OWASP meetup at Twitter
Hosted by The OWASP Seattle Chapter
Details
On the evening of June 13th, OWASP is being hosted at Twitter's offices in downtown Seattle.
---
The Secret Service - Bill Dimmick (https://www.linkedin.com/in/dimmick/)
Cryptography is fundamental to good security practices and handling cryptographic keys well is fundamental to securing cryptographic systems; in this talk, we're going to cover how Twitter manages cryptographic keys to scale with both the infrastructure and the business.
Bill Dimmick is a Staff Software Engineer and part of Twitter's Platform Security team, focusing on his passions of cryptography, key management, and PKI. He also previously designed the Odin key management system at Amazon and has worked in the security field for the past dozen years, where he delights in building solutions which work at scale and are understandable and usable for engineers of all skillsets.
---
The Threat of Underdeveloped APIs - Michael Eddington (https://www.linkedin.com/in/michaeleddington/)
OWASP Top-10 2017 will include Underprotected APIs (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) as one of the top 10 threats faced by developers and organizations. As the interconnected web continues to flourish, more and more microservices will have their associated web APIs exposed to the perils of exploitation at the hands of competent threat agents. And even as these threats increase, the pressure on DevOps teams to hold the security line grows too.
Current security solutions like Web Application Vulnerability Scanners were never developed to address API risks. This talk will dive into the security implications of APIs, examine the challenges in protecting them, and discuss techniques to do so.
Michael is a founder of Deja vu Security and its former CTO. Currently, he is the Chief Architect for Peach Fuzzer. He is an authority in embedded system security, cloud security and application security. Michael's research is currently heavily focused on security fuzzing. He is a pioneer in the field, having developed the industry leading open source fuzzing platform Peach. Peach is used by several industry-leading technology companies as a fuzzing platform. Michael has worked for some of the leading security companies and was instrumental in establishing the Security Services Center for Hewlett-Packard's services division. Michael has also participated in a number of open-source security development projects ranging from threat modeling (such as the Trike threat modeling conceptual framework) to fuzzing (e.g. The Peach Fuzzer Framework). Michael is currently a member of Deja vu Security's board and its non-executive chairman.
---
Exploitation and Security of SaaS Applications - Waqas Nazir (https://www.linkedin.com/in/waqasnazir/)
Today SaaS applications have found their way into the heart of most modern enterprises. Companies that rely on SaaS applications typically don’t focus on their security due to the assumption that the platform provider has already deployed proper security controls. In this talk, I will present some attack vectors and exploitation techniques which are especially applicable to SaaS platforms which allow customizations such as Salesforce's Force.com (http://force.com/). Moreover, I will discuss the need to utilize smart assessment methodologies when assessing the security posture of SaaS applications, as conventional methods sometimes don’t apply to SaaS providers.
Waqas Nazir is the Founder of DigitSec (https://www.digitsec.com/). Waqas has worked as an Information Security Consultant for many Fortune 100 companies where he has delivered services in various arenas of information security. These include code reviews, black box assessments, product reviews, custom tools development for complex security problems, policy and process development. He has also worked with Microsoft Research (MSR) to develop a static code analysis tool used for identifying areas of vulnerabilities in code. He has also been featured in Microsoft’s Information Security Newsletter. He is also credited with the discovery and disclosure of vulnerabilities in many products.
---
Instructions for Arrival: Guests arrive at 1501 4th Ave Seattle WA, 98101 and head through the 4th Ave entrance. A guard will be available there to direct guests up the escalators to a 3rd floor checking booth. After checking in, a guard will badge guests up to the 19th floor where the event will be held.




