I’m looking forward to seeing everyone next week at OWASP AppSec California in Santa Monica and hearing some of the great talks planned, but I’m mostly interested to see if Zach Lanier wears the same fabulous onesie (It’s probably a sweater, but I’m holding out hope that it’s a onesie) he is wearing in his profile picture.
I’m speaking on Wednesday at 11:30am, I’ll be demonstrating the new vulnerable test app, Hackazon. Join me for “Hackazon – Stop hacking like its 1999”. If you will be attending the conference this year, please find me and tell me what you were hacking in 1999!
I was excited to see that there are more and more women speaking at these security conferences. Here is a list of the women speaking next week.
Ksenia Dmitrieva from Cigital – Fixing XSS with Content Security Policy
Adrienne Porter Felt from Google – Making SSL Warnings Work
Kelly Lum from Tumblr – .NET Reversing and Exploitation for Cool Kids
Katie Moussouris from HackerOne – Keynote
Parisa Tabriz from Google – Chrome Security Health & Wellness
Ping Yan from Salesforce.com – Devil in the Haystack
Well, what seemed like a lot is actually only about 11% (6 out of 56). Even so, it’s great progress considering that a few years ago having even just one was great to see.
There are many great talks, and for some hours there are some tough choices to make. The only easy choice is Wednesday at 11:30am. Here is my planned schedule for the conference.
Tuesday
9:30am: Opening keynote by Alex Stamos from Yahoo. I’m actually planning to arrive on time for a conference for the first time in my life, just to hear this keynote from Alex.
11:00 am: “Fixing XSS with Content Security Policy” by Ksenia Dmitrieva from Cigital. It looks like Ksenia can dance circles around most of us when it comes to CSP, so I am looking forward to learning from her.
12:00: I’m struggling to choose between these two talks from Caleb Queern and Devdatta Akhawe.
Option 1: “No Better ROI: HTTP Headers for Security” by Caleb Queern from Cyveillance looks interesting enough to ignore the lame buzzy business term ROI.
Option 2: “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” by Devdatta Akhawe (https://twitter.com/frgx) from Dropbox. The security of these online password managers is a personal curiosity to me.
1:45pm: I am looking forward to hearing about “Levelling up an application security program” by David Rook from Riot Games. [I will even try to refrain from playing League of Legends while he’s talking].
2:45pm: Hoping to see an awkward onesie, I will be sitting in on “API = Authentications Poorly Implemented” by Zach Lanier from Accuvant who I mentioned previously. I really hope he discusses solutions such as WSDL 2.0 for REST, WADL and Swagger.
4:15pm: “Making SSL Warnings Work” by Adrienne Porter Felt (https://twitter.com/__apf__) from Google. Adrienne is part of the Chrome security team, and I’m sure this will be centered around SSL for web browsers, but I would like to ask her about the topic of security notifications for mobile apps as well.
5:15pm: This is another tough choice for me. I am interested in “The Savage Curtain : Mobile SSL Failures” by Tushar Dalvi and Tony Trummer from LinkedIn. But I am not sure I can handle two straight hours of SSL talk, I am curious how their “attack” differs from the one presented by Yair Amit and Adi Sharabani at AppSecUSA 2014, “Mobile Security Attacks: A Glimpse from the Trenches.”
My alternate option will be “We All Know What You Did Last Summer: Privacy and the Internet of Things” by Ken Westin from Tripwire. I am a huge fan of the IoT topic, and this looks like an interesting aspect of it.
Wednesday
9:30am: Opening keynote by Katie Moussouris. OK, I think Katie is awesome, but there’s probably no chance I will get up early enough two days in a row to fight rush hour(s) traffic (driving from Orange County) to be able to see this one.
10:30am: I will likely be trying to do last minute work on my slides, but will likely sit in on “Chrome Security Health & Wellness” by Parisa Tabriz from Google. The other talk that looks interesting is “Caspr and Friends (Content-Security-Policy Reporting and Aggregation)” by Stuart Larsen from MTU, if I am up for more CSP after Ksenia’s talk on Tuesday.
11:30am: “Hackazon – Stop hacking like its 1999” by the brilliant and talented Dan Kuykendall from NT OBJECTives. Be there or be square!
Don’t be tempted to check out any other talk during this hour, because rest assured you won’t miss anything! Jim Manico will just be waxing poetic about SSL hacks and how doomed we all are. Patrick Wardle will just be talking about that old mobile crap that only *everyone* is interested in. And Jeff Williams will just be making brilliant points about applying CI concepts to security. Boring! (j/k)
2:00pm: “Building a Modern Security Engineering Organization” by Zane Lackey from Signal Sciences.
“How Building a Better Hacker Accidentally Built a Better Defender” by Casey Ellis from Bugcrowd. I think these bug bounty programs are a very interesting new
3:00pm: “DevOps, CI, APIs, Oh My!: Security Gone Agile” by Matt Tesauro from Pearson. Matt is a sharp guy, and I have appreciated his work since his days at Rackspace, so I am looking forward to hearing Matt’s view on this topic that I have been focusing a lot of our company’s efforts on. I think this is a critical piece of the security puzzle. Unfortunately I will have to miss out on the SQLViking talk, but look forward to getting my hands on that tool (plus some free time).
4:00pm: “Why Do We Suck at Infosec?” by Charlie Miller from Twitter. I appreciate these chances to step back from our good efforts to examine some of the stupidity we have accepted as baseline practices. Sometimes those baselines are facts we have to deal with, but sometimes we need to simply look at the problem differently and adjust accordingly.