Keynotes
Adam is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the 'Elevation of Privilege' game. Adam is the author of Threat Modeling - Designing for Security, and the co-author of The New School of Information Security.
Talk: 25 Years in AppSec - Looking Back, Looking Forward
Abstract: 25 years ago, Adam was working at a bank doing source code security reviews, and got permission to release their internal security guidelines. 15 years ago he joined the Microsoft SDL team ... hear some highlights and some lowlights from the journey, and more importantly, what can we expect over the next 25 years? Where is appsec going? What new frontiers will we get to secure? What problems will still be with us?
Chloé Messdaghi is an award-winning changemaker who is innovating the tech and information security sectors to meet today's and future demands by providing solutions that empower organizations, products, and people to stand out from the crowd. She is an international keynote speaker at major information security and tech conferences and events, and serves as a trusted source to reporters and editors at outlets such as Forbes and Business Insider. Additionally, she is one of Business Insider's 50 Power Players. Outside of her work, she is the co-founder of Hacking is NOT a Crime and We Open Tech.
Talk: We Deserve Rights
Abstract: Hackers have been mislabeled and treated as criminals due to socially constructed beliefs that have been pushed out by the public. As a result, we face prosecution when doing our job and trying to keep the world safe from attackers. Current legislation has destroyed the lives of many hackers who did not exploit what they found and stayed within scope. Consequently, 1 out of 4 hackers don't submit vulnerabilities due to the ongoing fear of prosecution. This talk dives into the socially constructed beliefs that the world holds towards hackers and how increasing public awareness is needed to change that mindset and update out-of-date legislation.
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Nucleus Security, BitDiscovery, Secure Circle, KSOC and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of 'Iron-Clad Java: Building Secure Web Applications' from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. For more information, see https://www.linkedin.com/in/jmanico.
Talk: Request Forgery on the Web - SSRF, CSRF and Clickjacking
Abstract: This technical talk on various forms of request forgery is for the software developer who needs to build secure web applications. Cross-Site Request Forgery, or CSRF, allows an attacker to trick a user into submitting a transaction they never intended to. This attack type requires very specialized defenses. We will discuss various historical CSRF attacks and investigate a wide range of defensive strategies such as nonce tokens, SameSite cookies, and the double-submit cookie pattern. Server-Side Request Forgery, or SSRF, is a direct attack category meant to trick your servers into making additional requests they never intended to. Clickjacking is a way to trick users into taking action and entering data into one site while another site is collecting those events. We will be helping developers stop forgery on the web in this talk!
Anastasiia is Head of Customer Solutions and a security software engineer at Cossack Labs. She builds security tools for protecting data during its whole lifecycle (encrypt everything!). She shares a lot about "boring cryptography", end-to-end encryption, data security, zero knowledge / zero trust systems, and software security architecture. Anastasiia maintains the open-source cryptographic library Themis, conducts secure software development training, often speaks at international conferences, co-organizes cyber-security events and leads the security chapter at WomenWhoCode Kyiv.
Talk: Data is a new security boundary
Abstract: We will discuss how companies use cryptography as the ultimate security control for data. When data is properly encrypted, it can't be suddenly and unnoticeably decrypted. End-to-end encryption flow for a NoCode platform? Sure. DRM-like protection with application-level encryption using an HPKE-like approach for protecting ML models? Yes. End-to-end encrypted message exchange for a CRDT-based real-time syncing app? Yep. But cryptography requires a set of supporting security controls: API protection, an anti-fraud scoring system, mobile device attestation, root/jailbreak detection, authN/authZ, audit logging, and so on. Let's talk about how 'strong cryptography' becomes a 'real-world security boundary around sensitive data' and what it takes in different contexts.