Our industry experts are playing with power. Don’t miss live Q&A chats with our brilliant keynote speakers to get your burning questions answered.
Code in your world, learn in ours. Unlock useful resources and interact with our co-sponsors to power up your secure coding strategies.
With a click of a button, enter another realm with others on the same quest to share your ideas around code security.
What’s a game without hidden prizes? Hunt for Easter eggs to boost your player score for a chance to win a PlayStation 5!
Simone Curzi, Microsoft | Justin Hutchings, GitHub | Shiri Ivtsan, WhiteSource
We live today in a software-dependent world. It’s no wonder that organizations are making it a top priority to release secure apps. Yet we still continuously face security vulnerabilities and headline-grabbing security breaches, which often could have been prevented by writing better and more secure code from the get-go. This poses several questions: What are the current security pitfalls and how can we overcome them? How can we level up our secure coding strategies? What roles should security and development teams play when it comes to code security? What is the bigger picture organizations should be considering?
Vandana Verma Sehgal, OWASP
We are all heading towards the modernization of applications. However, we still see companies being impacted by the most common website vulnerabilities, like SQL injection, sensitive data exposure, security misconfiguration, etc. OWASP has many projects which can be tied seamlessly into the application development pipeline. However, first, we don’t know that the projects exist; second, if we do know about the projects, we do not know exactly how they work. In this talk, I will be talking about how to run an AppSec program with open source projects (OWASP projects).
Sarah Young, Microsoft
Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and the tech challenges, with some common mistakes made in real-life deployments and some real-life examples. We’ll also be looking at my ongoing research into how easy (or not) it is to get a container or Kubernetes cluster hacked on purpose.
Keith Casey, Okta
APIs have become fundamental to our teams. While we’d like to believe it was a carefully executed plan, let’s be honest – there’s as much luck as foresight in the mix. Luckily, success drives success so it’s worked. Unfortunately, that success has cost us. APIs have become a devastating attack vector for apps that store everything from financial records to passport information to your dating interests. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.
Chris Romeo, Security Journey
Developers are everywhere because software is everywhere. The challenge with developers is that most do not have a foundation in application security. To effectively engage them requires a four-phase process of application security connection – open their eyes, fill their brains, task their hands, and embrace the gathering. In this session, Chris provides guidance on each phase of this process so that organizations can launch an application security program with developers who understand the foundational lessons of application security and how to apply those lessons in their code.
Izar Tarandach, Squarespace | Matthew Coles, Dell
In this talk we will introduce the audience to the concept of threat modeling, its objectives and the part it plays in the SDLC. We will explore the recently published Threat Modeling Manifesto as a framework to develop your own threat modeling practice, see the fundamental concepts of system modeling and threat elicitation, and, time permitting, end up with a view of threat-modeling-with-code and an open source framework to support it.
Matt Tesauro, 10Security
Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.
Richard Greenberg, Security Advisors LLC
Is your company integrating Information Security into the Software Development Life Cycle? Does your security team have a good working relationship with Application Development, the Project Management Office, and Operations? Are you following a basic framework and good standards for coding and at the various steps throughout the development process? Join me as I share my 15 years as a CISO working with all of the above teams to help you understand the best practices to follow to ensure your software projects are done professionally and securely.
Jeroen Willemsen, Xebia
So you want to create your own pipeline to do some basic security verification? Join us for some demos with which you can quickly get the first steps working. In this talk we will go over some of the basics you can consider when trying to automate the security checks of your applications and their infrastructure. We were able to use these steps to do some basic verification within a week!
Dr. Phillipe de Ryck, Pragmatic Web Security
Does the rise of APIs result in the downfall of security? Why are there so many vulnerabilities and incidents involving APIs? How can you ensure that your APIs are secure? In this session, we use real-world cases to dive into best practices for securing your APIs. We discuss the attack surface of an API, common authorization problems, and best practice techniques to avoid these problems. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs.
Matthew Butler, Laurel Lye
Threat modeling is fundamental to understanding risk. We do it every day: driving a car, crossing a street, walking alone at night in a strange city. Darkness, isolation, insecurity and vulnerability all trigger our threat modeling instincts. And that’s exactly where our systems operate. In this talk, we’ll see how to use threat modeling to find the worst vulnerabilities hidden in the complexity of our systems by uncovering architectural flaws early, exposing attack surfaces and identifying attack vectors. You can’t code your way out of a bad architecture, but you can threat model your way out.
Matias Madou, Secure Code Warrior
In the ancient times of software creation, we had AppSec, and we had developers. Generally, AppSec was aware of security problems and potential fixes. Developers cranked out features in a fast, functional way, but released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring their out-of-context recommendations would hit after the release window and not halt proceedings. Today, the DevSecOps movement creates an optimum environment of shared responsibility for security, and with the right training and tools, security-aware developers can take advantage.
Global Board of Directors, OWASP
CyberSecurity Principal Consultant, Microsoft
API Problem Solver, Okta
Director of Product Management, GitHub
Security Architect, Microsoft
Director of Product, WhiteSource
Senior Principal Product Security Engineer, Dell
Principal Security Engineer, Squarespace
CEO and co-founder, Security Journey
Principal Security Architect, Xebia
Senior Partner, 10 Security
Web Security Expert, Founder, Pragmatic Web Security
Founder and CEO, Security Advisors LLC
Principal Engineer, Laurel Lye
CTO and Co-founder, Secure Code Warrior
Moderator, MediaOps