OWASP Monthly Meeting - February 24, 2016


Details
We have two great talks this month:
Talk 1 - Security for Startups Panel
This session will explore the challenges of information security for startups with representation from Riot Games (Christopher Hymes), eHarmony (Cliff Maraschino) and The Honest Company (Mikhael Felker), moderated by Curt Jeppson (United Online). If you have questions you would like to ask the panel, post them in the comments of the meetup page.
Jared Ablon
Chief Information Security Officer at AirMap
As Chief Information Security Officer, Jared Ablon is responsible for securing what has become the leading network for real-time information exchange related to unmanned aircraft systems (UAS). As CISO, his purview also includes the development of future-thinking protocols for authenticating UAS and their operators, filing of secure flight plan trajectories, and detecting and defending against intrusions from bad actors. Prior to joining AirMap, Ablon worked at MITRE Corporation, where he led efforts to ensure security of next generation GPS navigation systems and other communications technologies for multiple U.S. Air Force programs. He began his career at the U.S. Department of Defense where he led large teams of security experts and tackled seemingly intractable problems by developing cutting-edge cryptanalysis, network exploitation, and vulnerability analysis security technologies. Ablon holds a B.A. in Applied Mathematics from the University of California at Berkeley, an M.S. in Applied and Computational Mathematics from Johns Hopkins University, and an M.B.A. from the University of Maryland.
Christopher Hymes
Director of Information Security, Riot Games
Chris is currently Director of Security at Riot Games, developer of League of Legends with over 67 million monthly players across the globe. At Riot, Chris is responsible for helping drive security throughout the company and helping make Riot the most player-focused game company in the world. Prior to Riot, Chris was Director and Head of Information Security at Hulu, where he was responsible for implementing and scaling the Hulu Information Security program. He began his career in the consulting and financial services world, doing everything from penetration testing to security architecture to attack detection.
Cliff Maraschino
Information Security Manager, eHarmony, Inc.
Cliff Maraschino is the Manager of Security and Compliance for eHarmony, Inc., an extremely popular online dating site with over 44 million registered users. He is also an advisor to an insurance company focused on the unique needs of a connected generation. Prior to starting at eHarmony, he worked for a CDN that was acquired by Verizon. Under his leadership, his security operations teams have grown from the ground floor up, and he has created repeatable processes to ensure secure and predictable results. He received an MS/MBA from Cal Poly Pomona, emphasizing information security audit, has published guidelines for government agencies, and regularly provides consulting and advice for other security professionals seeking to enhance their careers. He is a member of ISACA and (ISC)².
Mikhael Felker
Director, Information Security, The Honest Company
Mikhael's sector experience includes Defense, Healthcare, Non-Profit/Education and Technology/Internet, where he has seen firsthand the variance in information security culture and program maturity. Mikhael received his MS in Information Security Policy and Management from Carnegie Mellon University and a BS in Computer Science from UCLA. His written work of 50+ publications has been featured in Forbes, ACM, IEEE Security & Privacy, ISACA Journal, ISSA Journal, case studies, and a number of online magazines.
Curt Jeppson
Vice President of Information Security, United Online
Curt Jeppson has been working in Information Security for 12 years in roles of increasing responsibility within the financial, marketing, e-commerce, education and technology industries. His technical certifications include the CISSP, PMP and PCI ISA. Mr. Jeppson has a Bachelor's degree in Information Technology and a Master's degree in Information Security and Management. He currently works as the Vice President of Information Security at United Online and sometimes freelances as a penetration tester when he gets the itch to hack something. Prior to his IT career he was an Infantry Sergeant in the United States Marine Corps.
Talk 2 - Why traditional perimeter security approaches leave your APIs exposed to threats?
More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the attack surface available to attackers. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding of API security and how it differs from traditional web application security or mobile application security.
In this session, we will walk you through the various ways an API could potentially be exploited. We will discuss the best practices necessary to secure your data and enterprise applications while continuing to support your business's digital initiatives.
You will learn:
• Vulnerabilities that can expose APIs to be exploited.
• Best practices to mitigate threats against APIs.
• How to separate security definition from functional implementations of the APIs.
• How to instill a culture of collaboration across your API lifecycle, including design, development and production.
Speaker: Sachin Agarwal, VP Product Marketing, Okana
