OWASP BC AppSec Day

Agenda

Talks

10:00 AM
Gary Perkins

Keynote

10:30 AM
Nancy Gariche & Tanya Janca

Security: Catching Up and Keeping Up with DevOps

11:30 AM
Lex Vorona

Modern Micro-services Authentication Challenges

12:30 PM
Wesley Wineberg

Android Application Analysis

13:30 PM
Farshad Abasi

Securing Modern API and Microservices-based Applications by Design

14:30 PM
Amiran Alavidze

Managed Kubernetes Threat Model

15:30 PM
Betsy Thomas

Pursuit of [secure] API-ness

16:30 PM
AMA

AKA Ask Me Anything

17:00 PM
Closing Remarks

Happy Hour

Workshops Etc.

10:00 AM
Gary Perkins

Keynote

10:30 AM
Joaquin Puga

Burp Suite 101

12:30 PM
Jeevan Singh

Threat Modeling 101

14:30 PM
Paul Ionescu

Security Code Review 101

16:30 PM
AMA

AKA Ask Me Anything

17:00 PM
Closing Remarks

Happy Hour


Speakers

Gary Perkins

Keynote

Bio

Gary Perkins is the Chief Information Security Officer (CISO) for the Government of British Columbia. As the Executive Director of the Information Security Branch, Perkins is responsible for providing cybersecurity services in support of the province. He has more than 18 years of experience in information technology, risk management and cybersecurity. Prior to joining the BC Government, Perkins worked in the private sector as chief of staff for security at TELUS and, earlier in his career, led teams responsible for incident response, operations, delivery and architecture for both corporate and managed security services customers. A CISSP since 2004, Perkins also holds an MBA from Simon Fraser University’s Management of Technology program.

Tanya Janca

Security: Catching Up and Keeping Up with DevOps

https://www.linkedin.com/in/tanya-janca/

In this quest to be first to market, DevOps has been a strategy of choice to improve agility in development teams. As these teams push code to production faster and faster, slow and manual security assessments need to be replaced with new ways for application security assessments. We’ll learn about dealing with security considerations with demos of tools and integrations in action.

During this talk, we will explore how we can use tooling and automation to include security early on and throughout a continuous integration/continuous delivery (CI/CD) pipeline. Scanning the platform for vulnerabilities and the code for 3rd-party components with known vulnerabilities, using security unit testing, static code analysis and performing dynamic security testing are some of the strategies we will use to ensure that security can catch up and keep up with the speed of DevOps.

Bio

Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, has won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.

Founder: We Hack Purple (Academy, Community and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday

Nancy Gariche

Security: Catching Up and Keeping Up with DevOps

https://www.linkedin.com/in/nancygariche/


Bio

In the early 2000s, Nancy joined the Canadian federal government as a computer science co-op student and never left. In 2009, she moved to Ottawa from Montreal, her beloved hometown, to land her first IT security job as a security analyst. This multi-hatted role gave her the opportunity to take on duties in multiple disciplines ranging from incident handling to project and risk management. Involved in her local infosec community, she aspires to welcome and empower a new generation of industry professionals into the workforce. She is currently leading her federal Department’s Security Assessment and Authorization Program and she is the founder of BDB Skills, a community that helps cybersecurity professionals and enthusiasts obtain the skills and certifications required to kickstart or level up their career. Nancy is also the co-leader of the Ottawa Chapter of the Open Web Application Security Project (OWASP) and of the OWASP DevSlop project.

Joaquin Puga

Burp Suite 101

https://www.linkedin.com/in/joaquinpugadelrio/

Do you want to start diving into the waters of web application security testing but do not know where to start? This workshop will provide you with the answer to that question: know your tools. And the gold standard tool for web application penetration testing is Burp Suite. You will be introduced to Burp Suite, learn how to configure it and what its functionality is, and learn how to apply it to find vulnerabilities in web applications. You will have the opportunity to work on hands-on exercises to learn which Burp Suite component to use when testing for a particular vulnerability, and how to do it.

The intended audience of this workshop is people without previous experience with Burp Suite or web application security testing who are interested in learning about it.

Requirements

Bio

Joaquin is a Security Consultant based in Vancouver. He works for a large enterprise where he performs internal vulnerability and web application security assessments. He is passionate about working with developers and helping them build more secure applications.

Lex Vorona

Modern Micro-services Authentication Challenges

https://www.linkedin.com/in/alekseyvorona/

In the world of modern micro-services it is often the case that developers need to add an authentication layer to their services. This talk covers the story of one migration from a monolith to micro-services, with a focus on the mistakes we made and the lessons learned. It includes an overview of the subset of OAuth2 that is useful in such a situation.

Bio

Lex is a software engineer with two decades of experience. His interests have driven his career path from working on a mobile social network to high-load gaming applications, big data ML processing and reliability engineering.

Wesley Wineberg

Android Application Analysis

https://www.linkedin.com/in/wineberg/

This talk will cover many of the common security issues that affect mobile applications, with a specific focus on Android applications. Not only will common issues be introduced, but how to easily test for each of these will be covered. While application testing is almost always easier with access to the application's source code, this talk will cover how any Android application can be tested even without source code access.

Bio

Wesley Wineberg has worked in the computer security industry for the last 12 years doing everything from web security to firmware reverse engineering. Wes currently works as a full-time bug bounty hunter. He was previously a member of the Azure Red Team at Microsoft, and enjoys the offense side of security the most.

Jeevan Singh

Threat Modeling 101

https://www.linkedin.com/in/jeevansecurity

Threat Modeling is a great way to discover and remediate threats in your system before they are even created. It is commonly performed by security professionals, but threat modeling can be done by anyone. This hands-on workshop will cover the threat modeling workflow, common classes of vulnerabilities and hands-on examples that will have *you* discover threats in different systems.

Bio

Jeevan Singh is a Staff Security Engineer for a software company, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. Jeevan is responsible for a wide variety of tasks, including architecting security solutions, working with development teams to resolve security vulnerabilities and building out security features. Before his life in the security space, Jeevan held a wide variety of development and leadership roles over the past 15 years.

Farshad Abasi

Securing Modern API and Microservices-based Applications by Design

https://www.linkedin.com/in/farshadabasi/

This talk provides the audience with a high-level understanding of modern API and microservices-based application architectures, awareness of key security concerns with these architectures, and knowledge of how best to secure microservices and their APIs. The speaker leverages existing concepts and his years of experience building security architecture patterns and solutions in this domain for one of the world's largest global financial institutions to present actionable architectural takeaways.

Bio

Farshad is an innovative technologist with over twenty years of experience in security, software design and development, and network and system architecture and management. He has worked for companies of all shapes and sizes, from small start-ups to global firms such as Intel and Motorola, most recently spending 9 years as a senior member of HSBC’s IT security team. He currently leads OWASP’s Vancouver chapter and is a member of MARS, which organizes BSides Vancouver. He is a UBC alumnus and a CISSP designate, and spends most of his time addressing software security and business challenges when he is not collecting or playing music.

Amiran Alavidze

Managed Kubernetes Threat Model

https://twitter.com/airman604

It’s clear that Kubernetes has won the container orchestration wars and is here to stay. The complexity, flexibility and rapid development cycle of Kubernetes mean that the Kubernetes security landscape varies significantly across deployments and is generally not well understood.

This talk will provide a high-level threat model for managed cloud Kubernetes deployments, which provide a decently secure baseline that addresses many of the general recommendations you’ll find on the Internet. You’ll come out equipped with an understanding of the Kubernetes security landscape and actionable recommendations for securely running workloads in Kubernetes.

Bio

Amiran is a cyber security veteran with over 15 years of experience under his belt, advocating a practical, business-focused approach to security. Amiran is currently Director, Security and Risk Management at Tasktop, managing Tasktop's product security program. Amiran also volunteers with the OWASP Vancouver chapter and is a Defcon604 group co-organizer.

Security is not just a job, it’s a passion.

Paul Ionescu

Security Code Review 101 Workshop

https://www.linkedin.com/in/pionescu

Code review is, hopefully, part of regular development practices for any organization. Adding security elements to code review is the most effective measure for preventing vulnerabilities, even before the first commit. This workshop is a primer that includes the basic elements to get you started. We will review several software examples in order to tell the good from the ugly.

Bio

Paul Ionescu is a co-leader of the OWASP Ottawa chapter and the project leader for the OWASP Secure Coding Dojo, an open source security training platform for developers.

Betsy Thomas

Pursuit of [secure] API-ness

https://www.linkedin.com/in/betsythomas22/

Software today is driven by APIs, which enable developers to write the data-driven and flexible applications that end-users and organizations require and desire. But these APIs are creating a rapidly growing attack surface. In this talk, we will dive into the top API security risks presented in the OWASP API Top 10. From API-specific issues like broken object-level authorization and excessive data exposure to more familiar issues like injection and insufficient logging and monitoring, the list rounds up the most critical API threats, while also providing example attack scenarios and protection recommendations. Finally, we will go over methods to test for and discover these vulnerabilities.

Bio

Betsy Thomas is a Security Engineer on the team at Amazon that is responsible for securing all the applications in Amazon's Consumer Payments Infrastructure. Prior to this, she was a Product Security Engineer for the Salesforce AppExchange and other core Salesforce products. Having spent most of her career in application security, she is passionate about proactive security and developer enablement. She was an active member of the Bay Area security community and hopes to do the same with her recent move to Vancouver.