March 24th 10 am – 6 pm ET

Code Security: Game On

After the success of last year’s virtual quest, we’re proud to announce Secure Coding V2: The Adventure Continues. We’re back and bigger
than ever. Welcome to the next level.

Join us on March 24, 2021, to hear from industry-leading AppSec and DevSecOps practitioners, analysts, and visionaries as they share their best pro tips and power ups to level up your code security.

Can’t-Miss Industry Players

Our industry experts are playing with power. Don’t miss live Q&A chats with our brilliant keynote speakers to get your burning questions answered.

Unlock Educational Opportunities

Code in your world, learn in ours. Unlock useful resources and interact with our co-sponsors to power up your secure coding strategies.

Discover a New World of Networking

With a click of a button, enter another realm with others on the same quest to share your ideas around code security.

Win Cool Prizes

What’s a game without hidden prizes? Hunt for Easter eggs to boost your player score for a chance to win a PlayStation 5!

10:00-11:00

Game On: How to Achieve the Highest Level of Code Security

Simone Curzi, Microsoft | Justin Hutchings, GitHub | Shiri Ivtsan, WhiteSource

We live today in a software-dependent world. It’s no wonder that organizations are making it a top priority to release secure apps. Yet – we still continuously face security vulnerabilities and grabbing headlines around security breaches, which often could have be prevented through writing better and more secure code from the get-go. This poses several questions: What are the current security pitfalls and how can we overcome this? How can we level up our secure coding strategies? What roles should security & development teams play when it comes to code security? What is the bigger picture organizations should be considering?

10:00-11:00

Game On: How to Achieve the Highest Level of Code Security

We live today in a software-dependent world. It’s no wonder that organizations are making it a top priority to release secure apps. Yet – we still continuously face security vulnerabilities and grabbing headlines around security breaches, which often could have be prevented through writing better and more secure code from the get-go. This poses several questions: What are the current security pitfalls and how can we overcome this? How can we level up our secure coding strategies? What roles should security & development teams play when it comes to code security? What is the bigger picture organizations should be considering?

11:00-11:45

Effective DevSecOps Program With Open Source Tools

Vandana Verma Sehgal, OWASP

We are all heading towards the modernization of applications. However, we still see the companies being impacted with the most common website vulnerabilities like SQL Injection, Sensitive data exposure, security misconfiguration, etc. OWASP has many projects which can be tied seamlessly into the application development pipeline structure. However, firstly we don’t know if the projects exist, second, if we know about the projects, we do not know the exact working of the projects. In the talk, I will be talking about how to run an AppSec program with open source projects (OWASP Projects).

11:00-11:45

Effective DevSecOps Program With Open Source Tools

We are all heading towards the modernization of applications. However, we still see the companies being impacted with the most common website vulnerabilities like SQL Injection, Sensitive data exposure, security misconfiguration, etc. OWASP has many projects which can be tied seamlessly into the application development pipeline structure. However, firstly we don’t know if the projects exist, second, if we know about the projects, we do not know the exact working of the projects. In the talk, I will be talking about how to run an AppSec program with open source projects (OWASP Projects).

11:45-12:30

How to Loose a Container in 10 Minutes

Sarah Young, Microsoft

Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life examples. We’ll also be looking at my ongoing research about how easy (or not) it is to get a container or Kubernetes cluster hacked on purpose.

11:45-12:30

How to Loose a Container in 10 Minutes

Moving to the cloud and deploying containers? In this talk I discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments with some real life examples. We’ll also be looking at my ongoing research about how easy (or not) it is to get a container or Kubernetes cluster hacked on purpose.

12:30-13:00

API Security: When Failure Looks Like Success

Keith Casey, Okta

APIs have become fundamental to our teams. While we’d like to believe it was a carefully executed plan, let’s be honest – there’s as much luck as foresight in the mix. Luckily, success drives success so it’s worked. Unfortunately, that success has cost us. APIs have become a devastating attack vector for apps that store everything from financial records to passport information to your dating interests. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.

12:30-13:00

API Security: When Failure Looks Like Success

APIs have become fundamental to our teams. While we’d like to believe it was a carefully executed plan, let’s be honest – there’s as much luck as foresight in the mix. Luckily, success drives success so it’s worked. Unfortunately, that success has cost us. APIs have become a devastating attack vector for apps that store everything from financial records to passport information to your dating interests. In this session, we’ll reconsider some of our earliest assumptions and lay out some strategies for bringing our APIs out of the shadows and protecting ourselves, our partners, and our customers.

13:00-13:30

How to Transform Developers Into Security People

Chris Romeo, Security Journey

Developers are everywhere because software is everywhere. The challenge with developers is that most do not have a foundation in application security. To effectively engage them requires a four-phase process of application security connection – open their eyes, fill their brains, task their hands, and embrace the gathering. In this session, Chris provides guidance on each phase of this process so that organizations can launch an application security program with developers who understand the foundational lessons of application security and how to apply those lessons in their code.

13:00-13:30

How to Transform Developers Into Security People

Developers are everywhere because software is everywhere. The challenge with developers is that most do not have a foundation in application security. To effectively engage them requires a four-phase process of application security connection – open their eyes, fill their brains, task their hands, and embrace the gathering. In this session, Chris provides guidance on each phase of this process so that organizations can launch an application security program with developers who understand the foundational lessons of application security and how to apply those lessons in their code.

13:30-14:30

Threat Modeling, a Manifesto and Some Code

Izar Tarandach, Squarespace | Matthew Coles, Dell

In this talk we will introduce the audience to the concept of Threat Modeling, its objectives and the part it plays in the SDLC. We will explore the recently published Threat Modeling Manifesto as a framework to develop your own Threat Modeling practice, see the fundamental concepts of system modeling and threat elicitation, and time permitting end up with a view of threat-modeling-with-code and an Open Source framework to support it.

13:30-14:30

Threat Modeling, a Manifesto and Some Code

In this talk we will introduce the audience to the concept of Threat Modeling, its objectives and the part it plays in the SDLC. We will explore the recently published Threat Modeling Manifesto as a framework to develop your own Threat Modeling practice, see the fundamental concepts of system modeling and threat elicitation, and time permitting end up with a view of threat-modeling-with-code and an Open Source framework to support it.

14:30-15:00

Taking the Best of Agile, DevOps and CI/CD Into Security

Matt Tesauro, 10Security

Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.

14:30-15:00

Taking the Best of Agile, DevOps and CI/CD Into Security

Software development continues to move faster with the rise of Agile, DevOps, and CI/CD, while traditional AppSec continues with slow delivery and failure to scale. In this talk, we’ll discuss lessons learned from forward thinking software development at a multitude of companies, and show you how to apply them to your org. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec program and ascend out of traditional AppSec pitfalls.

15:00-15:30

Overview of Software Security Best Practices

Richard Greenberg, Security Advisors LLC

Is your company integrating Information Security into the Software Development Life Cycle? Does your security team have a good working relationship with Application Development, the Project Management Office, and Operations? Are you following a basic framework and good standards for coding and at the various steps throughout the development process? Join me as I share my 15 years as a CISO working with all of the above teams to help you understand the best practices to follow to ensure your software projects are done professionally and securely.

15:00-15:30

Overview of Software Security Best Practices

Is your company integrating Information Security into the Software Development Life Cycle? Does your security team have a good working relationship with Application Development, the Project Management Office, and Operations? Are you following a basic framework and good standards for coding and at the various steps throughout the development process? Join me as I share my 15 years as a CISO working with all of the above teams to help you understand the best practices to follow to ensure your software projects are done professionally and securely.

15:30-16:00

Creating an AppSec Pipeline With Containers In A Week

Jeroen Willemsen, Xebia

So you want to create your own pipeline to do some basic security verification? Join us for some demos with which you can quickly get the first steps working. In this talk we will go over some of the basics that you can consider when trying to automate the security checks of your applications and their infrastructure. We were able to use these steps to do some basic verification within a week!

15:30-16:00

Creating an AppSec Pipeline With Containers In A Week

So you want to create your own pipeline to do some basic security verification? Join us for some demos with which you can quickly get the first steps working. In this talk we will go over some of the basics that you can consider when trying to automate the security checks of your applications and their infrastructure. We were able to use these steps to do some basic verification within a week!

16:00-16:30

Getting API Security Right

Dr. Phillipe de Ryck, Pragmatic Web Security

Does the rise of APIs result in the downfall of security? Why are there so many vulnerabilities and incidents involving APIs? How can you ensure that your APIs are secure? In this session, we use real-world cases to dive into best practices for securing your APIs. We discuss the attack surface of an API, common authorization problems, and best practice techniques to avoid these problems. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs.

16:00-16:30

Getting API Security Right

Does the rise of APIs result in the downfall of security? Why are there so many vulnerabilities and incidents involving APIs? How can you ensure that your APIs are secure? In this session, we use real-world cases to dive into best practices for securing your APIs. We discuss the attack surface of an API, common authorization problems, and best practice techniques to avoid these problems. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs.

16:30-17:30

Threat Modeling: Finding the Worst Vulnerabilities You’ll Never Write

Matthew Butler, Laurel Lye

Threat Modeling is fundamental to understanding risk. We do it every day: driving a car, crossing a street, walking alone at night in a strange city. Darkness, isolation, insecurity, vulnerability all trigger our threat modeling instincts. And that’s exactly where our systems operate. In this talk, we’ll see how to use threat modeling to find the worst vulnerabilities hidden in the complexity of our systems by uncovering architectural flaws early, exposing attack surfaces, identifying attack vectors. You can’t code your way out of a bad architecture but you can threat model your way out.

16:30-17:30

Threat Modeling: Finding the Worst Vulnerabilities You’ll Never Write

Threat Modeling is fundamental to understanding risk. We do it every day: driving a car, crossing a street, walking alone at night in a strange city. Darkness, isolation, insecurity, vulnerability all trigger our threat modeling instincts. And that’s exactly where our systems operate. In this talk, we’ll see how to use threat modeling to find the worst vulnerabilities hidden in the complexity of our systems by uncovering architectural flaws early, exposing attack surfaces, identifying attack vectors. You can’t code your way out of a bad architecture but you can threat model your way out.

17:30-18:00

AppSec is Dead. Long Live DevSecOps!

Matias Madou, Secure Code Warrior

In the ancient times of software creation, we had AppSec, and we had developers. Generally, AppSec was aware of security problems and potential fixes. Developers cranked out features in a fast, functional way, but released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring their out-of-context recommendations would hit after the release window and not halt proceedings. Today, the DevSecOps movement creates an optimum environment of shared responsibility for security, and with the right training and tools, security-aware developers can take advantage.

17:30-18:00

AppSec is Dead. Long Live DevSecOps!

In the ancient times of software creation, we had AppSec, and we had developers. Generally, AppSec was aware of security problems and potential fixes. Developers cranked out features in a fast, functional way, but released their code for security review as late as possible. Why? To shorten the AppSec feedback window, ensuring their out-of-context recommendations would hit after the release window and not halt proceedings. Today, the DevSecOps movement creates an optimum environment of shared responsibility for security, and with the right training and tools, security-aware developers can take advantage.

Vandana Verma Sehgal

Global Board of Directors, OWASP

Simone Curzi

CyberSecurity Principal Consultant, Microsoft

Keith Casey

API Problem Solver, Okta

Justin Hutchings

Director of Product Management, GitHub

Sarah Young

Security Architect, Microsoft

Shiri Ivtsan

Director of Product, WhiteSource

Matthew Coles

Senior Principal Product Security Engineer, Dell

Izar Tarandach

Principal Security Engineer, Squarespace

Chris Romeo

CEO and co-founder, Security Journey

Jeroen Willemsen

Principal Security Architect, Xebia

Matt Tesauro

Senior Partner, 10 Security

Dr. Phillipe de Ryck

Web Security Expert, Founder, Pragmatic Web Security

Richard Greenberg

Founder and CEO, Security Advisors LLC

Matthew Butler

Principal Engineer, Laurel Lye

Matias Madou

CTO and Co-founder, Secure Code Warrior

Alan Shimel

Moderator, MediaOps

Want to speak at Secure Coding Virtual Summit?

Submit your suggested speaking session here!

Premium Sponsor
Sponsors

Sign up now!

Sign up now!