← Older revision
Revision as of 21:52, 24 March 2015
Line 24:
Line 24:
Schedule:
Schedule:
+
9:15 - 9:30
9:15 - 9:30
−
+
Welcome, Sign-in,
kickoff
−
Welcome, Sign-in,
Kickoff
+
−
+
−
+
9:30 - 10:30
9:30 - 10:30
−
+
Keynote
, Scaling an Application Security Program
−
Keynote
+
−
+
Glenn Leifheit, Principal Security Architect, Microsoft
Glenn Leifheit, Principal Security Architect, Microsoft
−
+
One of the largest challenges today is the rapid change in speed of software. We will journey on the path of accelerating but maintaining security, From Small Startup to Largest Enterprise, From Waterfall to Agile. Along the way there will be lessons learned, from successes and failures. What steps can you take to bring security to the next level. Application security is not an easy profession, let’s learn together to take us all to the next level.
+
About Glenn
+
Glenn Leifheit is Principal Security Architect for Microsoft Information Technology's ACE (Assessment, Consulting and Engineering) Team. In this role he provides security advice to Microsoft internally as well as external customers. Prior to joining Microsoft, Glenn created, developed and led the application security program for FICO (Fair Isaac Corporation). He also lead FICO’s PCI program. He is also a former co-chair and current member of (ISC)2 Application Security Advisory Council where he helps evangelize for strong application security and advocates for change throughout the industry. Through Glenn's 20 year career in information technology he has focused on security, architecture, OS and middleware design, and operations along with software development. Glenn holds both a CISSP and the CSSLP certifications. He is also passionate about evangelizing security practices to the development community, engaging in over 50 conferences, users groups and code camps as a speaker or panel member. Glenn is also a founding member of TechMasters, a Toastmasters group designed to create a technical speaker community.
10:30 - 11:30
10:30 - 11:30
−
Maximizing Security with Minimal Resources
Maximizing Security with Minimal Resources
+
Chris Maier, Principal Architect, Rackspace
−
Chris Maier
,
Principal Architect
,
Rackspace
+
Ever wonder how to intelligently spend your security dollars on the systems that matter most? Are you faced with the common problem of " I don't have an unlimited security budget but I am required to secure all the things"? This session will present concepts, methodologies, and tooling to help you identify your critical systems, set a prescriptive value on your data assets, and rank the systems and information in a way that helps highlight where you should focus your security efforts and dollars. We will also cover how to present this information in a manner that is more business focused, and to ensure that the business understands the risk vs. reward of securing and protecting each of the assets.
+
About Chris
+
Chris Maier
is a
Principal Architect
at
Rackspace
, and in his current role helps design and implement shared infrastructure systems in a secure and compliant manner. Chris has nearly 18 years of production operations experience on a variety of systems including email, identity, databases, directory servers, and a variety of applications servers. Chris has written scripts and code in Bash, VB, Java, C, C++, and a little python for many of the systems he has supported over the years. Because of the 10 plus years spent on identity and authentication systems, Chris is very cognizant of and familiar with a wide variety of security issues and security best practices. Some of Chris' previous positions have included primary DBA for a SOX & PCI compliant billing system, identity infrastructure lead engineer, hosted exchange lead engineer, infrastructure systems lead engineer, and eLearning lead engineer.
−
11:30 - 12:45
+
11:30 - 12:45
Lunch (provided)
Lunch (provided)
+
12:45 - 1:45
12:45 - 1:45
−
Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn’t Suck
Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn’t Suck
+
Josh Sokol, Information Security Program Owner, National Instruments
−
Josh Sokol
,
Information Security Program Owner
,
National Instruments
+
As security professionals
,
almost every action we take comes down to making a risk-based decision. Web application vulnerabilities
,
malware infections, physical vulnerabilities, and much more all boils down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set.
+
The lucky security professionals work for companies who can afford expensive GRC tools to aide in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time consuming, and just plain sucks. After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. SimpleRisk is a simple and free tool to perform risk management activities.
−
1:45 -
2:
45
+
Based entirely on open source technologies and sporting a Mozilla Public License
2
.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http
:
//www.simplerisk.org. With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.
−
Automating Security Tests
with
Selenium
+
About Josh
+
Josh Sokol, CISSP, graduated from the University of Texas at Austin
with
a BS in Computer Science in 2002. Since that time, he has worked for several large companies, including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Sokol manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Sokol created the free and open source risk management tool named SimpleRisk, has spoken on dozens of security topics including the much-hyped “HTTPSCan Byte Me” talk at Black Hat 2010, and currently serves on the OWASP Global Board of Directors.
+
+
1:45 - 2:45
+
Automating Security Tests with Selenium
Brady Vitrano, Lead Quality Engineer, Rackspace
Brady Vitrano, Lead Quality Engineer, Rackspace
−
Charles Neill, Security Engineer, Rackspace
Charles Neill, Security Engineer, Rackspace
+
+
Rackspace Quality and Security Engineers are building a framework to automate both functional testing and security testing within the browser. To learn about the basics, this presentation looks at our approach to automating functional testing and security testing for web applications. You will learn about Selenium, and how to write some tests of your own. We will also teach you how to run your test cases using a Selenium grid to speed up the testing process.
+
About Brady
+
Brady is an aspiring mad scientist.
+
+
About Charles
+
Charles is a Security Developer - Test II for Security Engineering team at Rackspace. He enjoys finding new vulnerabilities in everything from webapps to smart TVs.
+
+
2:45 - 3:45
2:45 - 3:45
−
Making Security as Agile as Development: Adding DevOps and TDD to your security program
Making Security as Agile as Development: Adding DevOps and TDD to your security program
−
Matt Tesauro, Application Security Leader, Pearson
Matt Tesauro, Application Security Leader, Pearson
+
Software and application development are not slowing down. Is your AppSec program able to keep pace? With agile development, continuous deployment, DevOps, and Cloud the pace of change in the software industry has only increased. As as AppSec professional, you face rapidly delivered services while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment.
−
3:45 - 4:00
+
In this talk will cover how Matt has put these practices in place at Pearson after doing similar work at Rackspace. What are the key ways to keep your AppSec program agile enough to keep up with the pace of change today. Methods will be discussed for securing infrastructure, apps, APIs and source code. Even if you are not in the DevOps, CI/CD world today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".
+
About Matt
+
Matt Tesauro is the Application Security Lead Engineer at Pearson and was previously the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He has also presented and provided trainings at various international industry events including DHS Software Assurance Workshop, OpenStack Summit, SANS AppSec Summit, AppSec US, EU and LATAM. His work has included security consulting, penetration testing, threat modeling, code reviews, training and teaching at Texas A&M University. He is a former board member of the OWASP Foundation and project lead for OWASP WTE project, a collection of application security testing tools. He holds two degrees from A&M University and several security and Linux certifications.
+
3:45 - 4:00
Close
Close
+
+
+