AppSec Europe 2018 has ended

DevOps
Thursday, July 5

10:15am BST

Making Continuous Security a Reality with OWASP’s AppSec Pipeline

You’ve probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools needed to actually start that testing? This talk does exactly that. It provides an overview of the open source AppSec Pipeline tool, which has been used in real-world companies to do real security work. Beyond a stand-alone tool, the OWASP AppSec Pipeline provides numerous Docker containers ready to automate, a specification to customize with the ability to create your own implementation, and references to get you started.
The talk will also cover how to add an AppSec Pipeline to your team’s arsenal and provide example templates of how best to run the automated tools provided. Finally, we’ll briefly cover using OWASP Defect Dojo to store and curate the issues found by your AppSec Pipeline. The goal of this talk is to share the field-tested methods of two AppSec professionals with nearly 20 years of experience between them. If you want to start your DevSecOps journey by continuously testing rather than hearing about it, this talk is for you.


Matt Tesauro

Matt Tesauro is currently establishing an SDLC at a large healthcare software provider. Prior to his current role, he was a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Previously, he was a founder and CTO of 10Security, a Senior...

Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks...

Thursday July 5, 2018 10:15am - 11:00am BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Continuous Kubernetes Security

Now that we have passed "peak orchestrator" and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi-tenanted infrastructure safely? And how can we be sure what we configured yesterday will be in place tomorrow? In this talk we discuss:
- the Kubernetes security landscape
- risks, security models, and best-practices
- how to configure users and applications with least-privilege
- how to isolate and segregate workloads
- persisting configuration across cluster rebuilds


Andrew Martin

Security Engineer, Control Plane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native system, and has battle-hardened...

Thursday July 5, 2018 11:00am - 11:45am BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Detecting and Preventing Malicious Domain Registrations in the .eu TLD

In this talk, we report on an extensive analysis of 14 months of domain registrations in the .eu TLD. In particular, we zoom in on domain names that are registered for malicious purposes (such as spam, phishing, botnet C&C, ...). The goal of our research is to understand and identify large-scale malicious campaigns, and to detect and prevent malicious registrations early.
Overall, the dataset of this study contains 824,121 new domain registrations, 2.53% of which have been flagged as malicious by blacklisting services. We explore the ecosystem and modus operandi of elaborate cybercriminal entities that recurrently register large numbers of domains for one-shot, malicious use. Although these malicious domains are short-lived, we establish that at least 80.04% of them can be framed into 20 larger campaigns with varying duration and intensity. We further report on insights into the operational aspects of this business and observe, amongst other findings, that their processes are only partially automated.
In the last part, we report on our most recent results. Based on the insights of the analysis, we have conceived and developed an automatic prediction system that classifies at registration time whether a domain name will be used for malicious or benign purposes. As such, malicious domain registrations can be detected and prevented before they do any harm. As part of the talk, we will present the first results of this prediction system, which currently runs in production at EURid, the registry of the .eu TLD.


Lieven Desmet (KU Leuven)

Senior Research Manager, KU Leuven
Lieven Desmet is a Senior Research Manager on Software Secure at the imec-DistriNet Research Group (KU Leuven, Belgium), where he coaches researchers in (web) application security and participates in dissemination and valorization activities. His interests are in security of middleware...

Thursday July 5, 2018 11:45am - 12:30pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

Don't Feed the Hippos
The security community has been trying to solve the insecurity caused by bugs and flaws in software for many years now, but with what success?
We almost never look at the successes and failures experienced in other areas, but we could really learn from them. This talk is inspired by Ernesto Sirolli’s TED talk “Want to help someone? Shut up and listen!” about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code. This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are.
Using the hippo analogy for security failures, during the talk those ‘(in-)secure hippos’ are identified and advice on how to avoid them is provided, drawing on anecdotes and best practices from the speaker's past 10 years of experience in the security field as a consultant.


Martin Knobloch

Chairman of the Board, OWASP Foundation

Thursday July 5, 2018 1:30pm - 2:15pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

How Leading Companies Are Scaling Their Security

The last decade has seen significant changes in how organizations develop and release software: fleets of servers are provisioned programmatically and new code is pushed to production dozens of times a day. Oftentimes, developers outnumber security engineers by 100:1 or more. How do you keep up?
Join us as we share pro-tips and actionable lessons learned from a number of San Francisco Bay Area software companies with mature security teams. Topics discussed will include:
* Effective ways to get buy-in for new security requirements from security management, security engineers, and developers
* High value engineering projects that can prevent classes of bugs
* An overview of static and dynamic analysis, fundamental trade-offs, and tips on building your own
* How and where to integrate static and dynamic analysis into the CI/CD process to find potential dangers quickly and reduce risk
* Monitoring in production tips - detecting users with malicious intent and adding telemetry to detect successful attacks
* Open source tools that help with one or more of the above, and more
Attendees will leave with specific steps they can take to improve their organization's security posture, some perspective on how other companies have addressed common security challenges, and a few longer-term, more ambitious security process goals.


Clint Gibler

Research Director, NCC Group
Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies...

Thursday July 5, 2018 2:15pm - 3:00pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Medieval Castles in I.T. Security

What can IT security learn from the construction of medieval castles? The situation with IT security is pretty bad. The thesis of this talk is that our discipline is so young that our ideas have not had the time to prove themselves. The evolution has only just begun. Let's look at other security architectures and see if we can learn from them. And given that I have a PhD in Medieval History, castles spring to mind. I presented a 20-minute version of this talk last week at the European Forum Alpbach and the organiser thought it a huge success.


Christian Folini

Christian Folini is a medieval historian working as a security engineer and open source enthusiast. He holds a PhD in medieval history and enjoys defending castles across Europe. Unfortunately, defending medieval castles is not a big business anymore and therefore, he turned to defending...

Thursday July 5, 2018 2:15pm - 3:00pm BST
St James - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Docker 201 Security

Docker containers offer several advantages for developers. Most notably, they fit perfectly into software development processes, they enable fast, reproducible deployments, and, when properly done, with little change the same container can run in either a test or a production environment.

Despite the alarming information out there, Docker per se also offers several security advantages. However, it is important to make use of them and, as a minimum, to avoid the several security ops pitfalls. In a worst-case scenario, the result is otherwise less security, or the security benefits which the containment technology offers are not used at all.

To avoid the most common mistakes and to improve security beyond the default, the speaker will present Docker Top 10 security bullet points which cover
  • important Do's and Don'ts,
  • for advanced needs, how to tighten security further,
  • how to check (partly) your Docker and Kubernetes security status yourself.
The talk is based on practical experiences at several customers and on the speaker's solid network and systems security expertise.


Dirk Wetter

Dirk Wetter (Ph.D.) is an independent security consultant with more than 20 years professional experience in information security with a large technical and information security management background. His primary focus nowadays is around web application security. He has also a solid background...

Thursday July 5, 2018 3:30pm - 4:15pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE
Friday, July 6

10:15am BST

Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10

The premise of this session is how to build an application security program with a budget of $0. The session explores the OWASP universe, and how different open-source projects are connected together as foundational pieces of an application security program.
OWASP is famous for the top 10, but many do not understand the depth and breadth of the different projects. The projects are explained with a focus on how to implement each within a successful program. This talk is more than just a catalog of the OWASP projects. It is also a practitioner’s guide on how to implement the OWASP projects within an AppSec program. The projects are explained and broken into different phases to delineate between the improvements for a new program versus an established program that is adding new capabilities.
The first group of projects is training / awareness and program definition. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, Software Assurance Maturity Model, and training apps (Juice Shop, DevSlop, and WebGoat). The process for raising awareness with knowledge / training and building out a program are discussed.
The second group is builder or developer. These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes Security RAT, ASVS, cheat sheets, threat modeling, Java encoder, and Dependency Checker. The end-to-end world of the developer is explored, from requirements through writing code.
The third group is breaker or tester. This group focuses on testing guidance/process and tools, including the testing guide, Offensive Web Testing Framework (OWTF), and ZAP. The testing approach and touch points are discussed, as well as a high-level survey of the tools.
The final group is the defender. These include tools that can be used to protect the application from attackers on the Internet, both at the edge and within the application. This group includes ModSecurity and AppSensor.
All of these tools work together to form the basis of an application security program with a budget of $0 except for the people resources to implement, and I’ll discuss what is required from the human resources to make a program such as this successful.


Security Journey

Security Journey
coming soon

Friday July 6, 2018 10:15am - 11:00am BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

From Rogue One to Rebel Alliance: Building Developers into Security Champions

Are you responsible for more than just AppSec? What do you do when you have more teams to support than security experts? How can you make security champions out of dissenters in the development team?
There just aren’t enough security experts to go around. You have to support the multitude of Agile and DevOps teams that are making production software changes anywhere from once a month to several times a day. The lack of resources coupled with the ever-increasing responsibilities can make you feel like a rogue warrior in the battle against cybercrime. What’s a security professional to do? Whether you are a team of one or five, there aren’t enough hours in the day, and even if there were more budget, good luck finding someone to fill that security role. What if I told you that through careful selection and good training it is possible to build your own army from the very people who own the development process?
What you will learn:
1. Who to recruit as security champions
2. How to train these champions in productive application security
3. How to measure success
4. How to build a scalable security program
5. What to expect from champions (responsibilities)


Pete Chestna

DevSecOps Transformation Consultant, CA Technologies
Pete Chestna has more than 25 years of experience developing software and leading development teams and has been granted three patents. Pete has been developing web applications since 1996, including one of the first applications to be delivered through a web interface. He led his...

Friday July 6, 2018 11:00am - 11:45am BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Gamifying Developer Education with CTFs

CTFs are a staple of the security world. Nearly every conference has one, and the number of available CTFs (as well as competitors) is constantly growing. However, CTFs are rarely put to use outside of the security community. A frequent cause of security issues is human error, and countless incidents in the real world could have been prevented by a deeper understanding of vulnerabilities. CVEs, OWASP top 10, and other such vulnerabilities may now come naturally to security professionals, but this understanding is often left in our domain. We ran a CTF for our employees for a week during security awareness month in order to give hands-on lessons in offensive security concepts. In this talk we’ll go over the process, the challenges, the successes and failures, and how you can integrate a CTF into your security program.


Max Feldman

Max Feldman is on the Product Security team at Slack, where he works on the bug bounty and security assessments of Slack features, as well as the development of security tools and automation. He was previously a member of the Product Security team at Salesforce.

John Sonnenschein

Red Team Lead, Slack
John works on the Vulnerability Discovery and Product Security teams at Slack, finding bugs before the bad guys do and developing security tools and automation to help

Friday July 6, 2018 11:45am - 12:30pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

Building a Valid Threat Library for Cloud Based Applications

Tapping the power of the various inherent cloud monitoring and log components in order to build a dynamic threat library that can substantiate your threat model is very possible. In this talk we'll look at both Azure and AWS components to leverage when adding threat context and, ultimately, an amazing threat library to your application threat model. We'll look at exemplifying these techniques across mission-critical infrastructure in Energy and Transportation.


Tony UcedaVelez

CEO/ Owner, VerSprite
Tony UV is CEO at VerSprite, an Atlanta based security services firm assisting global MNCs on various areas of cyber security, secure software development, threat modeling, application security, governance, and risk management. Tony has worked and led teams in the areas of application...

Friday July 6, 2018 1:30pm - 2:15pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Securing Containers on the High Seas

It can be a difficult challenge for most organizations to migrate to containers and develop a secure strategy for implementation and management. Making the shift from legacy virtualization and monolithic deployments to containers requires a solid strategy for securely making the jump. Containers offer many security benefits but it’s important to adopt controls and good practices throughout the lifecycle, across all of the systems and interfaces with which they interact. From container registries, through development and deployment, it’s important to enforce security and eliminate risks as they’re easily introduced.
A robust enterprise container strategy requires focusing on infrastructure, architecture, tooling, policies, and processes. Hardening your containers and ensuring they remain free of known vulnerabilities is important, but this is not a comprehensive approach. Containers, their runtime behavior, and capabilities are influenced by other systems such as container orchestration platforms and schedulers. While organizations are focused on hardening individual containers and services, they also need to think about how to limit lateral movement and post-exploitation steps by attackers through sound architectural choices.
This presentation will focus on scaling container security within an enterprise and building security controls at different layers to provide comprehensive coverage. We will discuss the modern container landscape, including multiple container runtimes and standards such as the Open Container Initiative (OCI) and Container Storage Interface (CSI), as well as their impact on security moving forward. We will explore the container lifecycle from your developer’s laptop through your production environment and examine the key security problems to mitigate. By the end of the presentation the audience should confidently be able to develop a secure approach to their organization’s container strategy.


Jack Mannino

CEO, nVisium
Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance...

Abdullah Munawar

Director of Professional Services, nVisium
Abdullah Munawar is the Director of Professional Services at nVisium who specializes in application security testing and helping clients build application security programs. He previously worked on the security teams for various federal and financial organizations, with over 10 years...

Friday July 6, 2018 2:15pm - 3:00pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Jumpstarting Your DevSecOps Pipeline with IAST and RASP

DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools.  We'll use IAST (Interactive Application Security Testing) to accurately pinpoint vulnerabilities in real time without scanning. Then we'll set up RASP (Runtime Application Self-Protection) to gain comprehensive visibility of attacks in operations and prevent exploits.  And we'll integrate all of this security vulnerability and attack telemetry into the tools your teams are already using.  

* We will enable developers with real-time security feedback right in their IDE
* We will also ensure that libraries and frameworks are analyzed continuously for vulnerabilities
* We'll integrate security into the CI/CD process so that we can easily fail a build
* We'll identify application layer attacks and create a whole new level of visibility for your SOC
* We'll even prevent exploitation of newly discovered vulnerabilities in open source libraries

After this talk, you'll be able to establish your own DevSecOps pipeline immediately. This reference architecture can be adapted easily to almost any tools and processes -- even legacy applications and waterfall style projects.


Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and love...

Friday July 6, 2018 3:30pm - 4:15pm BST
Westminster - 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE