OWASP Meetup - SF September 2019

Security time, courtesy of our host Lyft! We will have three exciting talks, lots of people to meet, and great food.

• 5:30 - Doors open
• 6:00-6:15 - Intro/welcome
• 6:15-6:45 - Application Layer Cryptography (Jon McLachlan)
• 6:50-7:20 - DNS man-on-the-side (MOTS) for fun and profit (Mark Adams)
• 7:25-7:55 - Mobile AppSec 101 (Tony Ramirez)

Talk 1: Application Layer Cryptography

What’s the point of application layer cryptography? What does encrypting sensitive data actually buy us, in terms of threat modeling? Why bother with encrypting data, if we need to decrypt it to realize the data’s value? If we don’t trust the software that’s handling the data, why trust the software to handle the keys? Is there a business case to actually encrypt more (or less) data? If we have to encrypt data, how are we actually supposed to do that, in practice? What algorithms should we use to encrypt? Where do these keys come from? Oh no, I have to expire the old keys and start using new encryption keys to provide forward secrecy, over time? !@#$ How do I do that without losing backward compatibility with software I’ve already shipped to customers that uses the old encryption scheme? Should I lock into Google KMS or AWS KMS, buy a $50k HSM from Thales and integrate with PKCS#11, or just build my own system? Wait. What's peacemakr.io?

If you’ve ever wondered about these questions, you’re not alone. We’ll explore where business requirements come from, how product security engineering teams typically respond to these requirements, and discuss the future of application layer cryptography.
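The key-rotation question in the abstract (retiring old keys without breaking data already written by shipped software) is usually answered by versioning: every ciphertext carries the ID of the key that produced it, the newest key is the only one that encrypts, and older keys stay in the keyring for decryption until their data has been re-encrypted. The following Go program is an added illustration of that pattern, not code from the talk or from Peacemakr; the `Keyring` type, its key-ID header layout and the AES-GCM choice are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring keeps every key the application has issued, indexed by a 32-bit
// key ID. Only the newest key encrypts; older keys remain available for
// decryption so data written by already-shipped software still opens after
// a rotation. (Hypothetical type for this example.)
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// Rotate generates a fresh 256-bit AES key, gives it the next key ID and
// makes it the encryption key. Older keys are kept for decryption only.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire destroys an old key. Anything still sealed under it becomes
// unreadable, so re-encrypt long-lived records under the current key first.
func (k *Keyring) Retire(id uint32) { delete(k.keys, id) }

// Seal returns: 4-byte key ID || 12-byte nonce || AES-GCM ciphertext+tag.
// The key ID is fed into the AEAD as additional data, so re-pointing a
// ciphertext at a different key fails authentication.
func (k *Keyring) Seal(plaintext, aad []byte) ([]byte, error) {
	key, ok := k.keys[k.current]
	if !ok {
		return nil, errors.New("keyring is empty; call Rotate first")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, k.current)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(header)+len(nonce)+len(plaintext)+aead.Overhead())
	out = append(out, header...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, bindAAD(header, aad)), nil
}

// Open reads the key ID from the header, looks up that key (whatever its
// age) and verifies the tag before returning the plaintext.
func (k *Keyring) Open(blob, aad []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	id := KeyID(blob)
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("key ID %d unknown or retired", id)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], bindAAD(blob[:4], aad))
}

// KeyID extracts the key ID from a sealed blob (caller checks the length).
func KeyID(blob []byte) uint32 { return binary.BigEndian.Uint32(blob[:4]) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bindAAD prepends the key-ID header to the caller's additional data.
func bindAAD(header, aad []byte) []byte {
	b := make([]byte, 0, len(header)+len(aad))
	b = append(b, header...)
	return append(b, aad...)
}

func main() {
	kr := NewKeyring()
	kr.Rotate()
	old, _ := kr.Seal([]byte("record written by v1 client"), []byte("customer=42"))
	kr.Rotate() // new deployments now encrypt under key 2
	pt, err := kr.Open(old, []byte("customer=42"))
	fmt.Printf("old ciphertext (key %d) still opens: %q err=%v\n", KeyID(old), pt, err)
}
```

The header is the whole backward-compatibility story: a client shipped before the rotation keeps writing key-1 blobs, a client shipped after it writes key-2 blobs, and one `Open` serves both. `Retire` is where forward secrecy is actually obtained, and it is also where data loss happens if records were never re-encrypted, which is why a rotation plan needs a re-encryption sweep before the old key is destroyed.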

Jon has 10+ years of industry experience and 4+ years in academia, in Product Security spanning everything from a 2-person bootstrapped startup to large companies. He's secured both consumer and enterprise products, across large (Apple), medium (Pure Storage), and small-sized companies. Today, he is a Product Security Engineer at Pure Storage by day, and a Founder and CEO of Peacemakr.io on nights and weekends.

Talk 2: DNS man-on-the-side (MOTS) for fun and profit

The Domain Name System binds everything on the internet together, connecting web-site names to the actual hosted site. This presentation looks at DNS security from a red-teamer’s viewpoint, with a discussion of Man-on-the-Side (MOTS) vulnerabilities, a demo of a MOTS attack using the open-source Cyberprobe software, and some lessons for managing your DNS security.
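One of the defensive lessons usually drawn from a MOTS demo is that an injector cannot stop the real resolver's answer from arriving, it can only beat it to the client; so a passive sensor that sees two responses for the same outstanding query with different answers has a strong signal. The Go program below is an added example of that detection logic and is not part of the talk or of Cyberprobe; the log line format, the `DNSResponse` and `Alert` types and the sample log are constructed for the example (addresses come from the RFC 5737 documentation ranges).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// DNSResponse is one observed response, as a passive sensor in front of the
// resolver would log it. Seq is arrival order on the wire. (Hypothetical type.)
type DNSResponse struct {
	Seq     int
	Client  string   // client IP:port the response is addressed to
	TxID    uint16   // DNS transaction ID
	QName   string   // lower-cased query name
	Answers []string // A-record values, sorted for comparison
}

// Alert records two responses that match the same outstanding query but
// disagree on the answer. An injector races the real resolver, so the
// response that arrived first (First) is the suspect; Second is most likely
// the resolver's own answer.
type Alert struct {
	Client        string
	TxID          uint16
	QName         string
	First, Second []string
}

// ParseLine parses the constructed log format used below:
//
//	seq client_ip:port 0xTXID qname answer[,answer...]
func ParseLine(line string) (DNSResponse, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return DNSResponse{}, fmt.Errorf("want 5 fields, got %d: %q", len(f), line)
	}
	seq, err := strconv.Atoi(f[0])
	if err != nil {
		return DNSResponse{}, err
	}
	txid, err := strconv.ParseUint(f[2], 0, 16)
	if err != nil {
		return DNSResponse{}, err
	}
	ans := strings.Split(f[4], ",")
	sort.Strings(ans)
	return DNSResponse{Seq: seq, Client: f[1], TxID: uint16(txid),
		QName: strings.ToLower(f[3]), Answers: ans}, nil
}

// DetectConflictingResponses keys responses by (client, txid, qname). A
// second response for the same key is harmless if it repeats the first
// answer (a retransmit); if the answers differ, one of the two did not come
// from the resolver the client asked.
func DetectConflictingResponses(rs []DNSResponse) []Alert {
	type key struct {
		client string
		txid   uint16
		qname  string
	}
	seen := map[key][]string{}
	var alerts []Alert
	for _, r := range rs {
		k := key{r.Client, r.TxID, r.QName}
		prev, ok := seen[k]
		if !ok {
			seen[k] = r.Answers
			continue
		}
		if strings.Join(prev, ",") != strings.Join(r.Answers, ",") {
			alerts = append(alerts, Alert{Client: r.Client, TxID: r.TxID,
				QName: r.QName, First: prev, Second: r.Answers})
		}
	}
	return alerts
}

// SampleLog is constructed data: a forged response racing the real one
// (seq 1 vs 2), a harmless retransmit (seq 3 vs 4), and a different client
// that happens to reuse transaction ID 0x1a2b (seq 5, no conflict).
const SampleLog = `1 10.0.0.5:53012 0x1a2b www.example.com 198.51.100.7
2 10.0.0.5:53012 0x1a2b www.example.com 192.0.2.10
3 10.0.0.5:53013 0x7c4d mail.example.com 192.0.2.25
4 10.0.0.5:53013 0x7c4d mail.example.com 192.0.2.25
5 10.0.0.6:41000 0x1a2b www.example.com 192.0.2.10`

// ParseLog parses every non-blank line of a log in the format above.
func ParseLog(log string) ([]DNSResponse, error) {
	var out []DNSResponse
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		r, err := ParseLine(sc.Text())
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, sc.Err()
}

func main() {
	rs, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectConflictingResponses(rs) {
		fmt.Printf("conflicting answers for %s (client %s, txid 0x%04x): first %v, then %v\n",
			a.QName, a.Client, a.TxID, a.First, a.Second)
	}
}
```

Keying on the client socket as well as the transaction ID keeps two unrelated clients that happen to pick the same ID from producing a false alert, and comparing only the answer set means ordinary retransmits stay quiet. The heuristic only works on a vantage point that sees both responses; a sensor placed after the client's kernel has already consumed the first answer will not see the race at all.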

Mark Adams is a principal engineer on Lyft's Security team. He has 25 years of security experience with a focus on detection: deep packet inspection, cloud-scale and big data analytics for real-time incident detection.

Talk 3: Mobile AppSec 101

A storm of mobile app security and privacy issues continues to intensify, while the skills gap worsens. Security professionals have discovered that web app security practices don’t cut it for mobile. Because the tools and methodologies differ, it’s time for practitioners to learn some new skills, leveraging the OWASP Mobile Project resources and patterns found testing thousands of mobile apps. In this talk, you’ll learn how to crawl, walk, then run in mobile app security testing, with the end goal of having all the tools and knowledge necessary to become a mobile appsec expert. Ultimately, all mobile appsec experts have to start somewhere. If you start off on the right foot, there’s no telling what vulnerabilities you may uncover and how your career can grow.

As a mobile security analyst at NowSecure, Tony Ramirez leads trainings with customers and performs mobile app penetration testing of iOS and Android apps as part of the NowSecure Services team. Tony holds a master’s degree in cyber forensics and security from the Illinois Institute of Technology. Tony regularly attends the Chicago OWASP chapter meetups and speaks at OWASP and other security events across the country. While terrible at writing bios for himself, Tony is an avid food experimenter and office prankster.