OWASP Los Angeles

TOPIC: Make Attackers Cry Outsmart them with Deception Join us for great networking, dinner and drinks, and see a presentation by Rick HorwitzSr. Sales Engineer Fastly

ABSTRACT:
In this session, Rick Horwitz will explore how next-generation web application defense techniques use deception to disrupt account takeover attempts by returning responses that resemble invalid login credentials. Rather than outright blocking the request, this approach introduces uncertainty, making it harder for attackers to understand why their attempts are failing.

This method leverages core principles of security deception raising an attacker’s cognitive load, consuming their time, and prompting them to question the reliability of their tools or assumptions. Over time, this added friction can decrease the likelihood that they continue targeting the application.
Because these techniques typically require minimal configuration, they can offer immediate insight into attack patterns and behaviors. These signals help defenders analyze adversary tactics and strengthen overall protections, demonstrating how psychological and operational pressure can complement traditional security controls.

TOPIC:Fulfilling your LLM Deployment dreams
Join us for a virtual session featuring Aaron Ansari, Managing Partner at Answer Consulting Inc., with insights into deploying LLMs in real world environments, followed by live Q&A and community discussion.

ABSTRACT: As organizations rush to integrate Large Language Models (LLMs) into their core business processes, they face a critical dilemma: embrace the 66% productivity boost offered by generative AI or mitigate the serious risks of data exfiltration and "shadow AI". This session provides a dive into the technical foundations of a robust generative AI system, moving beyond basic chat interfaces to a comprehensive enterprise architecture.

We will explore the flegdling LLM Stack, identifying critical trust boundaries between organizational tenants and the public internet. Attendees will learn:

• The Risk Landscape: An analysis of top threats including prompt injection (OWASP LLM01), insecure output handling, and training data poisoning.
• Architectural Defenses: How to implement Retrieval-Augmented Generation (RAG) to maintain data accuracy and avoid the security pitfalls of fine-tuning on sensitive PII.
• Data Governance: Strategies for applying fine-grained access controls and role-based accounting to vector databases to ensure that AI only serves information to authorized users.
• Operational Security: A "layered onion" approach to security, from model hyperparameter tuning to outer-layer rate limiting and semantic caching.

Leave this session with a foundational framework for deploying AI that is not only innovative but also compliant, secure, and resilient.

TOPIC One Thousand and One AI Prevented CVEs: Vibe Coding a Whole New Supply Chain Defense.
Join us for a virtual session featuring by Brandon Wu is a senior program analysis engineer at Semgrep

ABSTRACT: Semgrep is on a mission to make it expensive to exploit software. As the team behind the most popular SAST, we built the Semgrep AppSec Platform to deliver industry-leading code, dependency, and secrets scanning so organizations can ship secure code quickly without slowing development. With fast, customizable analysis across large codebases, Semgrep helps teams catch vulnerabilities early and fix them faster. Companies like Snowflake, Plaid, Figma, Lyft, and Dropbox rely on Semgrep to secure their software. Semgrep is backed by top investors including Felicis, Lightspeed, Menlo, Redpoint, and Sequoia.