Security time, courtesy of our host Lyft! We will have three exciting talks, lots of people to meet, & great food.
5:30 - Doors open
6:00-6:15 - Intro/welcome
6:15-6:45 - Application Layer Cryptography (Jon McLachlan)
6:50-7:20 - DNS man-on-the-side (MOTS) for fun & profit (Mark Adams)
7:25-7:55 - Mobile AppSec 101 (Tony Ramirez)
Talk 1: Application Layer Cryptography
What's the point of application layer cryptography? What does encrypting sensitive data actually buy us, in terms of threat modeling? Why bother with encrypting data, if we need to decrypt it to realize the data's value? If we don't trust the software that's handling the data, why trust the software to handle the keys? Is there a business case to actually encrypt more (or less) data? If we have to encrypt data, how are we actually supposed to do that, in practice? What algorithms should we use to encrypt? Where do these keys come from? Oh no, I have to expire the old keys & start using new encryption keys to provide forward secrecy, over time? !@#$ How do I do that without losing backward compatibility with software I've already shipped to customers that uses the old encryption scheme? Should I lock into Google KMS or AWS KMS, or buy a $50k HSM from Thales integrating with PKCS11, or just build my own system? Wait. What's peacemakr.io?
If you've ever wondered about these questions, you're not alone. We'll explore where business requirements come from, how product security engineering teams typically respond to these requirements, & discuss the future of application layer cryptography.
Jon has 10+ years of industry experience, & 4+ years in academia, in Product Security, spanning everything from a 2-person bootstrapped startup to large companies. He's secured both consumer & enterprise products, across large (Apple), medium (Pure Storage), & small-sized companies. Today, he is a Product Security Engineer at Pure Storage by day, and a Founder & CEO of Peacemakr.io nights & weekends.
Talk 2: DNS man-on-the-side (MOTS) for fun & profit
The Domain Name System binds everything on the internet together, connecting web-site names to the actual hosted site. This presentation looks at DNS security from a red-teamer's viewpoint: a discussion of Man-on-the-Side (MOTS) vulnerabilities & a demo of a MOTS attack using the open-source Cyberprobe software, with some lessons for managing your DNS security.
Mark Adams is a principal engineer on Lyft's Security team. He has 25 years in security with a focus on detection: deep packet inspection, cloud-scale & big data analytics for real-time incident detection.
Talk 3: Mobile AppSec 101
A storm of mobile app security & privacy issues continues to intensify, while the skills gap worsens. Security professionals have discovered that web app security practices don't cut it for mobile. Because the tools & methodologies differ, it's time for practitioners to learn some new skills, leveraging the OWASP Mobile Project resources & patterns found testing thousands of mobile apps. In this talk, you'll learn how to crawl, walk, then run in mobile app security testing, with an end goal of having all the tools & knowledge necessary to become a mobile appsec expert. Ultimately, all mobile appsec experts have to start somewhere. If you start off on the right foot, there's no telling what vulnerabilities you may uncover & how your career can grow.
As a mobile security analyst at NowSecure, Tony Ramirez leads trainings with customers & performs mobile app penetration testing of iOS & Android apps as part of the NowSecure Services team. Tony holds a master's degree in cyber forensics & security from Illinois Institute of Technology. Tony regularly attends the Chicago OWASP chapter meetups & speaks at OWASP & other security events across the country. While terrible at writing bios for himself, Tony is an avid food experimenter & office prankster.