OWASP Meetup - SF July 2018

Bay Area OWASP
Bay Area OWASP
Public group
Location image of event venue


Please join us for an awesome night of security, courtesy of our host: Segment. There will be three amazing talks, food/drinks, and security!

• 6:30 - Doors open

• 7:00-7:30 - Analyzing Pwned Passwords with Apache Spark (Kelley Robinson)

• 7:35-8:05 - Efforts in Scaling Application Security Programs (Eric Fay)

• 8:10-8:40 - Usable Security Tooling - Creating Accessible Security Testing with ZAP (David Scrobonia)

• 8:40-9:00 - Networking

Talk 1: Analyzing Pwned Passwords with Apache Spark (Kelley Robinson)

Apache Spark aims to solve the problem of working with large scale distributed data—and with access to over 500 million leaked passwords we have a lot of data to dig through.

Advancements in the API make running Spark with Scala, Python, or even SQL smoother and faster than ever. This talk will introduce you to Spark and the new way to run queries on structured, distributed data by looking at breached credentials. We'll walk through how to get started with Spark and discuss the tradeoffs for using different abstractions provided by the framework. With the help of live code, we'll find patterns in the password data and look at how you can encourage your users to be more secure. You will see how easy and fast it is to both explore and process data using Spark SQL and leave with the tools to get started with your own distributed data...and a password manager.


Kelley works on the Account Security team at Twilio, helping developers manage customer identity for communications applications. Previously she worked in a variety of API platform and data engineering roles at startups in San Francisco. She believes in making technical concepts, especially security, accessible and approachable for new audiences.

Talk 2: Efforts in Scaling Application Security Programs (Eric Fay)

With organizational success comes the exciting period of ever-increasing scale and scope. This talk will cover some of the past and current efforts that Eric personally took on while creating and scaling the application security program at Hulu. A retrospective look will be taken at the focus points, tradeoffs and decisions made by the application security team while keeping up with the growth and continued success of Hulu.


Eric is an information security leader currently specializing in application security. He leads the application security program at Hulu as the manager of application security in Santa Monica. Throughout his career his responsibilities have covered protecting the applications, infrastructure and web presences of the major brands Dow Jones, Wall Street Journal, MarketWatch and, presently, Hulu. Outside the security world you can find Eric traveling with his wife, jogging around Santa Monica, or trying to improve his gaming skills.

Talk 3: Usable Security Tooling - Creating Accessible Security Testing with ZAP (David Scrobonia)

Intoducing security testing tools to a QA or developers workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time.

This talks focuses on a new development for the OWASP ZAP project and how it can enable developers and security professionals alike to get the most out of the attack proxy. By coupling ZAP closer to the browser and presenting a new UI we can enable new ways to interact with and extend ZAP that will make using it more intuitive to use. The talk will cover the motivation behind the project, the browser technologies that power it, and how you can start using it.

David Scrobonia is a part of the AppSec team at Segment working to secure modern web apps and AWS infrastructure. He has contributed to the OWASP AppSensor project and has more recently contributing to the OWASP ZAP project as a member of the ZAP Core Team.