Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL
G106/107
11:20 | The case for HTTPS everywhere | Emily Schechter (Google)
13:15 | Moving beyond Threatbutt; or, Threat landscape 2039 | Trey Darley (Kingfisher Operations, sprl)
14:10 | Continuous security | Stein Inge Morisbak (Bekk Consulting AS), Erlend Oftedal (Blank Oslo)
15:50 | Scalable threat modeling with risk patterns | Stephen de Vries (ContinuumSecurity)
G102
11:20 | Who owns open source security? | Guy Podjarny (Snyk)
14:10 | Gamify security training with developer CTFs | Kyle Rankin (Final, Inc.)
15:50 | Security by consent | Brendan O'Connor (Malice Afterthought, Inc.)
16:45 | Abusing Google and Facebook login: On the risks in trusting third-party logins | Ido Safruti (PerimeterX), Tomer Cohen (Wix.com)
G103
11:20 | PAL is your pal: Bootstrapping secrets in Docker | Nick Sullivan (CloudFlare)
14:10 | Integrating security into DevOps | Ernest Kim (MITRE Corp.)
16:45 | A technical dive into defensive trickery | Dan Kaminsky (White Ops)
G104/105
13:15 | Beyond Corp: Lessons learned from five years of endpoint attestation | Hunter King (Google), August Huber (Google)
14:10 | Mapping adversary infrastructure using DNS | Merike Kaeo (Farsight Security)
15:50 | Architectural design for legal analytics | Steven Touw (Immuta)
10:40 Coffee Break | Room: Elicium Sponsor Pavilion
12:00 Thursday lunch and Birds of a Feather sessions | Room: Elicium Sponsor Pavilion
14:50 Afternoon Break | Room: Elicium Sponsor Pavilion
17:30 Sponsor Pavilion Reception | Room: Elicium Sponsor Pavilion
Auditorium
9:00 | Thursday keynotes | Courtney Nash (O'Reilly), Allison Miller (Google)
9:05 | Lessons learned from running big bug bounty programs | Katie Moussouris (Luta Security)
10:00 | From possible to practical: The path for defense | Dan Kaminsky (White Ops)
10:30 | Closing remarks | Courtney Nash (O'Reilly), Allison Miller (Google)
8:00 Coffee break | Room: Auditorium Foyer
11:20-12:00 (40m) Bridging business and security
The case for HTTPS everywhere
Emily Schechter (Google)
HTTPS is no longer only for sensitive sites; it’s a critical piece of the web user experience and necessary for the long-term health of the Web. Google is methodically hunting and tackling major hurdles for TLS adoption to guide the Web toward HTTPS everywhere. Emily Schechter shares lessons learned on the road to ubiquitous HTTPS, focusing on the benefits of HTTPS.
13:15-13:55 (40m) Security in context (security datasci)
Moving beyond Threatbutt; or, Threat landscape 2039
Trey Darley (Kingfisher Operations, sprl)
Trey Darley cuts through the hype surrounding threat intelligence and reframes the concept within a broader historical context, showing how information sharing can be an effective tool both for organizations with sophisticated security programs and for organizations falling below the security poverty line.
14:10-14:50 (40m) Bridging business and security
Continuous security
Stein Inge Morisbak (Bekk Consulting AS), Erlend Oftedal (Blank Oslo)
In a world of continuous everything, each discipline has to find ways to provide value fast and reliably—whether it's business people adapting to an ever-changing world, developers delivering software many times per day, or operations providing high-availability infrastructure in an instant. Stein Inge Morisbak and Erlend Oftedal explore how to integrate security into this work stream.
15:50-16:30 (40m) Bridging business and security
Scalable threat modeling with risk patterns
Stephen de Vries (ContinuumSecurity)
Current approaches to threat modeling emphasize manual analysis by trained teams, which can result in a bottleneck in the development process, reducing the appeal of performing this activity. Stephen de Vries presents a technique that uses reusable risk patterns to open the door to automated and scalable threat modeling.
16:45-17:25 (40m) Bridging business and security
Speak security and enter: Making security make sense for nontechnical users
Jessy Irwin (Jessysaurusrex)
It happens to every security team: after explaining operational security to management, it feels like nothing stuck. Why do eyes glaze over when we talk about encryption? How can we make sense of defense in depth for others? Jessy Irwin shows you how to find common ground and truly share security with nontechnical users, helping better communicate the mindset behind security.
11:20-12:00 (40m) The human element
Who owns open source security?
Guy Podjarny (Snyk)
From Heartbleed to ImageTragick, vulnerabilities in open source are repeatedly shaking the Web. But who is responsible for fixing these issues? OSS is a community feat, and so must securing it be. Guy Podjarny discusses the roles for authors, consumers, and tools in keeping open source secure.
13:15-13:55 (40m) The human element
Security through design: Making security better by designing for people
Jelle Niemantsverdriet (Deloitte)
Why do certain devices, programs, or companies lead to utter frustration while others consistently delight us? What can we learn from these insights when dealing with human behavior related to security? Jelle Niemantsverdriet explores user-centered design methods from other disciplines, such as economics, psychology, and marketing, that can help us build security in a truly usable way.
14:10-14:50 (40m) The human element
Gamify security training with developer CTFs
Kyle Rankin (Final, Inc.)
Capture the Flag tournaments have long been used to test hacker skills, but they can also serve as effective security training for developers. Kyle Rankin shares a case study where he turned teams of developers with no prior security training against each other in a CTF arena featuring their own applications and watched them rack up points as they popped shells in each other's applications.
15:50-16:30 (40m) The human element
Security by consent
Brendan O'Connor (Malice Afterthought, Inc.)
Security people are "only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare," but often the relationship between security and everyone else is fraught. Brendan O'Connor explores how another group charged with protecting everyone handled this problem with humor, kindness, and a commitment to service.
16:45-17:25 (40m) Tech, tools, and processes
Abusing Google and Facebook login: On the risks in trusting third-party logins
Ido Safruti (PerimeterX), Tomer Cohen (Wix.com)
Using social logins is a good way to boost security. However, this often makes site owners complacent, skipping security measures they still need to maintain. Ido Safruti and Tomer Cohen explain how attackers have found ways to exploit this and bypass the auth providers’ defenses, attacking some of the world’s largest services, and demonstrate how to protect yourself from such attacks.
11:20-12:00 (40m) Tech, tools, and processes
PAL is your pal: Bootstrapping secrets in Docker
Nick Sullivan (CloudFlare)
Bootstrapping the identity of services deployed in Docker containers is hard. Nick Sullivan offers an overview of PAL, an open source tool that CloudFlare built to help solve this problem, and explains how PAL can be used to bolster the security of your Docker container deployments.
13:15-13:55 (40m) Tech, tools, and processes
Common vulnerabilities and exposures in containers: What to know
Quentin Machu (CoreOS)
Clair is an open source container image security analyzer that enables developers to build services that scan containers for security threats and vulnerabilities. Quentin Machu offers an overview of Clair and explores a real-life example to demonstrate how Clair is able to automatically detect known vulnerabilities in Docker and rkt containers before they get exploited.
14:10-14:50 (40m) Tech, tools, and processes
Integrating security into DevOps
Ernest Kim (MITRE Corp.)
Ernest Kim shares how the MITRE Corporation, a US federally funded research and development center, integrated security tools into its DevOps chain to get continuous insight into the security posture of the various Linux distributions it uses and rapidly deploy fixes when needed.
15:50-16:30 (40m) Tech, tools, and processes
Continuous auditing for effective compliance with Rudder
Jonathan Clarke (Normation)
Rudder is an open source IT compliance automation tool that focuses on continuously checking configurations to provide a real-time high-level compliance status or break down noncompliance issues to a deep technical level. Jonathan Clarke offers an overview of Rudder and demonstrates how to use it to drill down to any issues that need remediating.
16:45-17:25 (40m) The human element
A technical dive into defensive trickery
Dan Kaminsky (White Ops)
Hacking is a game, and defense both makes the rules and is under no particular obligation to play fair. So cheat. Dan Kaminsky explores better ways to deploy cryptography, protect data, leverage clouds, and more.
11:20-12:00 (40m) Security in context (security datasci)
Beyond matching: Applying data science techniques to IOC-based detection
Alex Pinto (Niddel)
Alex Pinto demonstrates how to apply descriptive statistics, graph theory, and nonlinear scoring techniques to the relationships between known network IOCs and log data, and how to use those techniques to help IR teams encode analyst intuition into repeatable data techniques that simplify the triage stage and yield actionable information with minimal human interaction.
13:15-13:55 (40m) Security in context (security datasci)
Beyond Corp: Lessons learned from five years of endpoint attestation
Hunter King (Google), August Huber (Google)
Hunter King and August Huber explain how to implement machine identity at scale in a heterogeneous environment. Discover the pitfalls of endpoint attestation. Hunter and August made the mistakes so you won't have to.
14:10-14:50 (40m) Security in context (security datasci)
Mapping adversary infrastructure using DNS
Merike Kaeo (Farsight Security)
Nothing good or bad can happen on the Internet without involving the Domain Name System (DNS), which provides visibility into the global Internet and unparalleled intelligence on cybercriminals and attack methods. Merike Kaeo discusses the value of DNS to cyber investigations and explores how real-time DNS observations can improve accuracy and response time to cyberattacks.
15:50-16:30 (40m) Security in context (security datasci)
Architectural design for legal analytics
Steven Touw (Immuta)
The global populace is asking for the IT industry to be held responsible for safeguarding individual data. If the cat is out of the bag and collection will not stop, then the next logical question is how we protect the privacy of individuals. Steven Touw examines how to design your data and analytics architecture to keep your data science teams delivering results legally.
16:45-17:25 (40m)
Expanding the blue team by building a security culture program
Masha Sedova (Salesforce)
Masha Sedova shares the steps she’s taken to increase the reporting of suspicious activity by her employees and explores the measurable impact it has had in helping keep Salesforce’s employees and customers secure.
10:40-11:20 (40m)
Break: Coffee Break
12:00-13:15 (1h 15m) Event
Thursday lunch and Birds of a Feather sessions
During lunch, you'll have the chance to participate in a Birds of a Feather session with like-minded people.
14:50-15:50 (1h)
Break: Afternoon Break
17:30-18:30 (1h) Event
Sponsor Pavilion Reception
Be sure to join us in the Sponsor Pavilion for drinks and food for the Attendee Reception. This will be your first opportunity to network with other Security attendees, so don’t miss out.
9:00-9:05 (5m)
Thursday keynotes
Courtney Nash (O'Reilly), Allison Miller (Google)
Program chairs Courtney Nash and Allison Miller welcome you to the first day of keynotes.
9:05-9:35 (30m) Bridging business and security
Lessons learned from running big bug bounty programs
Katie Moussouris (Luta Security)
Katie Moussouris, Founder & CEO, Luta Security
9:35-9:55 (20m)
The world will see (and just saw) an Internet zombie apocalypse
Phil Stanhope (Dyn)
Dyn was recently the subject of a major DDoS attack, its first significant disruption in over 15 years of operation. Phil Stanhope shares Dyn's experience before exploring the rapid evolution of multilayer attacks happening on the Internet and outlining the steps to take to deal with them from an ops perspective.
9:55-10:00 (5m) Sponsored
Innovation versus invasion: Inserting privacy controls and due process into semi-autonomous algorithms
Matthew Carroll (Immuta Inc)
Algorithms influence our everyday decision making, but at what point does innovation turn into invasion? Matthew Carroll discusses how regulators and consumers can take back control by inserting legal checks and balances into the data science process.
10:00-10:30 (30m)
From possible to practical: The path for defense
Dan Kaminsky (White Ops)
Defensive technology that is not practical will not be deployed and will defend nothing at all. Dan Kaminsky discusses how a strong focus on ease of use—for developers, operators, and users—is our only hope for migrating to a more secure Internet.
10:30-10:35 (5m)
Closing remarks
Courtney Nash (O'Reilly), Allison Miller (Google)
Program chairs Courtney Nash and Allison Miller provide closing remarks for the first day of keynotes.
8:00-9:00 (1h)
Break: Coffee break