Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Schedule: Tools and processes sessions

9:00am–5:00pm Sunday, October 29 & Monday, October 30
Location: Gibson
Steven Wierckx (Toreon)
Drawing on real-world use cases—including hotel booking web and mobile applications that share the same REST backend, an internet of things deployment with an on-premises gateway and secure update service, and an HR services OAuth scenario for mobile and web applications—Steven Wierckx walks you through performing practical threat modeling and discusses privacy threats and privacy by design.
9:00am–12:30pm Monday, October 30, 2017
Location: Sutton South
Ben Hall (Katacoda | Ocelot Uproar)
Average rating: 4.00 (3 ratings)
Drawing on his experience building Katacoda, a platform that provides users with a sandboxed learning playground—with the side effect that they can execute malicious code and hack the system from inside the container—Ben Hall walks you through implementing Docker and container security. You'll learn about the Linux and Docker security model and how to maximize your container’s security.
1:30pm–5:00pm Monday, October 30, 2017
Location: Sutton North
John Studarus (JHL Consulting), Cynthia Thomas (Midokura)
John Studarus and Cynthia Thomas demonstrate how to service-chain traffic through multiple security functions using virtualization and software-defined networking (SDN). John and Cynthia walk you through configuring and modifying layer 2 service chains with open source cloud security tools to monitor and block malicious traffic originating from a network of virtual machines.
2:10pm–2:50pm Tuesday, October 31, 2017
Location: Beekman
Danielle Leong (GitHub)
Average rating: 4.50 (2 ratings)
Online safety has become a huge problem in the world of oversharing. Real-name policies, automatic geolocation tracking, and photo tagging increase user adoption rates, but these features can be quickly abused by bad actors. Danielle Leong explains how to apply a "consent filter" to product decisions to create a safer user experience and help protect your most vulnerable users from harm.
11:20am–12:00pm Wednesday, November 1, 2017
Location: Sutton North
Harry Sverdlove (Edgewise Networks)
In today's world of dynamic computing environments and advanced threats, the axiom "trust but verify" is not an effective strategy. The zero-trust model forces you to rethink the way you secure your networks. Harry Sverdlove breaks down zero-trust networking into simple principles that can be applied to any organization to both improve your security posture and simplify its management.
11:20am–12:00pm Wednesday, November 1, 2017
Location: Sutton South
Alexandra Ulsh (Mapbox)
Average rating: 5.00 (1 rating)
Launching a bug bounty program is hard. Running and maintaining a successful bug bounty program is even harder. Using real-world stories of both failure and success, Alexandra Ulsh details how Mapbox's security team used tools, processes, automation, and empathy to decrease response time by 90%, reduce noise, and improve average report quality for its bug bounty program.
2:10pm–2:50pm Wednesday, November 1, 2017
Location: Sutton South
Jack Naglieri (Airbnb), Austin Byers (Airbnb)
The advent of serverless technologies and infrastructure as code has changed how we build and deploy security services, empowering teams to create low-cost, scalable, and secure services to protect organizations. Drawing on their real-world experiences, Jack Naglieri and Austin Byers explore tools and techniques for successfully building, deploying, and debugging serverless security applications.
2:10pm–2:50pm Wednesday, November 1, 2017
Location: Regent
Ryan Lackey (ResetSecurity)
Average rating: 3.00 (1 rating)
As laptop bans, border searches, and filtering become more common, travel computing security—keeping your data and systems safe while traveling and keeping your home systems safe when you return—is a timely topic. Ryan Lackey explores the unique challenges for the traveling user and shares policy and technical solutions, as well as how security threats and technologies have evolved over time.
3:50pm–4:30pm Wednesday, November 1, 2017
Location: Beekman
Mark Mossberg (Trail of Bits)
Mark Mossberg offers a practical introduction to symbolic execution, exploring cutting-edge research in automated software testing, along with its strengths, weaknesses, and applications. Mark uses Manticore, a simple, usable, symbolic execution tool, to bridge theory and practice with concrete examples. You’ll walk away better prepared to make informed decisions about how to test your software.
3:50pm–4:30pm Wednesday, November 1, 2017
Location: Sutton North
Taylor Lobb (Adobe), Julia Knecht (Adobe)
Average rating: 4.50 (2 ratings)
Taylor Lobb and Julia Knecht explain how a team of just two security analysts created a successful secure product lifecycle (SPLC) program by leveraging automation and establishing security ambassadors (champions) within the product engineering teams. This program has successfully scaled to support thousands of engineers due to the solid framework built on automation at its core.
4:45pm–5:25pm Wednesday, November 1, 2017
Location: Sutton South
Jan Schaumann (The Internet)
Average rating: 5.00 (1 rating)
Jan Schaumann shares insights into TLS cipher specs and protocols, presents a threat analysis of dozens of vulnerabilities and attacks, and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.