OWASP Meetup - Nov 2016 (2 of 2) - Sunnyvale

Important Notes:

1. There is an OWASP Chapter event in SF on Nov 15 (https://www.meetup.com/Bay-Area-OWASP/events/235021061/) and also an event in Sunnyvale on Nov 16. Please select the event most convenient to you.
2. Important - For building security you must supply your first and last name as it appears on your ID or you won't be granted access to enter.

• 6:30 Doors Open

• 6:45 - 7:30 Talk 1

Rohit Pitke, Mukul Khullar - A walkthrough on AWS Security Pitfalls

• 7:45 - 8:30 Talk 2

Scott Behrens - Cleaning Your Applications' Dirty Laundry With Scumblr

• 8:30+ Networking

• 9 Doors Close

Name

Rohit Pitke, Mukul Khullar

Bio: Rohit Pitke is a security researcher with over 9 years of experience in the application and network security fields. At LinkedIn, he works as a Senior Information Security Engineer responsible for application security and penetration testing. Prior to that, Rohit has worked at multiple technology companies such as Adobe, Salesforce and Symantec. He also presented on

Securing Cloud Deployments

at AppSec USA-2015 and lightning training talk on

Getting started with AWS Security

at AppSec EU-2016.

Bio:Mukul Khullar is a security researcher with over 8 years of experience in the application and network security fields. At LinkedIn, he works as a Staff Information Security Engineer responsible for identifying threats, vulnerabilities and design flaws that may impact Linkedin’s applications and infrastructure. Prior to that, Mukul worked as a Senior Security Analyst at Ernst & young’s Advanced Security Center, helping Fortune 500 companies with penetration testing and network security assessment efforts. Mukul holds a Master's Degree in Security Informatics from the Johns Hopkins University. He previously gave a lightning training talk on

Getting started with ModSecurity

at AppSec USA 2015 and lightning training talk on

Getting started with AWS Security

at AppSec EU-2016.

Topic:A walkthrough on AWS Security Pitfalls

Abstract: Due to increasing adoption of Amazon web services (AWS) as a cloud service provider, security is of paramount importance. In this presentation, we will step through the impact of misconfigured AWS infrastructure that typically leads to multiple security impacting scenarios. We want attendees to be acquainted with demonstrable impact around AWS misconfigurations and attack surface. We will also cover best practices towards securing AWS infrastructure focusing on a blue-team ideology.

This presentation will be particularly useful to both security professionals with a beginning to intermediate level of experience, and dev-ops looking to understand how to best secure AWS deployments hosting critical applications. If you are responsible for deploying, maintaining or securing AWS infrastructure, this session is for you.

Name

Scott Behrens

Bio: Scott Behrens is currently employed as a senior application security engineer for Netflix. Prior to Netflix Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott's expertise lies in both building and breaking for application security at scale. An avid coder and researcher, he has contributed to and released a number of open source tools for both attack and defense. Scott has presented security research at DEF CON, DerbyCon, Shmoocon, Shakacon, Security Forum Hagenberg, Security B-sides Chicago, and others.

Topic:Cleaning Your Applications' Dirty Laundry With Scumblr

Brief Abstract:Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed everyday, code is pushed every hour, and systems are spun-up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool call Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on

netflix.com (http://netflix.com/)

, risk profiles for each application in our environment, and the status of vulnerabilities across a thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding for how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tools include details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, Github, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.