OWASP Austin - Past Events
Past Events
(see Past Events Archive for earlier events)
2024
OWASP Austin Chapter Meeting September 2024
When: Tuesday, September 24th 2024 @ 11:30 AM - 1:00 PM
Presentation: The Secure Development Lifecycle in Action: The Point, Purpose, and Rationale
The Secure Development Lifecycle (SDL) is a powerful construct that can advance security for both organizations with established security practices by shifting left, and immature organizations seeking a framework to implement security best practices in agile development. NI has been on a journey over the last several years to improve the security of its products driven by customer requirements, their expectations, and increasingly, regulations that require software to be developed with secure methodologies. Security is as much about a mindset and development culture as it is about tools, vulnerabilities, and security technologies. Learn how NI’s adoption of the Secure Development Lifecycle has created a framework for addressing various security challenges in web applications, microservices, and infrastructure.
Speaker:
Mark Black
Mark Black is the Chief Product Owner for Infrastructure and Security on NI’s enterprise software team. Mark has a passion for security, quality, and a customer-centric mindset. In Mark’s two decades in the industry, he has designed several products from tools for web application development to highly scalable big data and analytics solutions used in device validation and manufacturing. Additionally, Mark has designed the IAM solution for one of NI’s flagship enterprise products, SystemLink, and established the SDL practice used by teams throughout NI’s software development organization.
Link to video to be posted soon.
Austin Security Professionals Happy Hour sponsored by Checkmarx, September 12, 2024
When: Thursday, September 12th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Checkmarx
OWASP Austin Chapter Meeting August 2024
When: Tuesday, August 27th 2024 @ 11:45 AM - 1:00 PM
Presentation: How to protect WordPress or other CMS websites
In this presentation, we will walk through several real (anonymized) attacks on WordPress and other CMS sites: how those sites were attacked and how they were then protected from future attacks. Everyone attending should leave the presentation able to:
- Understand how these sites are attacked
- Recognize protections that may have already been in place but didn't work
- Know what measures were then put in place that worked
Speaker:
Mark Spears
Currently a Principal Security Consultant at Solis Security / CFC Response, Mark plays many roles helping customers as a:
- Virtual CISO
- Virtual Chief Zero Trust Officer
- Compromised Web Application – Live Response and Recovery
- Internal Mentor
Much of his most recent education and skill focus has been on helping companies with their attack surface area by implementing NIST 800-207 Zero Trust Architecture to reduce security risks. If not enjoying his work at Solis Security, he can be found practicing physical security, lock picking, social engineering, or hardware hacking. Otherwise, he is on a Harley Davidson somewhere doing karaoke and playing billiards.
No video
Austin Security Professionals Happy Hour sponsored by Trellix, August 8, 2024
When: Thursday, August 8th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Trellix
OWASP Austin Chapter Meeting July 2024
When: Tuesday, July 30th 2024 @ 11:45 AM - 1:00 PM
Presentation: Cyber Resilience - Findings from the 2024 Futures Report
We are poised on the precipice of a new era of computing underpinned by new networks, new apps, and a digital-first experience. Hear the latest findings from AT&T Cybersecurity research and learn about:
- What high-priority edge computing use cases are across seven industry markets
- How to secure and work with the edge ecosystem
- How the attack surface is changing
- How endpoints are diversifying
The data from this research helps audiences understand the challenges and opportunities of the future and examines:
- Balanced investment strategies
- Collaboration and communication needs
- Building with dynamic cyber resilience in mind
Security is now a critical part of business - learn how to move your team to the future!
Speaker:
Theresa Lanowitz
Theresa Lanowitz is a proven global influencer and speaks on trends and emerging technology poised to help today’s enterprise organizations flourish. Theresa is currently the head of cybersecurity evangelism at AT&T Business. Prior to joining AT&T, Theresa was an industry analyst with boutique analyst firm voke and Gartner. While at Gartner, Theresa spearheaded the application quality ecosystem, championed application security technology, and created the successful Application Development conference. As a product manager at Borland International Software, Theresa launched the iconic Java integrated development environment, JBuilder. While at Sun Microsystems, Theresa led strategic marketing for the Jini project – a precursor to IoT (Internet of Things). Theresa’s professional career began with McDonnell Douglas, where she was a software developer on the C-17 military transport plane and held a US Department of Defense Top Secret security clearance. Theresa holds a Bachelor of Science in Computer Science from the University of Pittsburgh, Pittsburgh, PA.
Austin Security Professionals Happy Hour sponsored by SecureLayer7, July 11, 2024
When: Thursday, July 11th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: SecureLayer7
OWASP Austin Chapter Meeting June 2024
When: Tuesday, June 25th 2024 @ 11:45 AM - 1:00 PM
Presentation: Full of SaaS and TOTALLY SECURE
Managing shadow IT in the age of SaaS application sprawl is an important component of managing risk, especially since so many of us depend on SaaS/PaaS as part of our critical infrastructure. However, traditional approaches (blocklisting, brute force, etc.) have proven ineffective and are, oftentimes, too late to prevent any real security issues. In this session, we’ll discuss some of the psychology behind why we’re referred to as the “department of NO” as well as how to start shifting that perception. You will also learn of some tactics to identify and mitigate shadow IT as well as proactive measures that may help avoid future sprawl.
Speaker:
Garrett Gross
Garrett Gross, a seasoned cybersecurity professional with over twenty years of experience, currently holds the position of Head of Product at Nudge Security. His primary focus is on implementing innovative strategies to address SaaS sprawl and mitigate the risks associated with shadow IT. With a strong background in security operations, incident response, and threat research, Garrett's expertise and dedication to the field are evident. He actively contributes to the cybersecurity community by collaborating with organizations such as OWASP and ISSA, aiming to elevate industry standards and best practices.
Austin Security Professionals Happy Hour sponsored by Checkmarx, June 13, 2024
When: Thursday, June 13th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Checkmarx
OWASP Austin Chapter Meeting May 2024
When: Tuesday, May 28th 2024 @ 11:45 AM - 1:00 PM
Presentation: Digital Deceit and AI Hallucinations: Safeguarding the Software Supply Chain
The presentation unites Tyler Agypt's expertise in a riveting exploration of software supply chain threats, spanning traditional dangers to the novel challenge of AI Package Hallucination. Agypt, VP of Global Enablement at Checkmarx, exposes the hidden risks in software dependencies and the emerging threat of artificially generated, nonexistent code packages. Through real-world examples and insights from over 1 million malicious packages, he reveals the deceptive practices endangering our digital ecosystem, from Dependency Confusion to Star-Jacking to Repo-Jacking. Agypt advocates for robust defensive strategies, tools, and improved dependency management to counteract these threats. This presentation is a call to action for the developer and cybersecurity community to elevate their vigilance and adopt a proactive stance against the evolving challenges in software supply chain security. Join this enlightening session for a comprehensive understanding of both traditional and AI-induced vulnerabilities, and equip yourself to better face tomorrow's cybersecurity challenges.
Speaker:
Tyler Agypt
Tyler Agypt, VP of Global Enablement at Checkmarx, is an Application Security evangelist and tech enthusiast. With a career focused on the intersection of software development and AppSec, Tyler brings a deep understanding of how to combat emerging threats within applications. Known for his voracious appetite for learning and problem-solving, he delves into customer AppSec programs, offering insights into tackling security challenges. Tyler's unique combination of expertise, passion, and approachability makes his speeches a must-see, promising attendees not just valuable learnings but also inspiration to delve deeper into the world of Application Security.
Austin Security Professionals Happy Hour sponsored by Cequence, May 9, 2024
When: Thursday, May 9th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Cequence
OWASP Austin Chapter Meeting April 2024
When: Tuesday, April 30, 2024 @ 11:45 AM - 1:00 PM
Presentation: The Truman Show: Real-world application attacks instead of canned demos
In this presentation, Kevin Johnson of Secure Ideas will walk attendees through various scenarios used in penetration testing of applications. These demonstrations will use real attacks and discuss how a penetration tester views applications. This talk will explain the mindset of an attacker, using actual applications as well as demonstration apps to allow for exploitation.
Speaker:
Kevin Johnson
Kevin Johnson is CEO of Secure Ideas, a consulting company dedicated to security testing and training. Kevin passionately advocates for cybersecurity through his work with Secure Ideas, as a global board member for OWASP and as a faculty member at IANS. During his over 30 years in the industry, Kevin acted as an instructor and author for the SANS institute. He also contributed to a number of open-source projects, including OWASP SamuraiWTF (a web pen-testing training environment), Laudanum (a collection of injectable web payloads) and Yokoso (an infrastructure fingerprinting project) and was the founder and lead of the BASE project for Snort. Kevin has served as an expert witness in court cases involving cybersecurity.
Austin Security Professionals Happy Hour sponsored by Riscosity, April 11, 2024
When: Thursday, April 11th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Riscosity
OWASP Austin Chapter Meeting March 2024
When: Tuesday, March 26, 2024 @ 11:45 AM - 1:00 PM
Presentation: Protecting Sources and Methods – The Magic of Runtime Security
Application and API stacks are full of dangerous over-powered methods. These lurking menaces are built into libraries, frameworks, appservers, and runtime platforms. They do crazy things (from a security perspective) like start native processes, parse XML documents, evaluate expressions, and deserialize objects. And they are totally unprotected. Developers can use them without restriction, and attackers can target these binary Bambis without being detected or stopped. Unfortunately, the security of the entire digital ecosystem is entirely reliant on getting developers to take the right steps to use these methods safely… but it’s way too hard.
In this talk, we’re going to dive into “runtime security” – a powerful technology that automatically adds powerful trust boundaries to these dangerous methods without requiring any code or process changes. Runtime security enables all four of these key capabilities:
- Finding zero-day vulnerabilities in custom code and libraries in real time
- Finding known vulnerabilities in libraries and understanding their exploitability
- Preventing vulnerabilities from being exploited in production
- Creating a digital blueprint of security to drive threat modeling, penetration testing, and risk management
In essence, Runtime Security is a comprehensive approach to app/API security that can replace your suite of legacy tools. Runtime security is already in use in hundreds of thousands of critical apps/APIs in some of the biggest companies in the world. During our session, you’ll learn how to use Runtime Security to streamline application security, accelerate innovation, and improve security at the same time.
Speaker:
Jeff Williams
Jeff is a veteran application security expert who founded and led OWASP, Aspect Security, and Contrast Security. He also created several highly successful open-source projects, including jbom, jot, OWASP Top Ten, WebGoat, ESAPI, ASVS, and more. Jeff serves as an advisor to NIST, CISA, PCI Council, OASIS SARIF, OWASP CycloneDX, Eclipse Foundation, and advises many companies and agencies on application security. He has a BA from Virginia, an MA from George Mason, and a JD from Georgetown. He's also a two-time master’s basketball national champion who would love to connect on LinkedIn: https://www.linkedin.com/in/planetlevel/
Austin Security Professionals Happy Hour sponsored by IriusRisk, March 14, 2024
When: Thursday, March 14th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar at the Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: IriusRisk
OWASP Austin Chapter Meeting February 2024
When: Tuesday, February 27, 2024 @ 11:45 AM - 1:00 PM
Presentation: API Security flaws that are commonly exploited
As more and more development focuses on APIs to make things faster and easier, security needs to be pushed more toward the front. Mistakes that were corrected in web application security have now returned, because APIs aren’t offered the same protections: they usually sit outside the normal flow of security tooling such as WAFs. This means identifying and fixing flaws prior to production is important. This discussion will be around lessons learned from testing and breach data, with an eye for prevention.
Speaker:
Jason Kent
For the last 25 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he has taken hundreds of organizations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research and community outreach and supports efforts in identifying automated attacks against web, mobile, and API-based applications to keep Cequence's customers safe.
Austin Security Professionals Happy Hour sponsored by Riscosity, February 8, 2024
When: Thursday, February 8th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Riscosity
OWASP Austin Chapter Meeting January 2024
When: Tuesday, January 30th, 2024 @ 11:30 AM - 1:00 PM
Presentation: Open Mic! (various speakers)
Open Mic! Anyone who wants to talk about AppSec or other security topics is welcome!
Speaker:
Josh Sokol, Kyle Smith, and others!
No video was recorded.
Austin Security Professionals Happy Hour sponsored by Salvador Technologies, January 11, 2024
When: Thursday, January 11th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Salvador Technologies
2023
OWASP Austin Chapter Meeting September 2023
When: Tuesday, September 26th, 2023 @ 11:30 AM - 1:00 PM
Presentation: Reducing Alert Fatigue with SCA and Container Scans: Correlate, Prioritize and Filter Based on Usage
Scenario: Your application is composed of 12 Docker containers. Together they have 400 packages. When you run a container scan with an SCA (software composition analysis) tool, you notice that 120 of them have vulnerabilities. Your security team is asking you to fix all the critical and high vulnerabilities, but your dev/devops team doesn’t have the cycles. What do you do? Today, developers and devops engineers are being asked to address vulnerabilities and supply chain risks in container images. However, the volume of noisy security alerts often leads to developers ignoring them entirely or wasting valuable sprint time researching “false positives.” Kiran will focus on how engineering teams can correlate vulnerabilities with runtime information, prioritize alerts based on usage, and filter out false positives that don’t represent a true exposure of a vulnerability. Prioritizing security updates to only the packages actually used in your container image is a highly effective approach to reducing alert fatigue with your container scans. In addition, your DevOps team can even consider removing some of the unused packages and shrinking your container images. He'll also include a demonstration of a typical SCA static container scan of a sample open-source test application, and then show how an engineering team can filter alerts so that the number of vulnerable-and-used alerts that actually need to be fixed by developers drops by up to 90%.
Speaker:
Kiran Kamity, Founder & CEO, Deepfactor
Kiran Kamity is a serial Silicon Valley entrepreneur with a passion for building products that meet a need and make a business impact—with Deepfactor that’s empowering engineering teams to create secure cloud native applications. Prior to Deepfactor, Kiran was the Head of Product at Cisco Cloud BU, Founder/CEO at ContainerX (acquired by Cisco), and the Founder/VP at RingCube (acquired by Citrix). Kiran is a TEDx speaker and loves nature, travel, and food.
Austin Security Professionals Happy Hour sponsored by Solis, September 14, 2023
When: Thursday, September 14th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Solis
OWASP Austin Chapter Meeting August 2023
When: Tuesday, August 29th, 2023 @ 11:30 AM - 1:00 PM
Presentation: Undercover Agent in Chinese Card Shop Ecosystem: Become a Phishing Master
Personally Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in the USA set records in 2022. Where was this information leaked and sold in the first place? The term "dark web" refers to websites that are inaccessible without the Tor protocol; given the added privacy and anonymity Tor provides, marketplaces on it have proven very attractive to criminals. An anonymous researcher will share experiences of dealing with vendors from card shops on dark web marketplaces, focused on insights into shops selling American PII and, therefore, the TTPs of the hackers behind these card shops. We hope to inspire audiences to rethink how to reduce credit card fraud.
Speaker:
Strawberry Donut
A data scientist specializing in fraud detection and machine learning. Apart from eating strawberry donuts, she is also interested in dark web analysis, threat intelligence, and anti-fraud social engineering. She has extensive anti-fraud experience at top banks, securities firms, and internet companies, has been an invited speaker at BLUE CODE and HITCON, and is an ACAMS (Certified Anti-Money Laundering Specialist) member.
No video was recorded.
OWASP Austin Chapter Meeting July 2023
When: Tuesday, July 25th, 2023 @ 11:30 AM - 1:00 PM
Presentation: Every Risk is Not a CVE: Bolster up Against Software Supply Chain Attacks
Session Detail: 3rd party and open-source software components are both desired and indispensable ingredients used throughout the development lifecycle, but their consumption comes with considerable security risks, both for the developer herself and her downstream users. The rise of corresponding security incidents demonstrates that adversaries discovered those attack vectors as a viable and scalable attack pattern.
Speaker:
Divya Rao
Divya Rao is a Dependency Management Specialist at Endor Labs. She has a technical background with experience spanning engineering, operations, and sales at Stanford Medical and Indeed before focusing on cybersecurity startups. She is proud to be part of a great team at Endor Labs doing her part in pushing the boundaries of open-source software code governance and application security.
Austin Security Professionals Happy Hour sponsored by SecureLayer7, July 13, 2023
When: Thursday, July 13th, 5:30 pm - 7:30 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: SecureLayer7
OWASP Austin Chapter Meeting June 2023
When: Tuesday, June 27th, 2023 @ 11:30 AM - 1:00 PM
Presentation: 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem
We are poised on the precipice of a new era of computing underpinned by new networks, new apps, and a digital-first experience. Hear the latest findings from AT&T Cybersecurity research and learn about:
- What high-priority edge computing use cases are across seven industry markets
- How to secure and work with the edge ecosystem
- How the attack surface is changing
- How endpoints are diversifying
The data from this research helps audiences understand the challenges and opportunities of the future and examines:
- Balanced investment strategies
- Collaboration and communication needs
- Building with dynamic cyber resilience in mind
Security is now a critical part of business - learn how to move your team to the future!
Speaker:
Theresa Lanowitz
Theresa Lanowitz is a proven global influencer and speaks on trends and emerging technology poised to help today’s enterprise organizations flourish. Theresa is currently the head of cybersecurity evangelism at AT&T Business. Prior to joining AT&T, Theresa was an industry analyst with boutique analyst firm voke and Gartner. While at Gartner, Theresa spearheaded the application quality ecosystem, championed application security technology, and created the successful Application Development conference. As a product manager at Borland International Software, Theresa launched the iconic Java integrated development environment, JBuilder. While at Sun Microsystems, Theresa led strategic marketing for the Jini project – a precursor to IoT (Internet of Things). Theresa’s professional career began with McDonnell Douglas, where she was a software developer on the C-17 military transport plane and held a US Department of Defense Top Secret security clearance. Theresa holds a Bachelor of Science in Computer Science from the University of Pittsburgh, Pittsburgh, PA.
OWASP Austin Chapter Meeting May 2023
When: Tuesday, May 30th, 2023 @ 11:30 AM - 1:00 PM
Presentation: How Zero Trust can improve your web application security
In this presentation, we will review some of the Zero Trust concepts and roadmap some adoption schemes. We will dive into some examples of using these concepts to improve and provide better controls around:
* Setup and configuration of Zero Trust services
* Developer access and code security gains
* Exposing internal web sites securely with MFA (even if not designed with MFA), with user- and group-driven policies and without a VPN
* Gaining a WAF by exposing internal web sites through browser-based Zero Trust Network Access
* Dealing with 3rd party access to internal web sites
Speaker:
Mark Spears
Currently, Mark is a Principal Security Consultant at Solis Security. Having spent significant time as a network defender and vCISO writing and testing InfoSec programs and dealing with auditors and endless reporting, he also started the OffSec program at Solis Security. Red Pill or Blue Pill. A lot of his most recent education and skill focus has been on helping companies with their web application security through Secure-SDLC practices, including configuration of Web Application Firewalls and Zero Trust solutions. If not enjoying his work at Solis Security, he can be found practicing physical security, lock picking, social engineering, or hardware hacking. Otherwise, he is on a Harley Davidson feeding his inner rebel!
Austin Security Professionals Happy Hour sponsored by Optiv, May 11, 2023
When: Thursday, May 11th, 5:00 pm - 7:00 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Optiv
OWASP Austin Chapter Meeting April 2023
When: Tuesday, April 25th, 2023 @ 11:30 AM - 1:00 PM
Presentation: The Three Trends Driving Cybersecurity Forward in 2023
Dramatic trend shifts in threat management and data protection are having a profound impact on cybersecurity best practices. This session will explore these trends, with an emphasis on pragmatic use cases, delivered by a 29-year cyber veteran from IBM’s Security business.
Speaker:
Patrick Wardrop
Patrick Wardrop is currently the engineering director for the identity and access management products under the Verify brand at IBM Security. He manages a large worldwide engineering organization in nine time zones and eight countries. Patrick has more than twenty years of experience in enterprise software development and security solutions for several industry verticals. He has more than twenty US-issued patents and more than forty worldwide issued patents and obtained the Master Inventor designation at IBM.
Austin Security Professionals Happy Hour sponsored by Checkmarx, April 13, 2023
When: Thursday, April 13th, 5:00 pm - 7:00 pm
Where: Lavaca Street Bar @ Domain Northside (Rock Rose District), 11420 Rock Rose Ave #100, Austin, TX 78758.
Sponsor: Checkmarx
OWASP Austin Chapter Meeting March 2023
When: Tuesday, March 28th, 2023 @ 11:30 AM - 1:00 PM
Presentation: API Risk Management
Web applications are prone to various cybersecurity risks. Did you know that 96% of these web applications contain some open source? Furthermore, did you know that 99% of such open source contains some Web APIs? You may be surprised to know that Web APIs contribute 83% of the traffic over the internet. Unfortunately, this growing API usage also means growing cybersecurity risks. Although APIs benefit organizations immensely through accelerated innovation, newer business models, and competitive differentiation, organizations are also negatively impacted by APIs due to their weak security posture, leading to business disruptions and legal and compliance issues. Gartner has actually predicted that by 2022, API abuses will be the most frequent attack vector resulting in data breaches for web applications. Given the importance of APIs for digital transformation at organizations, it is imperative for their Security, Compliance and Audit professionals to get a handle on APIs to manage various API-related risks. This session will provide an overview of an API Governance framework for effective API Risk Management. This framework is inspired by the Zero Trust model, and enterprises can use it as a “Swiss Knife” for reducing their API-related risks. We’ll also highlight best practices and hands-on examples for API Risk Management.
Speaker:
Dr. Baljeet Malhotra
Dr. Baljeet Malhotra is an award-winning researcher known for his work in Open Source and API Data Management. He conceptualized the world's first "API Composition Analysis" based on source code static analysis. He founded TeejLab in 2017 and steered the team to build API Discovery and Security™, the world's first comprehensive end-to-end API Management platform. Prior to TeejLab, he established the R&D unit of Black Duck Software (acquired by Synopsys) in 2016, and he has also served as Research Director at SAP. He received a PhD in Computing Science from the University of Alberta and won several awards, including NSERC (Canada) scholar in 2005 and Global Young Scientist (Singapore). He concurrently holds Adjunct Professor positions at the University of British Columbia, University of Victoria and University of Northern BC.
OWASP Austin Chapter Meeting February 2023
When: Tuesday, February 28th, 2023 @ 11:30 AM - 1:00 PM
Presentation: AppSecOps - a Scalable Approach to Application Security
Today many unforeseen factors are driving AppSec chaos... We have found about 3-4 TOP challenges every vertical is seeing in today's frugal market. The factors range from simple to hilariously unattainable! I aim to give you a few tips and steps to overcome some if not ALL of them and create an organization able to ship software fast and secure! All the while addressing current events happening in the market and how to avoid potential potholes.
Speaker:
Luis Guzman
Enterprise Information Security expertise within Management, Pro Services Consulting, Security Architecture, Security Engineering and Sales! For the last twelve years he has been laser focused on Security Incident Response, Security Architecture, Compliance Audits, Vulnerability Management, Data Classification, Phishing and Threat Intelligence. Luis is securing the ‘front lines’ of the production environment, protecting critical infrastructure, gathering threat intelligence and implementing best-of-breed technology for start-ups as well as Fortune 50 organizations! Bringing to play his technical sales ability mixed with the presentation style of a trained theater actor! An Information Security Professional combining technical expertise with business value, wrapped in an orator’s cloak! Most of his time away from the keyboard, when Luis is resting, is spent on Texas cookouts and family! He lives in the suburbs of Cedar Park/Leander, Texas!
OWASP Austin Chapter Meeting January 2023
When: Tuesday, January 31st, 2023 @ 11:30 AM - 1:00 PM
Presentation: Cryptoparty (various speakers)
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision. In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned. At our January 31, 2023 OWASP Austin meeting, we will host a CryptoParty with the goal of inviting others to join us in learning about the tools and technologies that enable an individual's right to privacy. When the time comes, we will encourage you all to invite your family, friends, and peers to attend this event, but for now, I am looking for others who are willing to give a 10 minute max presentation on a crypto-oriented subject. The presentation will need to be laid out so that novice and experienced alike can take action based on the data presented. All tools must be free and open source. If you are interested in presenting, please e-mail me directly (do not reply to the list) with your name, bio, talk title, and abstract for consideration. This is going to be EPIC!
Speaker:
Josh Sokol (and others!)
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Unfortunately, the presentation was not recorded.
2022
OWASP Austin Chapter Meeting September 2022
When: Tuesday, September 27th, 2022 @ 11:30 AM - 1:00 PM
Presentation: Insider’s Guide to Mobile AppSec with OWASP MASVS w/ Brendan Hann
From the birth of MASVS and MSTG in January 2018 to the most recent updates, the OWASP Mobile Security Project has advanced the state of mobile app security testing dramatically. As supporters and contributors to the Mobile Security Project at OWASP, we have pen tested thousands of mobile apps and scanned millions of commercial apps in the app stores over the years… and have identified the most common security issues that plague developers and security teams. Whether you are new to mobile pen testing or a veteran looking for the latest tools and tactics, join this session to learn 10 keys to mobile appsec leveraging OWASP MASVS and practical real-world experience.
Speaker:
Brendan Hann
As Product Marketing Manager for NowSecure, Brendan Hann focuses on equipping developers, security professionals and DevSecOps teams with best-of-breed mobile app security skills, tools and resources. His career has focused on helping organizations deliver innovative, secure applications at scale. Brendan’s track record of success with application and security teams spans NowSecure, Veracode and PayPal. Brendan has presented at OWASP Los Angeles, OWASP Columbus, OWASP Global AppSec 2021, Connect 2021, and DevOps World 2021. With experience in both web and mobile application security testing, Brendan provides a unique perspective on best practices and the successful deployment of DevSecOps.
OWASP Austin Chapter Meeting August 2022
When: Tuesday, August 30th, 2022 @ 11:30 AM - 1:00 PM
Presentation: API Security: When Failure looks like Success w/ Keith Casey
In the last decade, APIs have become fundamental to our teams, partners, and customers. While we’d like to believe it all happened as a carefully executed plan, let’s be honest: There's as much luck as foresight in the mix. Luckily, success drives success so we’ve seen things explode in great ways. Unfortunately, that very success has cost us too.
APIs are becoming a consistent and devastating attack vector for applications that store everything from financial records to passport information to what you’re looking for in a date. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.
Speaker:
Keith Casey
Keith Casey serves on the Product/GTM Team at ngrok helping teams launch their systems faster and easier than ever before. Previously, he served on the Product Team at Okta working on Identity and Authentication APIs, as an early Developer Evangelist at Twilio, and worked to answer the Ultimate Geek Question at the Library of Congress. His underlying goal is to get good technology into the hands of good people to do great things. In his spare time, he writes at CaseySoftware.com and lives in the woods. He is also a co-author of “A Practical Approach to API Design.”
OWASP Austin Chapter Meeting July 2022
When: Tuesday, July 26th, 2022 @ 11:30 AM - 1:00 PM
Presentation: 10lbs of tacos in a 5lb bag: Lessons Learned from Security Operations in a Dynamic and Resource Constrained Environment
Building security processes and teams is never easy but can be especially challenging in an evolving, fast-paced environment. In this presentation, one of the nation’s leading experts in herding cats will share their experience building a security presence, essentially, from the ground up at a company in the middle of its own transformation. Then, they will discuss some of the lessons learned and other takeaways in hopes that it might aid some of you in your journey.
Speaker:
Garrett Gross, Lvl 42 security wizard
Garrett Gross has over 20 years of experience in information security. His shared passion for technology, problem solving, and people has led Garrett to some incredible opportunities in the past but currently is the driving force behind his efforts as Sr Director, technical sales, at Huntress. In this role, Garrett is focused on driving revenue growth by building a global network of technical experts to support the sales enablement processes and effectively communicate the value of Huntress’s service offering.
Prior to that, Garrett has held a variety of technical responsibilities, including technical support, systems administration, network engineering, penetration testing, tools development, and building/leading security operations teams.
Garrett also serves as advisor to several security firms, contributes regularly to podcasts/webinars, competes in CTFs, and looks for ways to mentor those starting out in the security industry.
OWASP Austin Chapter Meeting June 28th 2022
When: Tuesday, June 28th, 2022 @ 11:30 AM - 1:00 PM
Title: Anonymity on the Internet
Presentation providing information about anonymity on the internet.
Speaker:
Josh Sokol, Chief Executive Officer / Chief Information Security Officer, SimpleRisk
OWASP Austin Chapter Meeting May 31st 2022
When: Tuesday, May 31st, 2022 @ 11:30 AM - 1:00 PM
Title: Hack your APIs in 15 min or less
It is very hard, if not impossible, to secure something you don’t know exists. While security professionals spend countless hours on complex yet interesting issues that *may* be exploitable in the future, basic attacks are occurring every day with little to no review. For example, a “dated trend” by effective yet lazy hackers is to search for APIs unknown to security teams, coined “Shadow APIs”, connect to these APIs, and extract data. While SQL Injection used to be the hack of choice, as a few simple SQL commands would either mean “pay dirt” or “move on to the next target”, the same can be said for Shadow APIs... Find, Connect, Extract. This talk will discuss one of many methods that are used in the wild to target Shadow APIs and export large volumes of data with a few clicks of a button (or a few lines of Python code :). Attendees will learn about a very basic yet not-so-obvious problem in securing data, and how hackers are using creative methods to steal large volumes of data.
Speaker:
Himanshu Dwivedi is the CEO of Data Theorem, Inc., an application security company focusing on API Security (RESTful & GraphQL), mobile apps (iOS & Android), Cloud Apps (Serverless), and Single Page WebApps (SPAs). Himanshu has been an avid start-up entrepreneur since 1999, when he and 3 friends started the west coast office of @stake, an information security firm that was later acquired by Symantec. In 2004, Himanshu co-founded iSEC Partners, an application security company that was acquired by the NCC Group in 2010. Himanshu has several publications, including six different books (Mobile Application Security, Hacking VoIP, Hacking Exposed: Web 2.0, Hacker’s Challenge 3, Storage Security, and Implementing SSH), and is the owner of one patent (Patent number 7849504). He has also presented at numerous conferences, including six times as a BlackHat speaker. Himanshu received a B.S. from the Carlson School of Management (University of Minnesota), where he was awarded the Tomato Can Loving Cup Award, which is given to the school’s top graduating student.
OWASP Austin Chapter Meeting April 26th 2022
When: Tuesday, April 26th, 2022 @ 12:00 AM - 1:00 PM
Title: ‘Securing the Edge’
We are moving to a new era of compute that is more democratized than ever, underpinned by 5G networks, and focused on “things enabled” experiences. We are moving closer to the edge! Edge can bring network and security closer together. Compared with legacy security controls, edge security controls need to provide broader, more centralized visibility across the entire attack surface.
Speaker:
Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business revealed the findings of the most recent AT&T Cybersecurity Insights Report and discussed common architectures, use cases, and the perceived risk associated with edge deployments.
OWASP Austin Chapter Meeting March 29th 2022
When: Tuesday, March 29th, 2022 @ 12:00 AM - 1:00 PM
Title: Application security: Where it all started, where it is now, and where we (hope to) see it in 20 years
Twenty years ago acclaimed venture capitalist Ted Schlein at Kleiner Perkins asked a question that changed Roger’s life and ultimately changed the way we look at Security. The two would eventually found Fortify Software, the pioneering company that introduced SAST and RASP technologies to the market. Fortify also led an important change in thinking, a so-called “shift left”, placing security responsibility into the realm of software development. A lot has changed over those twenty years. In the early days, it was a challenge to give away software security solutions. Today, the leading software security companies are worth billions. Yet, problems still persist and the landscape for software development has become vastly more complex. In this talk, Roger will share experiences from the early days while working as Fortify’s co-founder & CTO and later in the RASP market as a board member and advisor to Prevoty. He will share advice and insights into how the market and the technologies started, how they have evolved and where they are headed. Roger and Ted are co-founders once again. They recently founded Ballistic Ventures, the early stage venture capital firm solely dedicated to cybersecurity entrepreneurs. In his new role, he regularly meets leaders from both commercial industry and government to better understand their security challenges. He also sees fascinating ideas from cyber entrepreneurs on a daily basis. He will also share insights into the challenges that are the most fertile ground for a new generation of entrepreneurs. He might even ask a question that changes your life too.
Speaker:
Roger Thornton is a driving force behind hundreds of technology products and services that have formed and grown companies across a range of industries. As a founder and CTO, his visionary product and technology leadership helped create cybersecurity industry leaders Fortify Software and AlienVault. As an investor, mentor and board member he has helped multiple generations of entrepreneurs build more than 15 successful cybersecurity companies. In his General Partner role at Ballistic, Roger will tap into over 30 years of experience to counsel future generations of cybersecurity founders who are focused on building great products as a foundation for great companies.
OWASP Austin Chapter Meeting February 22nd 2022
When: Tuesday, February 22, 2022 @ 12:00 AM - 1:00 PM
Title: Security Observability 101: Thinking Inside the Box!
Software is incredibly hard to secure because it's a black box. We've spent decades struggling to verify properties of software from the outside by analyzing the source code, scanning, fuzzing, pentesting, etc... The goal of "security observability" is to expose exactly what's going on inside the box while it's running. Analyzing a running application has speed, accuracy, coverage, and scalability advantages that change the way Dev, Sec, and Ops communicate and work together. In this talk, you'll learn how to use the free and open source Java Observability Toolkit (JOT) project to easily create your own powerful "inside out" security tests without coding. You can use JOT to analyze security defenses, identify complex vulnerabilities, create custom sandboxes, and enforce policy at runtime. Ultimately, security observability enables DevSecOps to work together in harmony, so you can focus on delivering value at high velocity.
Speaker:
Jeff Williams. Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by EY. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 10 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown. Please connect on LinkedIn: https://www.linkedin.com/in/planetlevel/
OWASP Austin Chapter Meeting January 26th, 2021
When: Tuesday, January 25th, 2022 @ 12:00 AM - 1:00 PM
Title: CryptoParty
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speaker:
Josh Sokol
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
And others!
2021
LASCON 2021
When: Tuesday & Wednesday, October 26-27, 2021 (Pre-Conference Training), Thursday & Friday, October 28-29, 2021 (Conference Sessions)
Where: Norris Conference Center, 2525 W. Anderson Lane, Suite 365, Austin, Texas 78757
It was great to be back to an in-person conference. Many thanks to those who attended!
OWASP Austin Chapter Meeting August 31st, 2021
Title: Securing Terraform State in an Azure DevOps Pipeline.
Terraform is a popular Infrastructure as Code ecosystem whose declarative and idempotent model relies on maintaining a state file which can contain sensitive information. The continuity and security of this file is important and this presentation discusses the investigation, lessons learned, thrills and chills of discovering how to secure and maintain this file in the context of corporate security requirements for a Fortune 75, Azure Cloud, and Azure DevOps.
Speaker:
Garth Boyd
Garth Boyd is a Senior Application Security Architect/Cloud Security Architect specializing in Secure Software Architecture and Ethical Hacking. He supports organizations wishing for a designer, creator, and breaker to help them on their security path. A lifelong learner, he enjoys crafting solutions to interesting and tough problems through architecture, threat modelling, mitigation design, and penetration testing. Researching new ideas, troubleshooting, communication, and thinking of six impossible things before breakfast are part of the journey. Currently, Garth is the OWASP Ottawa Chapter Leader and an independent consultant working through his own company called Devious Plan.
OWASP Austin Chapter Meeting July 27th, 2021
Title: Make Your MFA Simple.
The number of downloads for Google's mobile 2FA authenticator is ~ 50M. That sounds like a big number ... until you compare it with the overall number of Android users, which is 2.5B. The percentage of users utilizing the authenticator is around 2%. You can add other popular authenticators like Symantec VIP, MS, Authy, but the percentage will still be around 3%. Given that all popular Internet companies do support this type of 2FA, the question arises: why is adoption of these 2FA tools so low? I personally can't think of anything else except usability and natural human laziness. In my presentation I'll take a look at what's available and how usability of the authenticators can be improved to make them more popular and pervasive.
Speaker:
Oleg Gryb
OWASP Austin Chapter Meeting June 29th, 2021
Title: An alternative approach to security that will make you reassess everything you think you know about security, users, and your life.
Your security ideas are stupid - so I got some weird ideas and forced them to fit a narrative that shows that if we just do a Steve Jobs and "think differently" then maybe, just maybe, we can make a small dent in the security universe. As Abba once said, "Take a chance on me" because let's be honest, what's the worst that could happen? We could keep trying to do the same things and over the next 5 years the OWASP top 10 will look EXACTLY the same as it always has. Or we could try some of my radical ideas and the OWASP top 10 will look exactly the same. Or - bear with me - my radical ideas will change the world as we know it and future developers will laugh as to why the OWASP top 10 was even a thing back in the year 2021. In this talk, I shall convince you that:
- Psychology IS technology, and we need to understand people better
- Logical thinking is a bad idea
- Why maths makes us appear clever, but act dumber
Speaker:
Javvad Malik is a security awareness advocate for EMEA at KnowBe4. A security professional of 20 years, Malik began his career as an IT security administrator. He’s since worked as a consultant, an industry analyst, and a security advocate. Malik is well-known within the information security industry, having spoken at many events and conferences around the world in addition to being a YouTuber, podcaster, blogger, and researcher. With a distinctive style, he takes a fresh and often innovative look at even mundane topics and presents them in an entertaining and informative light. Tackling the most complex issues with ease in this witty style is Malik’s forte.
OWASP Austin Chapter Meeting May 25th, 2021
Title: Scale Your Security by Embracing Secure Defaults & Eliminating Bug Classes
We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way. Rather than investing in finding more bugs, some modern security teams are instead focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks that enforce invariants (properties that must always hold), organizations can solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:
- Choosing what to focus your AppSec resources on
- How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
- How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
- How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company
Speaker:
Emma Jin is a software engineer at r2c, the company that maintains Semgrep, an open-source syntax-aware code search tool. At r2c, she has added features to Semgrep, such as typed metavariables. Emma recently received her B.S. in Computer Science from Carnegie Mellon University, where she picked up her belief in code guarantees. In her free time, she likes to read, write, and relearn her abandoned childhood skills. She is perpetually working on a novel.
OWASP Austin Chapter Meeting April 27th, 2021
Title: Biometrics and Privacy
The business use of biometric identification technology is becoming more prevalent and, with its growing adoption, there is a growing number of state regulations concerning its use and related privacy and data handling issues. This talk will cover how biometric identification works in general and review the various state regulations and guidelines concerning how this unique form of personally identifiable information should be handled and stored.
Speaker:
Mary Haskett is the CEO and co-founder of Blink Identity, a venture-backed startup developing a unique privacy-preserving face recognition product that can identify people at a full walking speed and in any lighting conditions. She got her start running a skydiving school and went on to start multiple companies which she grew to profitability without outside funding. She is a beekeeper, Techstars alumni and privacy advocate.
OWASP Austin Chapter Meeting March 30, 2021
Title: Successful Customer Engagements using the OWASP Mobile Application Security Verification Standard
The team will be discussing Mobile Application Penetration Testing from the perspectives of original scoping and testing using OWASP’s Mobile Application Security Verification Standard, including the various tools and resources available on both Android and iOS. We will be discussing not just the OWASP standard, but also give advice on lessons learned through our engagements, highlighting several key issues and obstacles to consider for ensuring a successful experience for both the customer and your team.
Speakers:
Mark Spears, Solis Security - Sr. Security Consultant & Red Team Lead
Sam Danna, Solis Security - Security Consultant
Jon Adderholt, Solis Security - Security Consultant
Angela Lane, Solis Security – Project Manager
Mark, Sam, and Jon comprise the Offensive Security Operations (aka Red Team) at Solis Security, performing all sorts of engagements including Network, Web Application (plus Mobile, APIs, etc.), Spearphishing, Wifi, Hardware Hacking, and more.
OWASP Austin Chapter Meeting February 23, 2021
Title: AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Speaker:
Dan Cornell is a globally recognized application security expert with over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
OWASP Austin Chapter Meeting January 26th, 2021
When: Tuesday, January 26th, 2021 @ 12:00 AM - 1:00 PM
Title: CryptoParty
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF) wrote 'A Declaration of the Independence of Cyberspace' where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and on-going wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like TOR, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speaker:
Josh Sokol
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Mark Spears
Bertold Kolics
Bryn Schulke
2020
OWASP Austin Chapter Meeting October 27th, 2020
When: Tuesday, October 27th, 2020 @ 12:00 AM - 1:00 PM
Title: Mobile Security in a Remote World
Attacks on the endpoint are no longer limited to traditional endpoints like laptops and workstations; mobile devices have been ranked the #1 hardest enterprise asset to defend. Compounded by bring-your-own device policies, enterprises are struggling to protect themselves against a growing variety of mobile threats. In this session, we will dive into the challenges with securing mobile in the enterprise security space and the evolution of mobile device security. Join us to learn about why attackers are shifting to target mobile, validated by investigations from the Cybereason Nocturnus team, and how the enterprise security industry is moving to address them.
Speaker:
Allie Mellen has spent the past decade in engineering, development, and technical consulting roles at multiple venture-backed startups, as well as research roles at MIT and Boston University. Her passion is combining technology and entrepreneurship, having run her own successful iOS development company out of college and been an investment partner at a venture fund investing in student-run startups. She has worked with multiple nonprofits to teach engineering to students and minorities, including the Global App Initiative and WISP, and has mentored business students at Hult Business School. She received her B.S. degree in Computer Engineering, and has been recognized worldwide for her security research at conferences like Black Hat USA, DEFCON, HOPE, and others. She is now a security strategist in the Office of the CSO at Cybereason, where she is a frequent speaker at security conferences globally teaching about security and pushing the boundaries of the industry.
OWASP Austin Chapter Meeting September 29th, 2020
When: Tuesday, September 29th, 2020 @ 12:00 AM - 1:00 PM
Title: The Digital World War: Why You Need Military Veterans on Your Security Team
During this talk we will highlight some of the competencies needed for an effective cyber warrior and compare them with the skills forged through combat readiness training in the military. Furthermore, we will explore how we can create better security teams within our respective organizations to meet today’s information security needs. Finally, we will look at how cyber warfare is replacing traditional battlefields and how today’s transitioning veterans are looking for ways to continue the fight in the civilian world.
Speaker:
Sam Danna is a Security Consultant for Solis Security, an Austin-based security firm that performs DFIR, GRC, MSSP, and Penetration Testing. Sam is currently on the Red Team assisting in a variety of penetration testing projects. Prior to joining Solis, Sam served in the 82nd Airborne Division as a paratrooper in the infantry. Sam started his career in cybersecurity in 2019 after completing Microsoft Software and System Academy’s Cybersecurity Program.
OWASP Austin Chapter Meeting August 25th, 2020
When: Tuesday, August 25th, 2020 @ 12:00 AM - 1:00 PM
Title: Strong network anonymity with mixnets
This talk will motivate the need for anonymity at the network layer and introduce basic anonymity concepts and metrics that are applicable to communication settings. We will review the relevant adversary models and introduce mixnets, a type of anonymous communication system that protects communications against more powerful adversaries than Tor. We will explain the different features that need to be considered when designing mixnet routing protocols and introduce the Nym mixnet architecture, which is currently being developed and implemented by Nym Technologies SA and already available as a testnet.
Speaker:
Claudia Diaz is Chief Scientist of Nym Technologies SA and an Associate Professor at the COSIC research group of the Department of Electrical Engineering (ESAT) at the KU Leuven, where she leads the Privacy Technologies Team. She holds a Master's degree in Telecommunications Engineering at the University of Vigo (Spain, 2000), and a Ph.D. in Engineering at the KU Leuven (Belgium, 2005). Her research is focused on the design, analysis, and applications of technologies to protect online privacy, and in particular technologies that offer protection for metadata to prevent traffic analysis, tracking, localisation, or behavioral profiling. Detailed information is available here: Claudia Diaz
OWASP Austin Chapter Meeting July 28th, 2020
When: Tuesday, July 28th, 2020 @ 12:00 AM - 1:00 PM
Title: The Spice Must Flow: AppSec for DevOps
Your approach to application security will likely be dictated by your team’s role in the development process. Developers will usually gravitate to SAST and security engineers to DAST but what about everyone in between? Should DevOps try to adopt these strategies, modify them, or reinvent the wheel?
In this session, we’ll discuss several different approaches that you can take when rolling out your application security strategy that keep DevOps top of mind.
Speaker:
Garrett Gross received his first modem at age six and has been plugged in ever since. Today, he is a technical advisor for the VRM practice at Rapid7, specializing in application security. Garrett serves as an interdepartmental liaison, a global escalation layer for the practice, and provides technical enablement across all organizations. He has served in various information technology roles in a myriad of environments, ranging from systems administration in higher education to network engineering at security startups. Garrett has been a hacker and technophile his entire life, loving nothing more than discovering new ways to make and break things.
Youtube: Here!
OWASP Austin Chapter Meeting May 26th, 2020
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Architecting for Security in the Cloud
Emergency fill-in presentation: Josh presented on best practices and lessons learned from architecting SimpleRisk in cloud providers.
Speaker:
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, Information Security Program Owner at National Instruments, and now runs SimpleRisk. In his current role, Sokol manages all aspects of the application, infrastructure, architecture, and business roles for SimpleRisk. Prior to and during all of his roles, Josh has been a key community member for Austin OWASP as well as serving a four year term on the OWASP Global Board of Directors.
Youtube: Here!
OWASP Austin Chapter Meeting May 26th, 2020
When: Tuesday, May 26th, 2020 @ 12:00 AM - 1:00 PM
Title: Why is Organizational Change Management important in Cybersecurity for healthcare?
Digital transformation in the Health Sector has been underway for many years, and the issue of security has become increasingly problematic and costly to the healthcare ecosystem. New innovations and legacy systems alike create the need for stronger security to protect healthcare data. A 2013 Presidential directive placed healthcare in the critical infrastructure alongside other industries. Today, with Covid-19, it is more necessary than ever.
This talk covers why it is risky not to have a change model to help accelerate adoption and awareness of a better cybersecurity posture in healthcare, and how culture plays an important role in addressing cybersecurity in healthcare.
Speaker:
Hazel arrived in Austin under 2 years ago from the UK, having worked in healthcare for over 16 years. She is a highly organised leader, consultant and advisor in EPR deployments in both private and government organizations. Hazel specializes in architecting change to support business transformation, leveraging deep industry experience from heading up ventures in the UK, Ireland, and Europe. She brings value to organizations by ensuring operational readiness, driving faster adoption, and getting engagement from the right people to accelerate business change that delivers cost benefits in an efficient and effective manner. Her recent work here in the US has been in cybersecurity in healthcare with Health2047, the innovation and investment organization of The American Medical Association, where Health2047 is transforming healthcare to better protect patient healthcare data.
Youtube: Here!
OWASP Austin Chapter Meeting April 28th, 2020
When: Tuesday, April 28th, 2020 @ 11:45 AM - 1:00 PM
Title: Incident Response is haaaaard, But it doesn’t have to be – PREPARE NOW
So your EDR, AV, or other fancy shiny blinky lights security tools alerted you that a system has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you quickly and easily investigate it? You can enable a lot of things you already have for FREE to help you with your investigations, no matter the tools used. Let’s take a look at how we do Incident Response on a system and what you can do to prepare for an inevitable event.
How is your logging? Is it enabled? Configured to some best practice? (Hopefully better than an industry standard that is seriously lacking.) Have you enabled some critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all of your systems and retrieve the results? Do you block some well-known exploitable things? How do you know?
Everything mentioned here is FREE and you already have it!
This talk will describe these things and how to prepare, and be PREPARED to do Incident Response, yes, even for DevOps. A few tools will be discussed as well that you can use to speed things up.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the inevitable, an incident.
Speaker:
Michael Gough is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences, helping to educate on security that attendees can go back to work and actually do. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits Windows settings, harvests and reports on malicious Windows log data, and evaluates for malicious system artifacts. Michael also blogs at HackerHurricane.com on various InfoSec topics. For the infosec community at large, Michael ran the BSides Texas entity (managing BSides conferences in Austin, San Antonio, Dallas and Houston) for six years and led the Austin BSides conference.
OWASP Austin Chapter Meeting March 31st, 2020
When: Tuesday, March 31st, 2020 @ 11:45 AM - 1:00 PM
Title: Secure Application Development (with Cloud)
Most of us have developed software in one form or the other over our careers. Have we paid attention to all domains of the software lifecycle? This is a walkthrough of those domains that should span development from cradle to grave of any software development lifecycle, with a focus on security. We will follow that by a quick demo of how CI/CD and DevSecOps practices can help us address these concerns for deployment to cloud providers like AWS and Azure in a hybrid cloud environment.
Speaker:
Sam Gamare is an Austin, Texas-based Enterprise Architect who works for Dell Technologies. He has a broad IT background spanning two decades of experience in several roles across several different industries, from Fortune 500 companies (like Dell, General Motors, Citibank, JPMorgan, Wendy’s, and several others) to State government (Texas / Indiana). His work focuses on designing solutions that solve problems for his business customers, with solutions that span several technologies like .NET/Java/Open Source, across several development domains that include the database, network, security, and cloud-based deployments. He has a passion for security and development. He holds several certifications, including AWS Architect Associate, AWS Developer Associate, Certified Scrum Master (CSM), and CISSP. In his free time, he entertains himself with Raspberry Pi and tech books.
OWASP Austin Chapter Meeting February 25, 2020
When: Tuesday, February 25th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: Using Nmap’s XSLT switch to better organize result scan data
Nmap is an old friend and one of the most-used tools in our box. On scans against large-scale networks, identifying ports with web applications might be easy using some common command line switches, but gathering the normal output to enumerate and identify targets is difficult. This talk is about using Nmap's XML output switch combined with customized XSLT documents to save time and organize the output in a format, such as CSV, that provides penetration testers with richer analysis capabilities, or even HTML that is "report ready". We will look more closely at the XML output that Nmap provides (including NSE data) and learn how XSLT can be harnessed to derive usable custom documents. This talk will have application to some or all of the following OWASP Testing procedures:
- ASVS 9 Communication Security Requirements (9.1.1, 9.2.2)
- OTG-INFO-004 Enumerate Applications on Web Server
- OTG-CONFIG-006 Test HTTP Methods
- OTG-CRYPST-001 Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection
- …others, as NSE scripts are applicable, and the Penetration Testing Execution Standard
Speaker:
Mark Spears is a Sr. Security Consultant for Solis Security, an Austin-based security firm that performs DFIR, GRC, MSSP, and Penetration Testing, where he currently leads the Red Team doing a lot of IP-based and Web Application testing while mentoring his younger peers.
Throughout Mark's 20+ years in the industry, he has been a:
- Programmer in a wide range of compiled and scripted languages but focused mainly on the Microsoft stack
- Teacher at different schools on all topics of database design, coding, and web development.
- Entrepreneur who wrote payments software as a Level 1 PCI Gateway and served as acting CISO for 8 years until helping bring the company to a sale.
- Virtual CISO for several companies simultaneously including multiple banks providing monthly security services, audit support, and annual Risk Assessments based on GLBA or other needed compliance frameworks.
- Constant student and teacher seeking mentors while mentoring.
Austin Security Professionals Happy Hour sponsored by Sonatype and NowSecure, February 13, 2020
When: Thursday, February 13th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsors: Sonatype and NowSecure
OWASP Austin Chapter Meeting, January 28, 2020
When: Tuesday, January 28th @ 11:45 AM - 1:00 PM
Where: National Instruments, 11500 N. Mopac, Building C
Title: OWASP Austin CryptoParty!
In 1996, John Perry Barlow, co-founder of the Electronic Frontier Foundation (EFF), wrote 'A Declaration of the Independence of Cyberspace', where he stated "We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity." The Internet of today is an amazing place of knowledge and opportunity, but it unfortunately falls short of Mr. Barlow's original vision.
In the 21st century we face problems of climate change, energy crisis, state censorship, mass surveillance, and ongoing wars. We must be free to communicate and associate without fear. To realize our right to privacy and anonymity online, we need peer-reviewed, crowd-sourced solutions. CryptoParties provide the opportunity to meet up and learn how to use these solutions to give us all the means with which to assert our right to privacy and anonymity online. Topics include technologies like Tor, full-disk encryption, GPG, and many more. CryptoParties are free to attend, public, and not commercially aligned.
The Austin Chapter of the OWASP Foundation invites you to join us for our CryptoParty where you will learn the tools and techniques to keep you safe from prying eyes.
Speakers: Josh Sokol, Sam Gamare, Pradeep Nambiar
Austin Security Professionals Happy Hour sponsored by Pure Storage, January 9, 2020
When: Thursday, January 9th, 5:30 pm - 7:30 pm
Where: Brass Tap @ Domain Austin, 10910 Domain Dr, Austin, TX 78758
Sponsor: Pure Storage