AppSec Europe 2018 has ended

CISO
Thursday, July 5

10:15am BST

Current Research and Standards for Security Automation

Today, securing an enterprise involves collecting and sifting mountains of data to defend against attackers moving at network speed. Automating aspects of enterprise security is the only way to deal with this situation at scale, but the term "security automation" is frequently overhyped and the promised benefits are often hard to realize. This talk will provide an overview of several ongoing security automation efforts that are supported by the US government and international standards bodies. These efforts seek to provide concrete advances that can support a faster, more efficient, and more effective way to defend networks through automation with the creation and promulgation of open specifications that can be employed by all nations and vendors.

Charles M. Schmidt

Group Lead, The MITRE Corporation
Charles Schmidt is a Group Lead at the MITRE Corporation, where he has worked for over 18 years in the field of cybersecurity. He has spent most of that time supporting security automation research and developing cybersecurity standards. He holds a Bachelor's degree in both Mathematics...

Thursday July 5, 2018 10:15am - 11:00am BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

IoT Stakeholder Role in Compliance of GDPR

This talk will take GDPR compliance away from just the data operator and data controller and show how all stakeholders have a role to play in IoT device security and compliance. The devices this talk will focus on are those related to smart buildings, smart cities, etc.
The talk will consider secure by design, privacy by design, secure procurement, secure installation, and secure configuration.
This talk will be based on some of the content from a White Paper I'm writing, to be available in early May, before the EU GDPR is due to be enforced.
As this talk is based on a White Paper, I can adapt it as necessary, but I believe that the focus should deviate from the fact that every stakeholder involved in supplying corporate organisations with "smart" solutions has a role to play in ensuring that the solution is not only secure at manufacture but has also been installed and configured correctly for the environment it is operating in.

Sarb Sembhi

CTO & CISO, Virtually Informed
I came into security from a development background. I researched the vulnerabilities of network CCTV systems 10 before it became fashionable to do so. I have been involved with IoT-related projects for many years, especially Smart Building and Smart City projects. I'm very interested...

Thursday July 5, 2018 11:00am - 11:45am BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Deconstructing Threat Modeling

Threat modelling has now been recognized as one of the core foundations of a solid architectural security program. Yet as the technique has spread, so too has the confusion over what it actually entails. Contradictory methodologies and advice are everywhere, and it often seems like no two people have the same definition of threat modelling.
Yet out of this confusion there can come opportunity. The one thing these different approaches all have in common is that they all benefit the people using them. Can we take advantage of that to break these approaches down and use the parts to build a process that suits our case, rather than trying to apply a "one size fits all" approach?
In this session we'll get back to basics on what a threat model is, and then look at how we can apply different techniques to drive out threats. We'll also go into the different ways that threats can be organized and used once they've been identified, and how modern Agile testing techniques can help us verify our models. Finally we'll apply this approach to an unorthodox situation for threat modelling, and see how being flexible can help you design a process to fit your situation, rather than trying to force yourself to fit a process.

Ciaran Conliffe

Technologist, Liberty IT
Ciaran is a technologist at Liberty IT, a Belfast and Dublin based company that focuses on creating world class IT solutions for parent company Liberty Mutual. There he’s been working in the space between development and security for the last seven years, after ten previous years...

Thursday July 5, 2018 11:45am - 12:30pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

Development to Risk Management Dashboard: Managing Cyber Risks in an Agile Environment

One of the most challenging tasks Information Security management has in a competitive agile development environment is how to measure cyber risks.
Following NIST standards on this subject, security teams assess risk using these frameworks, but very little is explained about how to do this in practice, such as:
  • How to assess cyber risks when teams use Agile methodologies?
  • How to do proper monitoring using Agile tools such as JIRA?
  • How to make use of SecDevOps pipeline tools to achieve this?
In this training, we will go from the theory of risk management frameworks to real scenarios and tools, and how to apply practical solutions in an always changing, agile environment.

Johanna Curiel

Security Engineer and Researcher, Mobiquity
Johanna Curiel is a security engineer and researcher with 18 years of experience in programming, testing and quality control. Her early encounters with hackers and cybercrime were a turning point in her career to work in the area of cyber security. Between 2005 and 2007, she worked as...

Thursday July 5, 2018 1:30pm - 2:15pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Threat Perspectives

Jacky Fox - Cyber Lead, Deloitte Ireland & Gina Dollard – Cyber Threat Intelligence Lead, Allied Irish Bank

Gina and Jacky will share their perspectives on threat intelligence based testing and red teaming. Intelligence based tests mimic the tactics, techniques and procedures (TTPs) of real attacks against high risk assets, helping organisations focus their testing where it matters most. Jacky’s role leading the Deloitte Cyber practice in Ireland gives her insight into how organisations from multiple sectors are benefiting, and can benefit, from using threat intelligence to focus their testing, and she will share her thoughts on how to make this work. Gina leads the cyber threat intelligence team for Allied Irish Bank and will share her experience of putting threat intelligence based testing into practice in a financial services organisation. The new TIBER-EU framework will bring common standards across Europe in this area and will accelerate the demand for this type of service.

Gina Dollard

Division Head Cyber Threat Intelligence, Allied Irish Banks (AIB)
Ms Dollard is Head of Threat Intelligence for AIB. In her current role she has established and manages the threat intelligence and security incident response functions. The Threat Intelligence Team provides actionable intelligence to highlight cyber risks to the business; performs...

Jacky Fox

Cyber & IT Forensic Lead | Risk Advisory, Deloitte
Jacky Fox leads the cybersecurity and IT Forensic practice for Deloitte in Ireland. Jacky lectures on the MSc in Cyber Security at University College Dublin. She has 20+ years’ experience working in technology and security, and advises leading Irish and international organisations...

Thursday July 5, 2018 2:15pm - 3:00pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Adding Privacy by Design in Secure Application Development

We will address the complex GDPR challenges for developers as part of a Secure Development Lifecycle.
This will cover:
• GDPR requirements covering design, data lifecycle, users and end of life aspects
• Privacy by Design challenge
• Including GDPR in the Secure Development Life Cycle
• Mapping OWASP SAMM to the GDPR
• Integrating privacy in application security classification, awareness training, guidelines, AppSec champions, threat modeling, 3rd parties, security testing and incident management
• Introducing GDPR risk patterns
The talk will focus on practical implementation aspects and demonstrations of real life use cases encountered in our software security and privacy projects.
Sebastien Deleersnyder (@SebaDele), Managing Application Security Consultant at Toreon, will share his practical secure development and privacy challenges experience. Sebastien led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.
(attached is the version as delivered in Feb 2018, which will be updated for the AppSec Europe conference)

Sebastien Deleersnyder

Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more...

Thursday July 5, 2018 3:30pm - 4:15pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

Friday, July 6

10:15am BST

A View from Above: How Organizations Are Managing their AppSec Program

Assuring application security (AppSec) is much more than a technology problem – it requires coordinating the actions of numerous people, which means organization and process. Roles and responsibilities must be defined; budgets must be approved; people need to be hired, educated, and enabled to develop skills; culture needs to be created; tools need to be selected and acquired; and policies and processes must be defined.
Do you wonder how others are wrangling this challenge?
In this presentation, we will present insights and observations from a study of AppSec program management. In 2017, we reviewed over 75 published articles and talks and interviewed 16 application security practitioners to understand the problem space AppSec practitioners face. We learned a lot and will share our observations of the boundaries used to define the scope of an application security program, the goals of the people responsible for assuring the security of application software, the metrics and measurements that they employ in the pursuit of these goals, and the tools that they use to measure and track application security metrics.

Chris Horn

Code Dx, Inc.
Chris Horn helps guide product development at Code Dx and is a Researcher at Secure Decisions, an R&D division of Applied Visions. Code Dx Enterprise helps teams prioritize and manage security vulnerabilities by providing a single set of correlated results in a powerful application...

Friday July 6, 2018 10:15am - 11:00am BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Threat Modeling for IoT Systems

The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of sensitive personal data to significant risk. In addition, IoT security is not only about the code running on the device. These IoT devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries gives system designers critical information for mitigating systemic risks to the technology and architecture. This presentation looks at how threat modeling can be applied to IoT systems to help build more secure systems during the design process, as well as how to use threat modeling when testing the security of IoT systems.

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies...

Friday July 6, 2018 11:00am - 11:45am BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Seconds out! When algorithms don’t play nice with our applications and lives.

This talk isn’t a detailed technical talk and does not require prior knowledge of Machine Learning or Artificial Intelligence. AI-based algorithms have proved to be very successful at learning to do very complicated tasks, including playing games like Chess, Atari games from the 80s, and Go. It is only a matter of time before these same techniques get applied on the offensive side to attack and exploit applications. On the flip side, there are a number of solutions that claim to use AI and machine learning to defend against those pesky hackers, let alone those persistent computer algorithms. The reality is that the odds are stacked against the defenders, with the AI and machine learning problem more suited to offensive than defensive applications. This presentation takes a high-level look at the state of the art in machine learning and AI with respect to application security, examining how these may be used in both offensive and defensive applications. The presentation will examine how clever algorithms, including reinforcement learning and math hacks, may be used to trivially evade state of the art defensive applications. We also look at what our defensive options are. The presentation finishes by predicting where all this may lead and the impact on application security.

Key takeaways from the presentation are:
  • A very high-level understanding of key concepts
  • An introduction to the new threat models that AI & ML may introduce
  • Some insight to help you ask the right questions of your suppliers, by hopefully imbuing a healthy level of scepticism around some outlandish claims
  • Thoughts and practical examples on the type of problems AI & ML can solve
  • Predictions on where I believe this is all going, by drawing analogies to the cybersecurity world
  • A high-level roadmap on how to get up to speed with AI & ML, as I believe this will become as core to most jobs as computing is today
  • Some suggestions for next steps every business should take

Warning: The presentation does contain gratuitous references and images of Zulus, cats, Zombies and Charlie Sheen.

Etienne Greeff

Founder & CTO, SecureData Europe
I became involved with the information security industry long before it was a thing, having founded and grown a number of information security businesses over the past 20 years. It is with increasing bewilderment that I observe how computer science, mathematics and engineering are rapidly...

Friday July 6, 2018 11:45am - 12:30pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

The Consequences of Poor Security of the Hospital Sites

Hospitals are attractive places for criminal hackers. With access to critical medical records and personally identifiable information, there is great opportunity to exploit the patients and the employees. I see vulnerabilities on all levels and in all roles and locations in the hospital – on the hospital site, in software, in devices, and with humans. The consequences of bad security are huge and can cause harm, both to patients and to employees. Criminal behaviour can go unnoticed for long periods. Without proper security controls, patient records can be manipulated. You can imagine the consequences that could follow. The hospital site is used not just for sharing information about the hospital but also for sharing medical documents and for communication between the patients themselves and the medics, as well as for private, professional or educational talks between medics from inside and also outside the hospital. Enough reasons to understand that we need a really well-secured site. Sadly the situation isn't as good as we hope and want it to be. In this presentation we would like to present:
1. The research on the sites of 97 hospitals in the Netherlands and 100 hospitals in the USA. The research covered HTTP/HTTPS SSL certificates using Mozilla's Observatory, over IPv4/IPv6.
2. The repeat research a year later and its results. In this research nmap was used too.
3. The technical details of what information on the site can be manipulated and how, by Xavier Mertens and John Opdenakker. They will also show the demo.
4. The organisation and communication problem: communication from outside (reports) with the IT department, trying to reach the people from infosec; and the organisation at the hospitals that should also care about security of the site.
5. The consequences, for the patient and for the employee.
6. Connecting the research to the OWASP Top 10.
Security needs to be built from the ground up, starting with making the hospital sites secure and thereby creating a safe online environment in healthcare.

Xavier Mertens

Freelance Cyber Security Consultant, Xavier Mertens Consulting
Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers’ assets by applying “offensive” (pentesting) as well as “defensive” security (incident handling, forensics, log management, SIEM, security visualisation...

Jelena Milosevic

Paediatrician and ICU nurse
Jelena Milosevic is a paediatrician and ICU nurse with a lot of experience, having worked at many different hospitals in the Netherlands since 1995, and before that having spent 10 years working in the ICU at the University Children's Hospital in Belgrade. Over the past three years...

Friday July 6, 2018 1:30pm - 2:15pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Security is Everybody's Job... Literally.

In DevOps everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”: automating and/or improving the efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody's job.

Tanya Janca

CEO and Founder, We Hack Purple
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and weekly podcast that revolves around creating secure software. Tanya has been coding and...

Friday July 6, 2018 2:15pm - 3:00pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Regular to Enterprise-Ready Apps with Cybersecurity APIs

Applications often struggle to break into the enterprise sector because they are missing vital compliance and data protection features. Without knowing what sensitive data their applications store and how it is used, their makers cannot meet the rigorous requirements of business applications.
The solution to this predicament is, of course, to include security features in applications, but that implies a lot of extra work and time going into the build process. But what if there was another, easier way to do it? APIs, cloud services and RAD methodologies have become common in development, after all. Why not solve the problem through cybersecurity APIs and well documented SDKs?
Firstly, because very few existed, and even those that do usually offer very limited applicability. Until now, that is.
As a Software Architect and Security Engineer, I lead the development of ground-breaking APIs for sensitive data analysis and classification that were born out of my vision for more data-secure applications, starting at platform level. These APIs allow developers to inject cyber security features at the core of tools and applications, with full SDKs and language-specific sets of tools and helpers. They discover sensitive data with protection and compliance profiles for HIPAA, PCI-DSS, GDPR, and others, and use a scanner to create a solid, risk-free application with minimum development effort. Personal and corporate-owned data can also be separated through a classification module that uses advanced data modeling techniques and machine learning.
In my presentation, I want to talk about and show attendees how these APIs can be added to existing applications using just language-specific SDKs, to simplify the road to enterprise-readiness and offer applications a boost in security.

Ovidiu Cical

Security Architect, https://cyscale.com
OWASP Cluj (Transylvania) Chapter (Leader since 2018). Cybersecurity enthusiast with 15 years of experience in the field of information technology, working with Go, Big Data, Python and Linux. I worked as a Software Developer at Sophos/Astaro and as a Software Security Engineer at CoSoSys, where...

Friday July 6, 2018 3:30pm - 4:15pm BST
Abbey - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE