• OWASP LA Monthly Dinner Meeting - June 26, 2019

    Signal Sciences

    Topic: The Snake Oil Cycle
    Speaker: Dave Cole
    Biography: As a longtime product leader, Dave has had a hand in a dizzying variety of challenges, ranging from building an enterprise product from scratch to acquisition (Foundstone) to transforming a consumer product line (Norton). Dave was the driving force that took CrowdStrike's nascent product line with a handful of small customers and established it as a disruptive force in the industry, which has fueled the company's explosive growth. He was also Chief Product Officer of Tenable, where he steered the team through an aggressive growth phase, culminating in a successful initial public offering in the summer of 2018. Currently, Dave is focused on starting a new company, Open Raven, with co-founder Mark Curphey, and on running the Security Voices podcast alongside B-Sides conference icon Jack Daniel. Dave is a security industry veteran of 20+ years, starting long before anyone started calling it "cyber". He began as a consultant for Deloitte & Touche and then Internet Security Systems, conducting security assessments, deploying products and responding to incidents. Dave is a frequent spokesperson, making appearances on NBC, CNN and elsewhere, and speaking at industry events such as RSA, Black Hat and, most recently, B-Sides Las Vegas. He has been a contributing author to a number of information security publications and books, including Crimeware: Understanding New Attacks and Defenses. Dave is an investor focused on helping to grow businesses in his hometown of Los Angeles, where he lives with his wife and son. This summer he continues his relentless pursuit of growing the finest tomatoes on the Westside. Dave holds a Bachelor of Business Administration from the University of Michigan, Ann Arbor.
    Contact Info:
    Email: [masked]
    LinkedIn: https://www.linkedin.com/in/davecolela/
    Twitter: https://twitter.com/mediafishy
    Abstract: The security industry can feel like a trip through a night market full of dubious characters offering even more questionable products. The easy answer is to blame the shadowy characters confronting you along the way. The better answer is more elusive, exploring the dynamics of all parties involved, from customers to investors to the people making and marketing the products themselves. Using stories to illustrate the many characters involved, we'll paint a full picture of the security market and propose ways in which we can make it less of a walk down a dark alley and more like a stroll through the Sunday farmers' market.
    Thanks to our Sponsors:
    ** Data Impressions ** www.dataimpressions.com
    ** AsterionDB ** www.asteriondb.com

  • OWASP LA Monthly Dinner Meeting - July 24, 2019

    Signal Sciences

    Topic 1: Want to make $3000 a month working from home? Disrupting a money mule network.
    Speaker: Liam O'Murchu
    Biography: Liam O'Murchu is a director with the Security Technology and Response group at Symantec. Over the past 15 years O'Murchu has investigated and responded to the most sophisticated cyber attacks to ever emerge, from professional cyber-criminals targeting financial institutions to government-backed threats targeting critical infrastructure. His analysis of Stuxnet uncovered its true objective: to disrupt uranium enrichment in Iran. The analysis detailed how sophisticated attacks on critical infrastructure are carried out in the modern era. It is featured in the book "Countdown to Zero Day" by Kim Zetter and in the "Zero Days" feature documentary by Academy Award winner Alex Gibney, which was shortlisted for best documentary at the Academy Awards in 2017. A frequent speaker on TV, radio and in the printed press, O'Murchu has continued to analyze threats ranging from election hacking to financial heists to espionage, and to present that research to the public. Most recently O'Murchu testified at the trial of a group of malware authors he had tracked for 12 years, where the authors were found guilty of 21 counts of computer abuse and financial fraud charges. He continues to work closely with law enforcement to identify and apprehend malware authors. In 2012 O'Murchu was awarded the ISSA's President's Award, honoring exceptional contributions to the security community.
    Abstract: We've all seen the ads for work-from-home schemes, often accompanied by a picture of a cheque for thousands of dollars and a testimonial from a happy employee who worked only a few hours a week to earn the money. These legitimate-looking ads are often fronts for money laundering services. Working with the FBI, Symantec recently disrupted a botnet that made extensive use of such work-from-home schemes. This talk looks in detail at one specific instance of such a scheme, where we gained visibility into every detail of the operation: from recruitment, to conversations with the "employees", and ultimately to the criminals behind it. Vast technical and social skills are needed to operate such a scheme successfully while evading law enforcement. This talk shows the dangers of such schemes and how cooperation and information sharing among security researchers brought down one such operation.
    ===========================================================
    Topic 2: Common API security pitfalls
    Speaker: Philippe De Ryck
    Biography: Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and of security in Angular applications.
    Abstract: The shift towards an API landscape indicates a significant evolution in the way we build applications. The rise of JavaScript and mobile applications has sparked an explosion of easily accessible REST APIs. But how do you protect access to your API? Which security aspects are no longer relevant? Which security features are an absolute must-have, and which additional security measures do you need to take into account? These are hard questions, as evidenced by the deployment of numerous insecure APIs. Attend this session to find out about common API security pitfalls that often result in compromised user accounts and unauthorized access to your data. We expose the problem that lies at the root of each of these pitfalls and offer actionable advice to address these security problems. After this session, you will know how to assess the security of your APIs, and the best practices to improve them for the future.