Garden Terrace
Tuesday, May 14
 

8:30am PDT

Everything You Need To Know About Web, API and Mobile Secure Coding [Day 1 of 2]

Instructor: Jim Manico

Bio: 
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is an investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne Rock Stars and Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP Foundation, where he helps build application security standards and other documentation.

Description:
The major cause of web service, mobile and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application, mobile and web service developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web and mobile solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed up and standardize secure development. We will highlight production-quality, scalable controls from various languages and frameworks. This course will include secure coding information for Java, Swift, Objective-C, PHP, Python, JavaScript and .NET programmers, but any software developer building web applications and web services will benefit.

Student Requirements:
Familiarity with the technical details of building web applications, mobile and web services from a software engineering point of view.

Laptop Requirements:
Any laptop that can run an updated web browser and "Burp Community Edition".

Day 1 of the course will focus on web application basics.

- Introduction to Application Security
- HTTP Security Basics
- CORS and HTML5 Considerations
- XSS Defense
- Content Security Policy
- Intro to Angular.JS Security
- Intro to React.JS Security
- SQL and other Injection
- Cross Site Request Forgery
- File Upload and File IO Security
- Deserialization Security
- Input Validation Basics
- OWASP Top Ten 2017
- OWASP ASVS

Day 2 of the course will focus on API secure coding, Identity and Mobile Security

- Web service, Microservice and REST Security
- Authentication and Session Management
- Access Control Design
- OAuth 2 Security
- OpenID Connect Security
- iOS Secure Coding
- Android Secure Coding
- 3rd Party Library Security Management
- Application Layer Intrusion Detection

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In... Read More →


Tuesday May 14, 2019 8:30am - 4:30pm PDT
Garden Terrace
 
Wednesday, May 15
 

8:30am PDT

Everything You Need To Know About Web, API and Mobile Secure Coding [Day 2 of 2]
Instructor: Jim Manico

Bio, description, student and laptop requirements, and the Day 1 / Day 2 outline are as listed under Day 1 of this course above.


Wednesday May 15, 2019 8:30am - 4:30pm PDT
Garden Terrace
 
Thursday, May 16
 

10:10am PDT

Law Enforcement Panel
The law enforcement panel consists of investigators and prosecutors whose day-to-day work involves apprehending cyber criminals who commit a range of crimes, including unlawful network intrusion, business email compromise, dark net sales of contraband, insider fraud, organized identity theft and the use of malware for criminal purposes. The panelists will discuss case studies, best practices to prevent incidents, recommendations on working with federal and state law enforcement, the emerging use of blockchain and cryptocurrencies in crime, and prosecuting overseas cyber criminals. The presentation is open to all conference attendees from the private and public sector.

Speakers

Samuel (Brian) Whitman

Special Agent, FBI

Ryan White

Assistant United States Attorney, Chief, Cyber & Intellectual Property Crimes Section, US Attorney, Central District of California
Ryan White is an Assistant United States Attorney in the Central District of California, where he is Chief of the Cyber & Intellectual Property Crimes Section. White, and his team of eight federal prosecutors, investigate and prosecute cases involving national security, computer and... Read More →

Tracy Wilkison

First Assistant United States Attorney, California, Central District
Tracy Wilkison is the First Assistant United States Attorney for the Central District of California; she is the top career prosecutor in the district and supervises all four litigating divisions of the office. She previously served as the Executive Assistant United States attorney... Read More →

Bradley N. Maryman

Founder, Maryman & Associates
Mr. Maryman is an experienced computer forensics and cyber investigations consultant. Prior to founding Maryman & Associates in 2001, he served as a Supervisory Special Agent with the Federal Bureau of Investigation (FBI) for over 29 years. During that time, Mr. Maryman conducted... Read More →


Thursday May 16, 2019 10:10am - 11:00am PDT
Garden Terrace

11:30am PDT

Law Enforcement Panel: LA County DA, Sheriff, and FBI
The law enforcement panel consists of investigators and prosecutors whose day-to-day work involves apprehending cyber criminals who commit a range of crimes, including unlawful network intrusion, business email compromise, dark net sales of contraband, insider fraud, organized identity theft and the use of malware for criminal purposes.

The panelists will discuss case studies, best practices to prevent incidents, recommendations on working with federal and state law enforcement, the emerging use of blockchain and cryptocurrencies in crime, and prosecuting overseas cyber criminals. The presentation is open to all conference attendees from the private and public sector.

Moderators

Marc Beaart

Assistant Head Deputy, Los Angeles District Attorney's Office - Cybercrime
Marc Beaart, a prosecutor with twenty-two years in the Los Angeles County District Attorney’s Office, is currently assigned to the Cyber Crime Division as the assistant head deputy. Before his current assignment, he served in several assignments including Compton, Central Trials... Read More →

Speakers

Senior Investigator McNary

Cyber Crime Investigations Unit, LA County District Attorney
Senior Investigator McNary is a 30-year veteran of law enforcement in Los Angeles County. His first 11 years were with the Los Angeles County Sheriff’s Department. He has been an investigator with the District Attorney’s Office since 1999. Senior Investigator McNary is currently... Read More →

Sergeant Hish

Sergeant, Los Angeles County Sheriff
Sergeant Hish is a 19-year veteran of the Los Angeles County Sheriff's Department. Before his career with the Sheriff's Department he served six years with the United States Army. During his tenure with the Army, Sergeant Hish was deployed to the Middle East in support of Operation... Read More →

John C. Weller

Prosecutor, LA County DA Cyber Crime Division
John C. Weller earned his B.A from U.C. Berkeley and his Juris Doctor from Loyola Law School in Los Angeles. Weller has been a prosecutor with the Los Angeles County District Attorney’s Office for over ten years. He is currently assigned to the Cyber Crime Division. This is a specialized... Read More →


Thursday May 16, 2019 11:30am - 12:50pm PDT
Garden Terrace

1:35pm PDT

Vendor Lunchtime Spotlight Talk
Thursday May 16, 2019 1:35pm - 2:00pm PDT
Garden Terrace

2:10pm PDT

Attacks on Critical Infrastructure Networks as a Component of Economic Warfare
This talk will explore how, in the event of conflict escalation between the US and a nation-state adversary, attacks on OT networks can be used as a powerful weapon of economic warfare. OT networks run the world's infrastructure, from oil refineries and nuclear power plants to the industrial processes inside chemical and pharmaceutical plants. Compared with traditional IT networks, OT networks are largely invisible to security teams and lag significantly in the security controls deployed. Given the relative lack of telemetry from these networks, we simply don't know how many critical networks have been breached. There are only a handful of publicly disclosed OT attacks, but we should not mistake this absence of evidence for evidence that adversaries are absent from those networks. Russian government threat actors have been targeting multiple critical infrastructure sectors, including energy, nuclear, commercial facilities, water, aviation and critical manufacturing, for a few years, and what we are witnessing is likely the early stage of reconnaissance and infiltration, with adversaries getting into position.

Speakers

Galina Antova

Co-founder and Business Development Officer, Claroty
Galina Antova is the Co-founder and Chief Business Development Officer at Claroty, a leading operational technology (OT) cybersecurity provider. Since its founding in 2015, the company has become the de-facto cybersecurity provider to industrial control networks with the support of... Read More →


Thursday May 16, 2019 2:10pm - 3:00pm PDT
Garden Terrace

3:10pm PDT

Blockchain of Evidence, Let the Evidence Speak for Itself
The US criminal justice system has lost public trust over the last few decades, as lost evidence and misreporting by the press have led to the conclusion that the "system" is corrupt. This presentation describes a novel use of hybrid permissioned blockchain technology to enable an immutable chain of evidence from collection at the scene to presentation in court, visible and verifiable to anyone with an interest throughout the process. A system like this should remove most of the court backlog currently devoted to evidence validity challenges and put the ability to trust back into the system. New technology enriches all of our lives when it gives our public systems the chance to excel at what they do. Imagine defense and prosecution trusting the same evidence throughout the case, with public transparency from collection to court.
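The core mechanism behind a tamper-evident chain of evidence, as an added illustration that is not the speaker's system or code: every custody event (collection, transfer, analysis, presentation) is appended as a record whose hash covers the previous record's hash, so rewriting or dropping any earlier event breaks every link after it. The evidence IDs, actors and artifact bytes below are constructed for the example; a real deployment would additionally sign each record and anchor the head hash on the permissioned ledger so that no single custodian can recompute the whole chain.

```python
"""Hash-chained chain-of-custody ledger (illustrative; not the speaker's system).

Each CustodyRecord hashes its own fields plus prev_hash, the hash of the
record before it.  verify() walks the chain and reports any record whose
contents no longer match its hash, or whose prev_hash no longer matches
its predecessor.  Sample events are constructed for this example.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS_HASH = "0" * 64  # prev_hash of the first record


def _canonical(obj) -> bytes:
    # Deterministic serialisation so identical records always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class CustodyRecord:
    seq: int
    evidence_id: str
    event: str            # "collected", "transferred", "analysed", "presented"
    actor: str            # who performed the event
    artifact_sha256: str  # hash of the evidence artifact as seen at this event
    prev_hash: str
    record_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("record_hash")  # the hash covers every field except itself
        return hashlib.sha256(_canonical(body)).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.records: List[CustodyRecord] = []

    def append(self, evidence_id: str, event: str, actor: str,
               artifact: bytes) -> CustodyRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS_HASH
        rec = CustodyRecord(
            seq=len(self.records),
            evidence_id=evidence_id,
            event=event,
            actor=actor,
            artifact_sha256=hashlib.sha256(artifact).hexdigest(),
            prev_hash=prev,
        )
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems: List[str] = []
        expected_prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec.seq != i:
                problems.append(f"record {i}: sequence gap (seq={rec.seq})")
            if rec.prev_hash != expected_prev:
                problems.append(f"record {i}: prev_hash does not match record {i - 1}")
            if rec.record_hash != rec.compute_hash():
                problems.append(f"record {i}: record_hash does not match contents")
            expected_prev = rec.record_hash
        return problems


def artifact_unchanged(ledger: CustodyLedger, evidence_id: str) -> bool:
    """True if every custody event for evidence_id reports the same artifact hash."""
    hashes = {r.artifact_sha256 for r in ledger.records if r.evidence_id == evidence_id}
    return len(hashes) == 1


def build_sample_ledger() -> CustodyLedger:
    # Constructed sample: one disk image moving from the scene to the courtroom.
    image = b"constructed disk image bytes"
    ledger = CustodyLedger()
    ledger.append("EV-001", "collected", "Officer A", image)
    ledger.append("EV-001", "transferred", "Evidence Clerk B", image)
    ledger.append("EV-001", "analysed", "Examiner C", image)
    ledger.append("EV-001", "presented", "Prosecutor D", image)
    return ledger


def tamper_demo() -> List[str]:
    # An insider rewrites who handled the transfer and recomputes that record's
    # hash so the record looks self-consistent; the next link still breaks.
    ledger = build_sample_ledger()
    ledger.records[1].actor = "Someone else"
    ledger.records[1].record_hash = ledger.records[1].compute_hash()
    return ledger.verify()


if __name__ == "__main__":
    print("intact chain problems:", build_sample_ledger().verify())
    print("tampered chain problems:", tamper_demo())
```

The chain only proves that history was not rewritten *after* the head hash was fixed somewhere the custodian cannot change it; that anchoring, plus per-record signatures from each handler, is what a permissioned ledger adds over a plain hash chain kept on one server.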

Speakers

Jeff Neithercutt

Blockchain of Evidence
Jeff Neithercutt is a Senior Cybersecurity Consultant for a company specializing in public sector consulting. Jeff has a Master’s Degree in Cyber Security and Information Assurance, is a published author (Tactical Hacking for the Law Enforcement Professional), and tinkers with both... Read More →


Thursday May 16, 2019 3:10pm - 4:00pm PDT
Garden Terrace

4:30pm PDT

Want to make $3000 a month working from home?
We've all seen the ads for work-from-home schemes, often accompanied by a picture of a cheque for thousands of dollars and a testimonial from a happy employee who only worked a few hours a week to earn the money. These legitimate-looking ads are often fronts for money laundering services. Symantec, working with the FBI, recently gained insight into such an operation. This talk examines the scheme, from recruitment, to conversations with the 'employees', and ultimately to the criminals behind it. Considerable technical and social skill is needed to operate such a scheme successfully while evading law enforcement. This talk shows how cooperation between security researchers and information sharing with law enforcement can bring down such an operation.

Speakers

Liam O'Murchu

Symantec
Liam O’Murchu is a director with the Security Technology and Response group with Symantec. Over the past 15 years O’Murchu has investigated and responded to the most sophisticated cyber attacks to ever emerge, from professional cyber-criminals targeting financial institutions... Read More →


Thursday May 16, 2019 4:30pm - 5:20pm PDT
Garden Terrace
 
Friday, May 17
 

9:20am PDT

Vulnerability Landscape 2019 – What Keeps Tripping Us Up
With increasing security budgets and the apparent increasing frequency of data breaches, managing vulnerabilities in an organisation can seem like a never-ending game of blind whack-a-mole. The way organisations approached vulnerability management in the past simply does not cut it with today's technology stacks and development methodologies. We will discuss some of the common themes that seem to persist and look at some actions we could take to dramatically improve our overall security.

Speakers

Rahim Jina

Chief Operating Officer & Co-Founder, edgescan™
Rahim is the COO and co-founder of edgescan™, a Security Consultancy firm and Fullstack Vulnerability Management SaaS based in Dublin, Ireland. Rahim is responsible for operational excellence and has extensive experience delivering penetration testing services to a wide range of... Read More →


Friday May 17, 2019 9:20am - 10:10am PDT
Garden Terrace

10:40am PDT

Transforming Cybersecurity in the Age of Chaos and Automation
It isn’t a surprise to many of us just how much data is being generated as our lives and our world embrace digital technologies. This data explosion is creating one of the greatest shifts in history and it is creating more chaos and threats than we could have imagined. But it is also unlocking a massive opportunity. Join Haiyan Song, SVP and GM of Security Markets at Splunk, as she takes you through the future of IT security operations and how automation will enable teams to operate better, stronger and faster.

Speakers

Haiyan Song

SVP and GM of Security Market, Splunk
Haiyan Song has been with Splunk since 2014 and currently serves as our Senior Vice President and General Manager of Security Markets. From 2012 to 2014, Ms. Song served as Vice President and General Manager of HP ArcSight, a security and compliance management company previously acquired... Read More →


Friday May 17, 2019 10:40am - 11:30am PDT
Garden Terrace

11:40am PDT

Continuous Security for DevOps Velocity
The security industry initially reacted to the “DevOps” movement with dismay: developers deploying code themselves? Hundreds of deploys per day? How could security teams possibly keep up with that rate of change? As the DevOps approach has become a mainstream development method, security teams have begun to embrace DevOps and discover the security benefits enabled by the DevOps methodology. Adapting to a DevOps world requires not just the security team to change how they operate, but a realignment of how security permeates the entire organization.
In this talk I will share my experiences integrating security with fast-moving development teams, the successes and failures I have seen, as well as guidance on turning DevOps into DevSecOps.

Speakers

Justin Collins

Senior Software Engineer, Synopsys
Justin Collins is a senior software engineer at Synopsys. He has been a part of security teams as an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive. He created the Brakeman static analysis security tool for Ruby on Rails which was recently acquired by... Read More →


Friday May 17, 2019 11:40am - 12:30pm PDT
Garden Terrace

1:40pm PDT

10 Lessons from the last 10 years of Incident Response; Protecting Your Network from Modern Threats
Research suggests that cyber crime will cost businesses over $2 trillion in 2019 and that the average cost of a breach in 2020 will exceed $150 million per incident. Kroll Cyber Risk Associate Managing Director and National Cyber Incident Response Team Leader Pierson Clair will discuss modern threats including Emotet, Trickbot and ransomware; attacker tools, tactics and methodologies; and how a back-to-basics approach can help better protect your network and more rapidly identify attackers on it.

Goals:
After attending this presentation, attendees will be able to:
  1. Understand modern threats and risks to network environments of all sizes.
  2. Understand how modern malware is able to penetrate and replicate through networks.
  3. Apply a back-to-basics approach to lock down and secure networks and endpoints.
  4. Learn from the oversights of other organizations to better protect their own infrastructure.


Speakers

Pierson Clair

Associate Managing Director, Cyber Risk, Kroll
Pierson Clair is an experienced certified digital forensic examiner, technical security consultant, and cyber security educator. Mr. Clair’s forensic experience includes extensive work with clients of all sizes and he is currently an Associate Managing Director and National Cyber... Read More →


Friday May 17, 2019 1:40pm - 2:30pm PDT
Garden Terrace

2:40pm PDT

Making Sense of the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is the broadest and most comprehensive privacy and data security measure in the nation. Its far-reaching obligations impact businesses across industries, dramatically shift the paradigm of what has traditionally been considered private or protected information, and threaten severe penalties for violations that will change the privacy and security landscape in California and nationwide. This session will make sense of it all by covering:

- The political landscape in which the CCPA and the cleanup legislation passed
- The CCPA's compliance requirements and who will be required to comply
- The impact on cybersecurity and information governance programs
- Direct and hidden litigation and enforcement risks
- The recently proposed amendments to the CCPA and the prospects for further legislation in other jurisdictions

Speakers

Brandon Reilly

Counsel - Privacy and Data Security, Manatt, Phelps & Phillips, LLP
Brandon Reilly is a privacy and data security attorney and civil litigator in Manatt's Orange County office. Brandon counsels clients on a wide array of consumer protection and privacy matters, including data privacy and security compliance and procedure and data breach response. In... Read More →


Friday May 17, 2019 2:40pm - 3:30pm PDT
Garden Terrace

2:40pm PDT

Building for the Future: Inspiring the Next Generation of Cybersecurity Professionals
It is important for young professionals to know they can have successful and impactful careers in the tech sector. However, to get more young minds interested in choosing careers in technology, the narrative needs to change to show that women and minorities have a future in the industry. Join Marci McCarthy as she discusses the importance of nurturing and growing the next generation of professionals in technology through mentorship opportunities, STEAM programs and other education opportunities.

Speakers

Marci McCarthy

CEO and President, T.E.N.
Marci McCarthy is the CEO and President of T.E.N., an information security executive networking and relationship-marketing firm. With more than 20 years of business management and entrepreneurial experience, McCarthy founded T.E.N.’s flagship program, the Information Security Executive... Read More →


Friday May 17, 2019 2:40pm - 3:30pm PDT
Garden Terrace
 