Agenda
Talks
10:00 AM
Gary Perkins
Keynote
10:30 AM
Nancy Gariche & Tanya Janca
Security: Catching Up and Keeping Up with DevOps
11:30 AM
Lex Vorona
Modern Micro-services Authentication Challenges
12:30 PM
Wesley Wineberg
Android Application Analysis
1:30 PM
Farshad Abasi
Securing Modern API and Microservices-based Applications by Design
2:30 PM
Amiran Alavidze
Managed Kubernetes Threat Model
3:30 PM
Betsy Thomas
Pursuit of [secure] API-ness
4:30 PM
AMA (Ask Me Anything)
5:00 PM
Closing Remarks
Happy Hour
Workshops Etc.
10:00 AM
Gary Perkins
Keynote
10:30 AM
Joaquin Puga
Burp Suite 101
12:30 PM
Jeevan Singh
Threat Modeling 101
2:30 PM
Paul Ionescu
Security Code Review 101
4:30 PM
AMA (Ask Me Anything)
5:00 PM
Closing Remarks
Happy Hour
Speakers
Gary Perkins
Keynote
Bio
Gary Perkins is the Chief Information Security Officer (CISO) for the Government of British Columbia. As the Executive Director of the Information Security Branch, Perkins is responsible for providing cybersecurity services in support of the province. He has more than 18 years of experience in information technology, risk management and cybersecurity. Prior to joining the BC Government, Perkins worked in the private sector as chief of staff for security at TELUS and, earlier in his career, led teams responsible for incident response, operations, delivery and architecture for both corporate and managed security services customers. A CISSP since 2004, Perkins also holds an MBA from Simon Fraser University’s Management of Technology program.
Tanya Janca
Security: Catching Up and Keeping Up with DevOps
https://www.linkedin.com/in/tanya-janca/
In the quest to be first to market, DevOps has become a strategy of choice for improving the agility of development teams. As these teams push code to production faster and faster, slow, manual security assessments need to be replaced with new approaches to application security assessment. We'll look at how to handle security considerations, with demos of tools and integrations in action.
During this talk, we will explore how tooling and automation can bring security in early and keep it throughout a continuous integration/continuous delivery (CI/CD) pipeline. Scanning the platform for vulnerabilities, checking the code for third-party components with known vulnerabilities, writing security unit tests, running static code analysis and performing dynamic security testing are some of the strategies we will use to ensure that security can catch up and keep up with the speed of DevOps.
Bio
Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security’. She is also the founder of We Hack Purple, an online learning academy, community and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats; startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion and kindness, which shines through in her countless initiatives.
Founder: We Hack Purple (Academy, Community and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday
Nancy Gariche
Security: Catching Up and Keeping Up with DevOps
https://www.linkedin.com/in/nancygariche/
(Joint talk with Tanya Janca; see the abstract under her entry above.)
Bio
In the early 2000s, Nancy joined the Canadian federal government as a computer science co-op student and never left. In 2009, she moved to Ottawa from Montreal, her beloved hometown, to take her first IT security job as a security analyst. This multi-hatted role gave her the opportunity to take on duties in disciplines ranging from incident handling to project and risk management. Involved in her local infosec community, she aspires to welcome and empower a new generation of industry professionals into the workforce. She currently leads her federal department's Security Assessment and Authorization Program and is the founder of BDB Skills, a community that helps cybersecurity professionals and enthusiasts obtain the skills and certifications required to kickstart or level up their careers. Nancy is also co-leader of the Ottawa chapter of the Open Web Application Security Project (OWASP) and of the OWASP DevSlop project.
Joaquin Puga
Burp Suite 101
https://www.linkedin.com/in/joaquinpugadelrio/
Do you want to start diving into the waters of web application security testing but do not know where to start? This workshop provides the answer to that question: know your tools. The gold-standard tool for web application penetration testing is Burp Suite. You will be introduced to Burp Suite, learn how to configure it, what its components do, and how to apply it to find vulnerabilities in web applications. Hands-on exercises will show you which Burp Suite component to use when testing for a particular vulnerability, and how to do it.
The intended audience of this workshop is people with no previous experience of Burp Suite or web application security testing who are interested in learning about it.
Requirements: Burp Suite (https://portswigger.net/burp)
Bio
Joaquin is a Security Consultant based in Vancouver. He works for a large enterprise where he performs internal vulnerability and web application security assessments. He is passionate about working with developers and helping them build more secure applications.
Lex Vorona
Modern Micro-services Authentication Challenges
https://www.linkedin.com/in/alekseyvorona/
In the world of modern micro-services, developers often need to add an authentication layer to their services. This talk tells the story of one migration from a monolith to micro-services, focusing on the mistakes we made and the lessons learned. It includes an overview of the subset of OAuth2 that is useful in such a situation.
Bio
Lex is a software engineer with two decades of experience. His interests have driven his career from a mobile social network through high-load gaming applications and big-data ML processing to reliability engineering.
Wesley Wineberg
Android Application Analysis
https://www.linkedin.com/in/wineberg/
This talk will cover many of the common security issues that affect mobile applications, with a specific focus on Android applications. Beyond introducing the common issues, it will show how to test for each of them easily. While application testing is almost always easier with access to the application's source code, this talk will cover how any Android application can be tested even without source code access.
Bio
Wesley Wineberg has worked in the computer security industry for the last 12 years, doing everything from web security to firmware reverse engineering. Wes currently works as a full-time bug bounty hunter. He was previously a member of the Azure Red Team at Microsoft, and enjoys the offensive side of security the most.
Jeevan Singh
Threat Modeling 101
https://www.linkedin.com/in/jeevansecurity
Threat modeling is a great way to discover and remediate threats in your system before they are even created. It is commonly performed by security professionals, but threat modeling can be done by anyone. This hands-on workshop will cover the threat modeling workflow, common classes of vulnerabilities, and hands-on examples in which *you* discover threats in different systems.
Bio
Jeevan Singh is a Staff Security Engineer at a software company, where he is embedding security into all aspects of the software development process. Jeevan enjoys building security culture within organizations and educating staff on security best practices. He is responsible for a wide variety of tasks, including architecting security solutions, working with development teams to resolve security vulnerabilities, and building out security features. Before moving into security, Jeevan held a wide variety of development and leadership roles over the past 15 years.
Farshad Abasi
Securing Modern API and Microservices-based Applications by Design
https://www.linkedin.com/in/farshadabasi/
This talk gives the audience a high-level understanding of modern API and microservices-based application architectures, awareness of the key security concerns with these architectures, and knowledge of how best to secure microservices and their APIs. The speaker draws on existing concepts and his years of experience building security architecture patterns and solutions in this domain for one of the world's largest global financial institutions to present actionable architectural takeaways.
Bio
Farshad is an innovative technologist with over twenty years of experience in security, software design and development, and network and system architecture and management. He has worked for companies of all shapes and sizes, from small start-ups to global firms such as Intel and Motorola, most recently spending 9 years as a senior member of HSBC's IT security team. He currently leads OWASP's Vancouver chapter and is a member of MARS, which organizes BSides Vancouver. He is a UBC alumnus and a CISSP, and spends most of his time addressing software security and business challenges when he is not collecting or playing music.
Amiran Alavidze
Managed Kubernetes Threat Model
It's clear that Kubernetes has won the container orchestration wars and is here to stay. The complexity, flexibility and rapid development cycle of Kubernetes mean that the Kubernetes security landscape varies significantly across deployments and is generally not well understood.
This talk will present a high-level threat model for managed cloud Kubernetes deployments, which provide a reasonably secure baseline that already addresses many of the general recommendations you'll find on the Internet. You'll come away with an understanding of the Kubernetes security landscape and actionable recommendations for running workloads securely in Kubernetes.
Bio
Amiran is a cyber security veteran with over 15 years of experience under his belt, advocating a practical, business-focused approach to security. He is currently Director, Security and Risk Management at Tasktop, managing Tasktop's product security program. Amiran also volunteers with the OWASP Vancouver chapter and is a co-organizer of the Defcon604 group.
Security is not just a job, it’s a passion.
Paul Ionescu
Security Code Review 101 Workshop
https://www.linkedin.com/in/pionescu
Code review is, hopefully, part of regular development practice in any organization. Adding security elements to code review is the most effective measure for preventing vulnerabilities, even before the first commit. This workshop is a primer covering the basic elements to get you started. We will review several software examples in order to separate the good from the ugly.
Bio
Paul Ionescu is a co-leader of the OWASP Ottawa chapter and the project leader for the OWASP Secure Coding Dojo, an open source security training platform for developers.
Betsy Thomas
Pursuit of [secure] API-ness
https://www.linkedin.com/in/betsythomas22/
Software today is driven by APIs, which enable developers to write the data-driven, flexible applications that end users and organizations require and desire. But these APIs are creating a rapidly growing attack surface. In this talk, we will dive into the top API security risks presented in the OWASP API Top 10. From API-specific issues like broken object-level authorization and excessive data exposure to more familiar issues like injection and insufficient logging and monitoring, the list rounds up the most critical API threats while also providing example attack scenarios and protection recommendations. Finally, we will go over methods to test for and discover these vulnerabilities.
Bio
Betsy Thomas is a Security Engineer on the team at Amazon responsible for securing all the applications in Amazon's Consumer Payments Infrastructure. Prior to this, she was a Product Security Engineer for the Salesforce AppExchange and other core Salesforce products. Having spent most of her career in application security, she is passionate about proactive security and developer enablement. She was an active member of the Bay Area security community and hopes to be the same in Vancouver following her recent move.