• OWASP LA Monthly Dinner Meeting - June 26, 2019

    Signal Sciences

    Topic: The Snake Oil Cycle
    Speaker: Dave Cole
    Biography: As a longtime product leader, Dave has tried his hand at a dizzying variety of challenges, from building an enterprise product from scratch through to acquisition (Foundstone) to transforming a consumer product line (Norton). Dave was the driving force that took CrowdStrike's nascent product line, with a handful of small customers, and established it as a disruptive force in the industry, fueling the company's explosive growth. He was also Chief Product Officer of Tenable, where he steered the team through an aggressive growth phase culminating in a successful initial public offering in the summer of 2018. Currently, Dave is focused on starting a new company, Open Raven, with co-founder Mark Curphey, and on running the Security Voices podcast alongside B-Sides conference icon Jack Daniel. He is a security industry veteran of 20+ years, starting long before anyone called it "cyber". He began as a consultant for Deloitte & Touche and then Internet Security Systems, conducting security assessments, deploying products and responding to incidents. Dave is a frequent spokesperson, making appearances on NBC, CNN and elsewhere and speaking at industry events such as RSA, Black Hat and, most recently, B-Sides Las Vegas. He has been a contributing author to a number of information security publications and books, including Crimeware: Understanding New Attacks and Defenses. Dave is an investor focused on helping to grow businesses in his hometown of Los Angeles, where he lives with his wife and son. This summer he continues his relentless pursuit of growing the finest tomatoes on the Westside. Dave holds a Bachelor of Business Administration from the University of Michigan, Ann Arbor.
    Email: [masked]
    LinkedIn: https://www.linkedin.com/in/davecolela/
    Twitter: https://twitter.com/mediafishy
    Abstract: The security industry can feel like a trip through a night market full of dubious characters offering even more questionable products. The easy answer is to blame the shadowy characters confronting you along the way. The better answer is more elusive, and means exploring the dynamics of all the parties involved, from customers to investors to the people making and marketing the products themselves. Using stories to illustrate the many characters involved, we'll paint a full picture of the security market and propose ways to make it less of a walk down a dark alley and more like a cruise through the Sunday farmers' market.
    Thanks to our Sponsors:
    ** Data Impressions ** www.dataimpressions.com
    Providing technology solutions to government, education and corporations since 1979.
    ** AsterionDB ** www.asteriondb.com
    The AsterionDB SecureObject Vault is a platform that brings full unstructured data integration to the Oracle Database. Now there's no reason to store unstructured data anywhere other than the Oracle Database: you already keep the structured metadata describing that unstructured data in the database, so why not store the two data types together?

  • OWASP LA Monthly Dinner Meeting - May 22, 2019

    Signal Sciences

    Topic: SQRL
    Speaker: Steve Gibson, Gibson Research Corporation (www.grc.com)
    Biography: Steve Gibson is an American software engineer, security researcher, and IT security proponent. In the early 1980s, Gibson worked on light pen technology for use with Apple and Atari systems. In 1985, he founded Gibson Research Corporation, best known for its SpinRite software.
    SQRL: SQRL (pronounced "squirrel"), or Secure, Quick, Reliable Login (formerly Secure QR Login), is a draft open standard for secure website login and authentication. The client is invoked through a link of the scheme sqrl:// or, optionally, a QR code, and the user identifies by signing the site's challenge with a key derived for that site alone (a pseudonymous proof of possession) rather than by providing a user ID and password. Because the site stores only the user's per-site public key, there is no password to brute-force and nothing reusable to lose in a data breach. This shifts the burden of security away from the party requesting the authentication and toward what the client's operating system and hardware can provide, and toward the user. SQRL was proposed by Steve Gibson of Gibson Research Corporation in October 2013 as a way to simplify authentication without revealing information about the transaction to a third party.
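    The per-site identity described above, as an added example in Go that is not GRC's code or the SQRL reference implementation: it follows SQRL's published key derivation (HMAC-SHA256 of the identity master key over the site's domain, used as the Ed25519 seed) and models the challenge/response with a single-use nonce. The message format, the Server type, the function names and the master key value are this example's own simplifications; SQRL's identity-unlock key, rescue code and actual wire encoding are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SiteKey derives the per-site Ed25519 key pair from the user's master key
// and the site's domain, as SQRL does: HMAC-SHA256(master, domain) is the
// 32-byte Ed25519 seed. Different domains yield unlinkable public keys.
func SiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// challengeMessage binds the signed bytes to the site and the nonce (SQRL's
// "nut"). The format is this example's assumption, not SQRL's wire format.
func challengeMessage(domain, nut string) []byte {
	return []byte(domain + "|" + nut)
}

// SignChallenge is the client side: derive the key for the domain it is
// actually talking to and sign the nonce. A phishing domain therefore receives
// a signature under a different key, useless at the real site.
func SignChallenge(master []byte, domain, nut string) (ed25519.PublicKey, []byte) {
	pub, priv := SiteKey(master, domain)
	return pub, ed25519.Sign(priv, challengeMessage(domain, nut))
}

// Server holds outstanding nonces and the public keys it has seen. It never
// stores a password or anything derived from the master key.
type Server struct {
	Domain string
	nuts   map[string]bool
	users  map[string]bool
}

func NewServer(domain string) *Server {
	return &Server{Domain: domain, nuts: map[string]bool{}, users: map[string]bool{}}
}

// Challenge issues a fresh, single-use, unpredictable nonce.
func (s *Server) Challenge() string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	nut := hex.EncodeToString(buf)
	s.nuts[nut] = true
	return nut
}

// Authenticate checks that the nonce is outstanding (anti-replay), consumes it,
// and verifies the signature under the presented per-site public key. The
// public key itself is the pseudonymous user identifier.
func (s *Server) Authenticate(pub ed25519.PublicKey, nut string, sig []byte) bool {
	if !s.nuts[nut] {
		return false // unknown or already-used nonce
	}
	delete(s.nuts, nut)
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, challengeMessage(s.Domain, nut), sig) {
		return false
	}
	s.users[hex.EncodeToString(pub)] = true // first visit registers, later visits recognise
	return true
}

// Known reports whether this public key has authenticated here before.
func (s *Server) Known(pub ed25519.PublicKey) bool {
	return s.users[hex.EncodeToString(pub)]
}

func main() {
	master := []byte("constructed 32-byte master key!!") // constructed demo key, not a real identity
	for _, d := range []string{"example.com", "example.org"} {
		pub, _ := SiteKey(master, d)
		fmt.Printf("%-12s identity: %s\n", d, hex.EncodeToString(pub))
	}
	srv := NewServer("example.com")
	nut := srv.Challenge()
	pub, sig := SignChallenge(master, srv.Domain, nut)
	fmt.Println("login ok:", srv.Authenticate(pub, nut, sig))
	fmt.Println("replay ok:", srv.Authenticate(pub, nut, sig))
}
```

    Run it and the two printed identities share nothing visible, even though one master key produced both; that is the pseudonymity property. The server-side check also shows why a breach of the site's user table yields only public keys, and why a captured response cannot be replayed once its nonce has been consumed.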

  • OWASP LA Monthly Dinner Meeting - April 24, 2019

    Signal Sciences

    Topic: Why I Don't Trust NIST P-256
    Speaker: Oleg Gryb, Chief Architect, Security Engineering, Finance Industry
    Bio: Oleg Gryb is currently Chief Architect at a major financial institution working in the Cybersecurity and Data Protection domains. He previously worked as a Sr. Manager and de-facto CISO for Samsung's Artik Cloud platform (www.artik.cloud), handling all aspects of its security and HIPAA compliance program. Before that he was Security Architect at Intuit, where he created architecture for mission-critical financial and business applications. Gryb participates actively in creating open source software in the security, identity management and other domains. He is passionate about embedding security into all SDLC stages, threat modeling, enforcing security in the web service fabric, security tools, and cloud, IoT and mobile security. He is also interested in building data protection solutions based on security appliances such as Secure Elements for devices, nCipher, DataPower, Ingrian, Safenet, etc.
    Presentation plan:
    1. ECC (fields, groups, parameters, etc.) and its importance, especially in the IoT world
    2. The DUAL_EC screwup: it went all the way to NIST and stayed there until 2013 (until the Snowden revelations) in spite of the warning from Shumow, Ferguson and Schneier published in [masked]
    3. More screwups: RSA adopted DUAL_EC as the default in its licensed and pricey BSafe product
    4. The NIST ECC curves, of which P-256 is probably the most popular and is the default in OpenSSL
    5. Nothing-up-my-sleeve (NUMS) numbers and the "verifiably random" criterion; the latter is not met by NIST P-256
    6. The Brainpool curves, used by the German government in its e-passport project
    7. Daniel J. Bernstein's newer curves (Curve25519 and relatives) and their level of standardization
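    The "verifiably random" check from item 5, as an added example in Go that is not the speaker's code: it re-runs the ANSI X9.62 / FIPS 186 SEED-to-r expansion on the published P-256 SEED and confirms r * b^2 = a^3 (mod p). The check passes, and that is the point: in the narrow FIPS sense "verifiably random" only means b follows from the 160-bit SEED c49d36...; it says nothing about how that SEED was chosen, which is exactly the NUMS objection the talk raises. Function and variable names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
)

// P256Params returns the published P-256 SEED, prime p and coefficient b
// (FIPS 186-4, D.1.2.3). The coefficient a is p-3 for every NIST prime curve.
func P256Params() (seed []byte, p, b *big.Int) {
	seed, _ = hex.DecodeString("c49d360886e704936a6678e1139d26b7819f7e90")
	p, _ = new(big.Int).SetString("ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", 16)
	b, _ = new(big.Int).SetString("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)
	return
}

// seedToR implements the X9.62 / FIPS 186 expansion of SEED into the integer r
// that fixes the curve's j-invariant:
//   t = bitlen(p), s = floor((t-1)/160), v = t - 160*s
//   W0 = the v rightmost bits of SHA-1(SEED) with the leftmost bit cleared
//   Wi = SHA-1((SEED + i) mod 2^g) for i = 1..s, g = bit length of SEED
//   r  = W0 || W1 || ... || Ws
func seedToR(seed []byte, p *big.Int) *big.Int {
	t := p.BitLen()
	s := (t - 1) / 160
	v := t - 160*s
	h := sha1.Sum(seed)
	r := new(big.Int).SetBytes(h[:])
	mask := new(big.Int).Lsh(big.NewInt(1), uint(v-1)) // keep v-1 low bits: v bits, top bit zero
	mask.Sub(mask, big.NewInt(1))
	r.And(r, mask)
	z := new(big.Int).SetBytes(seed)
	mod := new(big.Int).Lsh(big.NewInt(1), uint(8*len(seed)))
	for i := 1; i <= s; i++ {
		zi := new(big.Int).Add(z, big.NewInt(int64(i)))
		zi.Mod(zi, mod)
		buf := make([]byte, len(seed))
		zi.FillBytes(buf)
		hi := sha1.Sum(buf)
		r.Lsh(r, 160)
		r.Or(r, new(big.Int).SetBytes(hi[:]))
	}
	return r
}

// VerifiablyRandomCurve checks r * b^2 == a^3 (mod p) with a = p - 3, i.e. that
// b was derived from SEED. It proves nothing about how SEED itself was chosen.
func VerifiablyRandomCurve(seed []byte, p, b *big.Int) bool {
	r := seedToR(seed, p)
	lhs := new(big.Int).Mul(b, b)
	lhs.Mul(lhs, r).Mod(lhs, p)
	a := new(big.Int).Sub(p, big.NewInt(3))
	rhs := new(big.Int).Exp(a, big.NewInt(3), p)
	return lhs.Cmp(rhs) == 0
}

func main() {
	seed, p, b := P256Params()
	fmt.Println("P-256 b follows from published SEED:", VerifiablyRandomCurve(seed, p, b))
	bad := append([]byte(nil), seed...)
	bad[len(bad)-1] ^= 1 // any other SEED gives a different r and the check fails
	fmt.Println("tampered SEED:", VerifiablyRandomCurve(bad, p, b))
}
```

    The same routine works for the other NIST prime curves if you substitute their SEED, p and b; the Brainpool curves (item 6) instead derive their seeds from digits of pi and e so that the seed's own origin is explainable, which is the property this check cannot supply.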

  • OWASP LA Monthly Dinner Meeting - March 27, 2019

    Signal Sciences

    Topic: Metasploit 101 Class
    Speaker: Jose Hernandez, Evolve Security (evolvesecurity.io)
    Biography: Jose Hernandez is a Threat Intelligence Analyst at NTT Security, where he analyzes global information security trends to help clients understand and defend their environments. Jose has over 10 years of experience in the information security field and is passionate about it. He organizes the monthly EvolveSec LA Meetup and speaks at security conferences, sharing knowledge and helping professionals grow their skillsets. Jose also enjoys stand-up comedy and is a comedian in Los Angeles.
    Back to Basics: Metasploit
    The Metasploit Framework is an essential tool for professionals in the information security field. It supports the exploitation of security vulnerabilities during penetration testing assessments, and as an open source project it has a very active community of developers who continually expand the framework's capabilities. The presentation will cover the history of the Metasploit Framework and how security professionals use it today. I will teach you how to navigate Metasploit, and together we can explore some of the more interesting capabilities of this tool.

  • OWASP LA Monthly Dinner Meeting - February 27, 2019

    Signal Sciences

    Topic: Just Another Day on the Internet
    Speaker: Simon Conant, Principal Researcher in the Unit 42 Threat Intelligence team, will discuss the current threat landscape. Simon will highlight several campaigns and review advances in malware, tactics, and cyber threats that adversaries are using to breach modern enterprise networks.
    Biography: Simon is a Principal Researcher in Palo Alto Networks' Unit 42 threat research group. He draws upon a quarter-century of international experience in the fields of malware and infrastructure analysis, networking, and information security, including several years in the Microsoft Security Response Center. He was involved in founding Microsoft's CSS Security and Internet Crime Investigation teams, and the International Botnet Task Force. A native of New Zealand, Simon is based out of Seattle.
    Thanks to our sponsor, Palo Alto Networks: https://www.paloaltonetworks.com/

  • AppSec California 2019: Hackers, Developers, InfoSec, Talks, Training, Beach!

    Annenberg Community Beach House

    AppSec Cali 2019 is back, January 22-25, on the beach in Santa Monica, California, at the Annenberg Beach House! The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, Inland Empire, and San Francisco Bay Area chapters to bring you the world-renowned annual AppSec California. Now in its sixth year, the event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experience about secure systems and secure development methodologies. One- and two-day full training classes on various subjects by expert trainers kick off the conference on the 22nd. World-renowned speakers follow on days three and four. A great opening party spills onto the beautiful deck of the landmark Annenberg pool on the evening of day two, as conference-goers network, drink, and eat while they listen to the waves and gaze at the stars. New friendships will be born and new techniques for securing your environments and applications will be shared as you are inspired by your peers.
    You MUST register here to gain admittance: https://2019.appseccalifornia.org/#register
    The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. At OWASP you'll find free and open:
    • Application security tools and standards
    • Complete books on application security testing, secure code development, and secure code review
    • Presentations and videos
    • Cheat sheets on many common topics
    • Standard security controls and libraries
    • Local chapters worldwide
    • Cutting-edge research
    • Extensive conferences worldwide
    • Mailing lists
    Learn more at: https://www.owasp.org

  • Huge Joint Holiday Gala with ISSALA, ISACA, ACFE, ARMA, HTCIA, IIA, & ISA

    The Los Angeles Chapters of OWASP, ISSALA, ISACA, ACFE, ARMA, HTCIA, IIA, and ISA will celebrate the culmination of an event-filled 2018 together. The gathering brings together hundreds of managers and practitioners from the private sector, public sector, and academia to discuss challenges and innovative strategies in risk management, security, privacy, and trust in our rapidly changing society. Taking place at the Sheraton Grand Los Angeles in Downtown Los Angeles, the agenda features a keynote from an old friend:
    Keynote: Trust and the Economics of Insecurity
    Speaker: Malcolm Harkins, Chief Security and Trust Officer, Cylance
    Please sign up here: http://www.cvent.com/d/fbq7ps
    Looking to sponsor? There are a few sponsorships left, but hurry! https://www.eventbrite.com/e/owasp-joint-holiday-gala-dec-14-2018-with-7-other-socal-organizations-tickets-52054502418
    Abstract: Trust is the cornerstone of the digital economy. In this talk Malcolm will cover what is needed to generate trust, and where we stand, broadly, in providing it, using data from the World Economic Forum, the Edelman Trust Barometer and other sources. He will explain the economic principle of efficiency and argue that our current approach to information security is not only economically inefficient but is not adding to the trust we so badly need. He will examine the traditional mindset of trading off risk against shareholder value, and the mindset that controls necessarily slow business velocity. He will share real-world stories from outside security where the approach to controls has shown that we can do both, and do them well, along with non-security examples of organizations making trade-offs with substantial societal impacts, both positive and negative. From these stories, and from perspectives gathered around the world, he will draw lessons that will be valuable to CISOs and their teams.
    Speaker Bio: Malcolm Harkins is the Chief Security and Trust Officer at Cylance Inc. In this role he reports to the CEO and is responsible for enabling business growth through trusted infrastructure, systems and business processes. He has direct organizational responsibility for information technology, information risk and security, as well as security and privacy policy. Harkins is also responsible for peer outreach activities to drive improvement across the world in the understanding of cyber-risks and of best practices to manage and mitigate those risks. Previously Harkins was Vice President and Chief Security and Privacy Officer (CSPO) at Intel Corporation.

  • CMD+CTRL

    Signal Sciences

    Topic: Security Innovation is collaborating with OWASP LA to create an interactive meetup where individuals will have a chance to learn about and apply real application security concepts using Security Innovation's CMD+CTRL capture-the-flag platform. Want to test your skills in identifying web app vulnerabilities? Join the CMD+CTRL cyber range, an immersive environment where players exploit their way through hundreds of the vulnerabilities that lurk in business applications today. Success means learning quickly that attack and defense are all about thinking on your feet. For each vulnerability you uncover, you are awarded points. Climb the interactive leaderboard for a chance to win prizes! CMD+CTRL is ideal for development teams to train and develop skills, but anyone involved in keeping your organization's data secure can play, from developers to managers and even CISOs.
    Participants will need:
    • A laptop to connect to our CMD+CTRL website... and your evil streak! 😉
    • Burp Suite (Community edition is fine) or OWASP ZAP, downloaded and installed beforehand.
    Agenda:
    - Networking
    - Welcome and Kickoff / Intro to CMD+CTRL: How to Think Like an Attacker
    - Hack Away!
    - Learning Lab #1: SQL Injection
    - More Hacking!
    - Learning Lab #2: Cross-Site Scripting
    - Final Hacking Time!
    - Wrap-up, Q&A, and Announcement of Winners and Prizes

  • OWASP-ISSA LA Joint Monthly Dinner Meeting - October 24, 2018

    Verizon Digital Media Services

    Topic: Verizon Data Breach Investigations Report (DBIR) 2018: A Perspective from the Exterior Perimeter
    Speaker: Tin Zaw is a former president of the OWASP Los Angeles chapter and currently co-leads an OWASP project on Malicious Web Automation. At his day job, he leads a team that protects Verizon's and its customers' web properties from exterior threats such as DDoS, web application exploits and automated, malicious web traffic.
    Thanks to our host: Verizon Digital Media Services
    Thanks to our Sponsor: Tala Security https://www.talasecurity.io
    Tala Security protects next-generation web applications that execute JavaScript code on client devices and third-party servers, such as those hit in the recent breaches at British Airways, TicketMaster, Delta, and Sears, as well as several crypto-jacking attacks. Based in Fremont, California, Tala is led by security industry veterans, successful entrepreneurs and academics. Tala is funded by Silicon Valley venture capitalists, several current and former security industry CEOs and CTOs, and the National Science Foundation.

  • OWASP LA Monthly Dinner Meeting -September 26, 2018

    Expert DOJO, top level of Santa Monica Place

    Opening Talk: Rafal Los, Armor
    Topic: The Meek [Developers] Have Inherited the Earth
    Main Talk: Hunting for the next IoT - Your Vulns are not a Paradigm Shift
    Speaker: Brian Knopf, Managed Security Services Head, IoT at BlueVoyant
    Abstract (Rafal Los' talk): Developers have been the target of security professionals' ire for at least 15 years. They have been viewed as the problem when it comes to security; even otherwise rational analysts have recommended essentially giving up on working with developers. Between DevOps and cloud computing, security is running out of places to bolt security mechanisms on. So now it's time to figure out how to enable development at an increasingly rapid pace without forgetting the need for security. Step 1: recognize the core issues.
    Abstract (Brian Knopf's talk): We are often told in security that a product is groundbreaking, totally different from previous products, and a complete paradigm shift. These kinds of statements have been used to describe IoT devices, cryptocurrencies, and other new technologies. While the technologies are new, the threats facing them are not. How do you move beyond the hype to identify the real threats facing your product or environment? How can you make the best use of the limited time and resources your InfoSec or AppSec team has? Have you assessed your threat model? Let me show you how to identify risk areas that everyone can agree on once they are laid out.
    Thanks to our host: Expert DOJO is the largest fast-growth startup accelerator in Southern California and had over 400 companies go through its program in 2016, culminating in the largest Investor Demo Day in the United States (over 840 startups pitching to over 85 active investors). We not only train and connect companies but also invest in them through our accelerator fund. The reason we have such a high success rate for startups is not only our focus on business growth but also our large selection of specialists and coaches who are dedicated to helping startups succeed.
    Thanks to our Sponsors: IMPERVA www.imperva.com and ARMOR | CLOUD SECURITY, UNCOMPROMISED.™ www.armor.com
