and Analytics group at Grant Thornton in Austin, TX, defining their Enterprise Information and Data Management Strategy for the short term and long term. As a Lead Enterprise Data Architect at Sitek Inc., an IT consulting and services firm, Shirish has designed and architected several data-centric solutions for Texas Health and Human Services Commission (HHSC) and Duke Energy. The solutions were wide ranging, starting from basic database designs to laying the foundation for application scalability to enterprise-wide data initiatives and strategy for one of the largest Integrated Eligibility applications in the United States. Prior to engaging with Sitek Inc., Shirish consulted for Verizon Wireless and Deloitte. Before his time with these organizations, Shirish worked for the European analytics and regulatory reporting firm FRSGlobal and the major US lending company Mortgage Cadence through their partner firms. Shirish developed and managed regulatory reports, database platform migration and enhanced performance of the database design for these organizations and was recognized for his leadership and ability to execute with innovative approaches to database management. Shirish has presented at many international conferences as a keynote speaker on data management and data security topics.
He currently serves on Editorial Board, Technical Program Committee and Reviewer for several international journals and conferences on Databases and Data Mining, Database Management Systems, Computer Science, Cyber Security, Information Technology and Software Engineering.
Austin Security Professionals Happy Hour sponsored by Contrast Security, July 11, 2019
When: Thursday, July 11th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759.
Sponsor: Contrast Security
OWASP Austin Chapter Meeting, June 25, 2019
When: Tuesday, June 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Passwords are Secure
Do passwords really work? Can they? What are the alternatives? This talk will be a conversation about alternatives, and an open interchange of ideas. Everyone knows passwords are very difficult for users to deal with.
Speaker: Dovell Bonnett – “The Password Guy”
Dovell Bonnett has been creating computer security solutions for over 20 years. His passionate belief that technology should work for humans, and not the other way around, has led him to create innovative solutions that protect businesses from cyber-attacks, free individual computer users from cumbersome security policies, and put IT administrators back in control of their networks.
He has spent most of his career solving business security needs, incorporating multiple applications onto single credentials using both contact and contactless smartcards. The most famous example of his work is the ID badge currently carried by all Microsoft employees.
In 2005, he founded Access Smart LLC to provide logical access control solutions to businesses. His premiere product, Power LogOn, is an Identity Management solution that combines Multi-Factor Authentication and enterprise password management. Power LogOn is used by corporations, hospitals, educational institutions, police departments, government agencies, and more around the world.
Dovell is a frequent speaker and sought-after consultant on the topics of passwords, cybersecurity, and building secure, affordable and appropriate computer authentication infrastructures. His recent book is Making Passwords Secure: How to Fix the Weakest Link in Cybersecurity, and his new social media column is the Guardians of the Gateway.
OWASP Austin Chapter Meeting, May 28, 2019
When: Tuesday, May 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Schrodinger’s SOC - The Human Element of Information Security
People are what drive security; elements of that include salary, innovation, mission, education and peace of mind. Security as a career field is exhausting, even straining, and leaders in these spaces need to ask and listen to their practitioners. Anecdotally: I've witnessed security organizations ignored, yet praised by leadership for their work. Thus, does the security operation exist? Or is it too much of a cost center? How can leaders utilize their security assets for organizational and personnel growth? How can the security worker look towards a better work/life balance?
Speaker: Ricky Banda
Security professional with 8 years of experience in the field, 12 IT/Security certifications, 25 years old. His professional career began as a DoD intern for the 24th Air Force at age 17, due to his success with the CyberPatriot program. Recognized by the state of Texas, and an outspoken volunteer for public education cybersecurity initiatives. Specialty in incident handling, security architecture, and forensic analysis.
Austin Security Professionals Happy Hour sponsored by Qualys, May 9, 2019
When: Thursday, May 9th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Qualys
OWASP Austin Chapter Meeting, April 30, 2019
When: Tuesday, April 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Securing AWS: A Real-World Case Study
Using a cloud-first, governance-driven approach to reduce and mitigate the risks of managing privileged access and identities in an AWS environment, we'll review a real-world example of how a Fortune 500 company performs:
- Management of privileged access to AWS workloads
- Real-time monitoring and enforcement of baseline security policies on their AWS infrastructure
- Access visibility of federated identities to AWS objects on a periodic basis with continuous compliance controls
- Periodic certification process for critical resources hosted in their AWS ecosystem to ensure only authorized individuals have access to their AWS ecosystem
- AWS role lifecycle management and governance
Speaker: Diana Volere
Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as a Principal Solution Architect at Saviynt she works as a technical evangelist and strategist with partners and customers to help them derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work she loves travel, gastronomy, sci-fi, and most other activities associated with being a geek.
OWASP Austin Chapter Meeting, March 26, 2019
When: Tuesday, March 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Browser Hardening, Personal Security and Privacy Measures
In this day and age, it is becoming increasingly difficult to stay secure and private online. In this talk, we will show you how to harden your browser, along with a set of best practices aimed at improving one's security and privacy.
Speaker: Héctor Quartino
Héctor is the manager of the Product Security Engineering team at Oracle+NetSuite. He has been a software developer for more than 15 years in multiple technologies (Java, .NET and Web).
OWASP Austin Chapter Meeting, February 26, 2019
When: Tuesday, February 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Angular for AppSec Professionals
One of the most popular web frameworks is Angular. While you don't need to become an expert in new JavaScript frameworks to be able to conduct successful assessments of Angular applications, knowing the fundamentals and building blocks of that framework can definitely give you an advantage during the initial phases of an application security assessment. This talk aims to introduce application security professionals to the basics of AngularJS and Angular applications from a security standpoint. We will also demonstrate how to dynamically debug Angular code from the browser console. This allows us to change the behavior of an application by manipulating Angular components. With that knowledge in hand, we can start conducting a more in-depth analysis of Angular-based applications.
Speaker: Alex Useche
Alex is an Application Security Consultant at nVisium and has over 12 years of experience in the IT industry as a software developer, security engineer, and penetration tester. As a software developer, he has worked with and architected mobile and web applications in a wide range of languages and frameworks, including Angular, .NET and Django. While his expertise is in application security, Alex also has experience conducting penetration tests of internal and external networks. In his previous position, Alex led several projects aimed at building secure coding and DevOps processes for a mid-sized consultancy agency, as well as automating security analysis tasks. Alex has a Bachelor's in Information Technology and a Master's in Software Engineering. He has also conducted and published research on artificial intelligence technologies. Alex is actively working on developing security tools written in Go and participating in various bug bounties.
Austin Security Professionals Happy Hour sponsored by Secure | Austin, February 7, 2019
When: Thursday, February 7th, 6:00 pm - 8:30 pm
Where: 77º Rooftop Bar, 11500 E Rock Rose Ave, Austin, TX 78758
Sponsor: Secure | Austin
OWASP Austin Chapter Meeting, January 29, 2019
When: Tuesday, January 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OWASP Austin CryptoParty!
- Introduction (Josh Sokol)
- Phone as Security: the trifecta of Signal, Password Manager, and MFA (Dan Ehrlich)
- Hardware Security Keys (Ryan Breed)
- You are the captain of your Data (Shirish Patil)
2018
LASCON 2018
When: Tuesday & Wednesday, October 23-24, 2018 (Training Days), Thursday & Friday, October 25-26, 2018 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
Presentations and other information
OWASP Austin Chapter Meeting, September 25, 2018
When: Tuesday, September 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Scaling Your Cyber Security Threat Modeling
There are two schools of thought around threat modeling. One school advocates the creation of attack trees and data flow diagrams. This requires extensive, cross-functional security skills and is not a scalable approach. The other school encourages organic insertion of defenses based only on current context without "boiling the ocean". This lack of systems thinking leaves applications vulnerable, as exploits in a weaker component can open the door to critical systems. Part of the problem is that threat modeling today is largely an art. We need to inject more science into this domain and derive a repeatable and auditable approach that maps to risk. Such a model should abstract away the non-scalable elements and still provide a high degree of assurance in today's faster-velocity business context. This presentation will outline a threat modeling framework that abstracts traditional methods into systems, data, and people components. You will come away with an approach that takes away some of the scalability problems of traditional threat modeling, yet provides sufficient rigor and systems thinking to help manage risk.
Speaker: Pranoy De - Software Engineer
Pranoy currently works as a backend developer at Security Compass, helping to develop industry-leading application security products. Over the years, Pranoy has taken on a variety of roles, including working as a software consultant, working as a network engineer, and writing software for the VFX industry. As a network engineer, Pranoy primarily spent his time developing and conducting planned DDoS attacks for companies testing their defenses. This was his first position in the world of cybersecurity, and it eventually led to his current role in application security.
Austin Security Professionals Happy Hour, September 13, 2018 sponsored by LOG-MD
When: Thursday, September 13th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Thanks to our last-minute sponsor, Michael Gough with LOG-MD.
OWASP Austin Chapter Meeting, August 28, 2018
When: Tuesday, August 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Deploying a Secure NodeJS app with Docker and Kubernetes
Learn how to secure a NodeJS application from development to production. We will walk you through best practices of developing a NodeJS application with Docker and deploying it with Kubernetes while building security into each step of the process.
Speaker: Brett Stewart
Brett Stewart is Co-Founder and CTO of truFable. He has been a leader in the startup scene, previously serving as the lead software architect and advisor to CrowdFunder.com. Brett has consulted for some of the top brands in the tech and media industry and has spoken at several DevOps and security events. He works with organizations such as WeWork and Bunker Labs, assisting Veterans looking to take their tech startups to the next level.
OWASP Austin Chapter Meeting, July 31, 2018
When: Tuesday, July 31st @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Introduction to Electron Security
Electron is a framework for creating native applications with web technologies: it allows developers to build cross-platform desktop apps with JavaScript, HTML, and CSS. More and more companies, such as Slack, Microsoft, and Docker, have adopted Electron for desktop applications. This talk will go over the basics and the security implications.
Speaker: Marcus J. Carey
Marcus J. Carey is the founder and CEO of Threatcare. He is a hacker who helps organizations build, measure, and maintain cybersecurity programs. Marcus started his technology voyage in U.S. Navy Cryptology and went on to work at the National Security Agency (NSA).
Austin Security Professionals Happy Hour, July 12, 2018 sponsored by Rapid7
When: Thursday, July 12th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Rapid7
OWASP Austin Chapter Meeting, June 26, 2018
When: Tuesday, June 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: The State of DevSecOps
Call it what you will - DevSecOps, DevOpsSec, Rugged, Agile Application Security, Shift Left Unicorn Dust AppSec,... The face of security is changing. We'll go through the results of the DevSecOps Community Survey and examine the trends. Then we'll lead a group discussion on the topic. How have you tried to make security part of your SDLC? What have you seen work? What hasn't? What's important to you?
Speakers: Ernest Mueller and James Wickett
Austin Security Professionals Happy Hour sponsored by SecureWorks, June 14, 2018
When: Thursday, June 14th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: SecureWorks
OWASP Austin Chapter Meeting, May 29, 2018
When: Tuesday, May 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Trust: Designing Privacy, Consent, & Security into Your Products
Most software today collects and tracks as much data as possible with no concern for privacy or user consent. Consumers and regulations are starting to demand change. It's time to focus on building trust with our users. Our products should collect only what data is necessary, should always receive consent before collecting data, and should have proper security in place to protect collected data.
Speaker: Taylor McCaslin
Taylor McCaslin is a multi-disciplinary technologist and Product Manager living in Austin, Texas. He currently works as a Mobile Product Manager at Duo Security. Taylor is an advocate and defender of privacy, consent, and inclusion. Taylor graduated from The University of Texas at Austin, where he studied business, theatre, computer science, and digital art & media. For the past 6 years, he’s worked at enterprise-scale, hyper-growth technology companies including WP Engine, Indeed.com, and Bazaarvoice. Taylor also enjoys volunteering with local human rights and LGBTQ organizations around central Texas. https://www.taylormccaslin.com/
https://www.linkedin.com/in/taylormccaslin
https://twitter.com/digital_SaaS
Austin Security Professionals Happy Hour sponsored by DirectDefense, May 10, 2018
When: Thursday, May 10th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: DirectDefense
OWASP Austin Chapter Meeting, April 24, 2018
When: Tuesday, April 24th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Cloud Jacking
Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.
Speaker: Bryan McAninch
Austin Security Professionals Happy Hour sponsored by Cisco, April 12, 2018
When: Thursday, April 12th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: Cisco
OWASP Austin Chapter Meeting, March 27, 2018
When: Tuesday, March 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Cryptocurrencies - More than just bubbles, money and Dogecoins
Speaker: Arthur Kendrick
Austin Security Professionals Happy Hour sponsored by Critical Start and Mimecast, March 7, 2018
When: Wednesday, March 7th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Co-sponsors: Critical Start and Mimecast
OWASP Austin Chapter Meeting, February 27, 2018
When: Tuesday, February 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: DevSecOps Unplugged (Results from our latest research on DevSecOps)
There is a confluence of forces that disrupts the ability of organizations to implement DevSecOps effectively. We continue to increase our dependence on software, but teams are still relatively immature in developing securely. Our systems continue to grow exponentially more complex. With IoT starting to take off, there is no clear industry vision for securing these devices. Cybersecurity threats continue to rise. Even the most diligent teams find themselves subtly accumulating technical debt because they are unable to do the job right. This impact is felt across industries: telecommunications, financial, software development, transportation, and medical, just to name a few. So what is our response as security professionals? We have software tools and databases like the OWASP Top 10, CWE/CVE, SANS Top 25 and so on. But what we need is a set of patterns and anti-patterns for implementing DevSecOps. Our talk will highlight what we've observed in conducting research on Tier 1 peer-reviewed articles from 2016 to the present. We will present what seems to be emerging as a set of best practices as well as anti-patterns in DevSecOps.
Speaker: Altaz Valani
[https://vimeo.com/channels/owaspaustin/262482415 Vimeo]
Austin Security Professionals Happy Hour sponsored by RSA, February 8, 2018
When: Thursday, February 8th, 5:00 pm - 7:00 pm
Where: Baby A’s, 9505-B Stonelake Blvd, Austin, Texas 78759
Sponsor: RSA
OWASP Austin Chapter Meeting, January 23, 2018
When: Tuesday, January 23rd @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: CryptoParty
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear.
To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies for securing your chats, your phone calls, your e-mails, and your computer documents.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speakers: Josh Sokol, Bankim Tejani, Dave Sanford, David Vas, Michael Marotta, and Nate Sanders
[https://vimeo.com/channels/owaspaustin/254361873 Vimeo]
Presentation slides:
- [https://www.owasp.org/images/a/ac/OWASP-Austin-Mtg-2018Jan-CryptoParty-Josh-Sokol.pdf Josh Sokol - Introduction]
- [https://www.owasp.org/images/c/ca/OWASP-Austin-Mtg-2018Jan-CryptoParty-Bankim-Tejani.pdf Bankim Tejani - Secure Communication and Data Sharing with PGP]
- [https://www.owasp.org/images/8/89/OWASP-Austin-Mtg-2018Jan-CryptoParty-Dave-Sanford.pdf Dave Sanford - Decentralized IDs and Verifiable Claim]
- [https://www.owasp.org/images/8/8b/OWASP-Austin-Mtg-2018Jan-CryptoParty-Michael-Marotta.pdf Michael Marotta - Charles Babbage: Codebreaker]
- [https://www.owasp.org/images/9/9e/OWASP-Austin-Mtg-2018Jan-CryptoParty-David-Vas.pdf David Vas - Zero Knowledge Bets]
- [https://www.owasp.org/images/1/1a/OWASP-Austin-Mtg-2018Jan-CryptoParty-Nate-Sanders.pdf Nate Sanders - Keybase]
2017
LASCON 2017
When: Tuesday & Wednesday, October 24-25, 2017 (Training Days), Thursday & Friday, October 26-27, 2017 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
What: The Lonestar Application Security Conference (LASCON) is an OWASP conference held annually in Austin, TX. It is a gathering of 400+ web app developers, security engineers, mobile developers and information security professionals. LASCON is held in Texas where more Fortune 500 companies call home than any other state and it is held in Austin which is a hub for startups in the state of Texas. At LASCON, leaders at these companies along with security architects and developers gather to share cutting-edge ideas, initiatives, and technology advancements.
[https://lascon.org/lascon2017/ Presentations and other information]
OWASP Austin Chapter Meeting, September 26, 2017
When: Tuesday, September 26th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: How to create Purple Team Exercises, using the Cyber Kill Chain and Extended CKC as a framework
Purple Teaming is conducting focused Red Team engagements with clear training objectives for the Blue Team, with the ultimate goal of improving the organization's overall security posture. You don't necessarily need a 'red team'; anyone can do it. This talk will show how to build and plan cyber exercises, using the Cyber Kill Chain and Extended Cyber Kill Chain as a framework.
Speaker: Haydn Johnson
Austin Security Professionals Happy Hour, September 14, 2017
When: Thursday, September 14th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Contrast Security
OWASP Austin Chapter Meeting, August 29, 2017
When: Tuesday, August 29th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledge Proofs
You can ignore the Blockchain hype for identity solutions; it is superb marketing but suboptimal technology. You can also ignore biometrics for a spell. Instead, the real breakthroughs, especially in authentication, will be based on elegant math and crypto, e.g., Zero-Knowledge Proofs (ZKP). These have the added benefit of being privacy-preserving and amenable to user control of identity attributes. ZKP has been identified as a category for many other solutions in the future, not just identity. Conceived at MIT in 1985 by Shafi Goldwasser, ZKP is still young. You will see it in many other contexts as appreciation and recognition evolve.
Speaker: Clare Nelson, CISSP, CIPP/E
Clare's focus combines security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of EU regulations including GDPR and PSD2.
Clare’s early technical background includes software development of encrypted TCP/IP variants for NSA. She has held leadership positions in product management, marketing, and technology for companies including EMC2, Dell, Novell, and TeaLeaf Technology (IBM).
Clare is a co-founder of the mentoring organization, C1ph3r_Qu33ns. She headed ClearMark Consulting for 14 years, and she is currently Director, Office of the CTO at AllClear ID. She has a B.S. in Mathematics from Tufts University, and is a lifelong fitness enthusiast.
[https://vimeo.com/channels/owaspaustin/231902811 Vimeo] (apologies for the low audio)
Austin Security Professionals Happy Hour, August 10, 2017
When: Thursday, August 10th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Rapid7
OWASP Austin Chapter Meeting, July 25, 2017
When: Tuesday, July 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Frontline Web App Security
According to the Verizon DBIR (Data Breach Investigation Report) for 2016, web application attacks are the #1 source of data breaches. Web applications account for only 8 percent of overall reported incidents. However, attacks on web applications accounted for over 40 percent of incidents resulting in a data breach, and were the single-biggest source of data loss.
With those threats in mind, it has never been more important to ensure that companies have visibility into what is happening with their web apps. The most effective way to address application flaws and preemptively block unknown attacks is to have a close relationship with your web application firewall.
Static, signature based blocking is not enough to address never before seen attacks. In this talk, we will walk through scenarios that we have observed, talk about coding practices that enable your web app to be secured, and describe the steps that are taken to defend against critical web applications attacks.
Speakers: Paul Scott and Jason Payne
Paul Scott is an OWASP Houston chapter leader and the Manager of Alert Logic's Web Application Security Team. Jason Payne ran the Alert Logic Global Security Operations Center for nearly a decade and is now engineering solutions to defend systems, networks, and applications on premises and in the cloud.
[https://vimeo.com/channels/owaspaustin/231902836 Vimeo]
Austin Security Professionals Happy Hour, July 13, 2017
When: Thursday, July 13th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Technology Navigators
OWASP Austin Chapter Meeting, June 27, 2017
When: Tuesday, June 27th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Making Vulnerability Management Less Painful with OWASP DefectDojo
DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management with automation centered around templating, report generation, metrics, scanner consolidation, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to consolidate and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.
Speaker: Greg Anderson
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. His recent work has focused on advanced security automation to get the most out of application security programs. Greg's previous work, which was featured at DEFCON, focused on unconventional attack vectors and how to maximize their impact while avoiding detection. Greg is the creator of DefectDojo and was a Chapter Leader of OWASP San Antonio for two years. Feel free to chat him up about anything and everything.
[https://vimeo.com/223334540 Vimeo]
Austin Security Professionals Happy Hour, June 8, 2017
When: Thursday, June 8th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758
Sponsor: Cyberbit
OWASP Austin Chapter Meeting, May 30, 2017
When: Tuesday, May 30th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Annoying web app vulnerabilities: HTTP Request Smuggling, HTTP Response Splitting and Cross-Origin Resource Sharing Misconfigurations
Part 1:
**Abstract:** HTTP Request Smuggling is an attack capable of bypassing security protections and "poisoning the well" for caching web proxies. In this talk we'll be discussing attack scenarios and their security implications. **Speaker:** Gabriel has been actively involved in the security industry since 2007 and currently holds the position of security analyst at Rapid7.
Part 2:
**Abstract:** HTTP Response Splitting is a web application vulnerability that is often misunderstood, but can lead to a serious compromise. This talk will walk through the basics of Response Splitting, how an attack works, and what you can do to defend against it. **Speaker:** Ben Columbus is a security analyst for Rapid7, who specializes in network and web application penetration testing. He has been working in security for the last eight years in various positions and was previously a penetration tester for the State of Texas.
Part 3:
**Abstract:** The talk will provide information about headers used for Cross-Origin Resource Sharing (CORS) and how servers use these headers to communicate access policy to browsers. The possible security implications of misconfigured CORS headers will be discussed. **Speaker:** Jacob enjoys learning about security vulnerabilities and their usage in the real world.
[https://vimeo.com/219563653 Vimeo]
Austin Security Professionals Happy Hour, May 3, 2017
When: Wednesday, May 3rd, 5:00 pm - 7:00 pm
Where: Mister Tramps Sports Pub and Cafe, 8565 Research Blvd, Austin TX 78758 (different location and date to coincide with BSides Austin)
Sponsor: Rapid7
OWASP Austin Chapter Meeting, April 25, 2017
When: Tuesday, April 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: The CISO Playbook
The era of CISO-as-dictator is at an end. Growing cybersecurity with the business can be tricky and requires security leaders to find ways to get to “yes” with the business. This session will cover solid tactics to lead successful change throughout your organization.
Speaker: John McLeod
John McLeod is the CISO at AlienVault, responsible for cyber security in the enterprise and their products. John is a former Air Force Special Agent with over 20 years of experience in information security, including but not limited to criminal, counter-intelligence, fraud and computer crime investigations. Prior to joining AlienVault, he served as the Director of Information Security for National Oilwell Varco. His experience includes management roles for Halliburton, Mandiant, Guidance Software, and ManTech International. The US Intelligence community recognized him for his work in steganography. As a consultant, he responded to some of the most highly publicized cyber-attacks, including: Moonlight Maze, Titan Rain, Night Dragon, TJX and Operation Aurora. He holds a B.S. in Information Systems Management from the University of Maryland University College, and an M.S. in Network Security from Capitol College in Maryland. Additionally, he is a Certified Information Systems Security Professional (CISSP).
[https://vimeo.com/214731194 Vimeo] | [https://www.owasp.org/images/b/b5/OWASP-Austin-Chapter-2017-04_CISO-Playbook.pdf Presentation Slides]
Austin Security Professionals Happy Hour, April 6, 2017
When: Thursday, April 6th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Amazon
OWASP Austin Chapter Meeting, March 28, 2017
When: Tuesday, March 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: DevSecOps Lessons from Detroit to Deming
In 1982, the city of Detroit saw 15,000 vehicles roll off its production lines every day. To achieve this goal, Detroit's line workers were being measured on velocity, often at the expense of quality. At the same time, auto workers in Japan -- applying lessons from W. Edwards Deming -- were implementing new supply chain management practices which enabled them to manufacture higher quality vehicles, for less cost, at higher velocity. As a result, from 1962 to 1982, the Detroit auto industry lost 20% of its domestic market to Japan. The parallels between the auto industry of 35 years ago and software development practices in place today are remarkable. DevOps teams around the world are consuming billions of open source components and containerized applications to improve productivity at a massive scale. The good news: they are accelerating time to market. The bad news: many of the components and containers they are using are fraught with defects including critical security vulnerabilities. This session aimed to enlighten Security, DevOps, and development professionals by sharing results from the 2017 State of the Software Supply Chain Report -- a blend of public and proprietary data with expert research and analysis. The presentation also revealed findings from the 2017 DevSecOps Community survey where over 2,200 professionals shared their experiences blending DevOps and security practices together. Throughout the discussion, Derek shared lessons that Deming employed decades ago to help us accelerate adoption of the right DevSecOps culture, practices, and measures today.
Speaker: Derek E. Weeks
After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek became a huge advocate of applying proven supply chain management principles to AppSec practices to improve efficiencies and sustain long-lasting competitive advantages. He currently serves as vice president and DevSecOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of the All Day DevOps conference and the lead researcher behind the annual State of the Software Supply Chain report.
Vimeo: https://vimeo.com/210478219
Austin Security Professionals Happy Hour, March 9, 2017
When: Thursday, March 9th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Rapid7
OWASP Austin Chapter Meeting, February 28, 2017
When: Tuesday, February 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Building and Breaking Password Reset Mechanisms
It happens to everyone: you forgot your password. Now you need to get back into your account and prove you are who you say you are, but without using your password as proof. How, then, can that be done securely? More interestingly, how can it be done insecurely? This talk will dissect a number of security vulnerabilities found in real-world password reset mechanisms, and discuss how password reset mechanisms should be built.
Speaker: Dan Crowley
Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.
Austin Security Professionals Happy Hour, February 9, 2017
When: Thursday, February 9th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsor: Vectra Networks
OWASP Austin Chapter Meeting, January 31, 2017
When: Tuesday, January 31st @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Random Number Generation - Lava Lamps, Clouds and the IoT
Random numbers are the basis of security for all cryptography, yet they are often taken for granted. Learn why random numbers are so hard to generate and validate, compare different technologies in use today across virtualized environments, and discuss operational steps to take the risk out of random numbers and help secure cryptosystems even into the era of quantum computers.
Speaker: Richard Moulds
Vimeo: https://vimeo.com/202234199
Austin Security Professionals Happy Hour, January 12, 2017
When: Thursday, January 12th, 5:00 pm - 7:00 pm
Where: Sherlock’s Baker St. Pub & Grill, 9012 Research Blvd, Austin, TX 78758 (corner of Hwy 183 and Burnet Rd).
Sponsors: Bugcrowd and Rapid7