13 Hot AppSec Sessions in Belfast, Northern Ireland
OWASP Application Security Conference Tackles Crypto, GDPR, Ransomware and More
In a world that increasingly runs on - and remains served and entertained by - applications, someone needs to keep those apps, and the data they handle, secure. No wonder that the field of application security, aka "AppSec," is so hot.
That's why I'll be covering the AppSec Europe 2017 conference this week in Belfast, Northern Ireland. The conference is organized by the Open Web Application Security Project - OWASP. The not-for-profit organization, which is devoted to improving the state of app security, may be best known in security circles for maintaining the OWASP Top 10 list of the most critical web application security risks.
Mitigating those types of risks is the focus of this week's conference, held at Belfast Waterfront, which has already featured multiple days of training for application security professionals. But I'm covering the general sessions on May 11 and 12 on such diverse topics as secure coding, SecDevOps, SSL/TLS security, complying with Europe's new General Data Protection Regulation, the rise of ransomware as well as the risks posed by quantum computing.
Here's my preview of must-see AppSec EU 2017 sessions:
Thursday, May 11
- Improving AppSec via better feedback (9:15): Shannon Lietz, the DevSecOps lead for financial software maker Intuit, describes techniques organizations can use to increase awareness of the OWASP Top 10 and push for higher levels of DevSecOps adoption. Lietz's bio includes stints at cloud pioneer ServiceNow, as well as helping Sony build a secure new data center and lead "crisis management for a large-scale security breach."
- Embedding GDPR into the SDLC (10:20): Sebastien Deleersnyder and Siebe de Roovere talk about how to map GDPR requirements to the typical security-related activities involved in the software development lifecycle.
- Android password manager flaws (12:25): Researchers Steve Arzt and Stephan Huber present the results of their security study of 15 of the most-used Android password managers.
- Printer security - or lack thereof (15:00): Jens Muller and Vladislav Mladenov will provide what they're billing as "the first comprehensive study of printer security," comprising 20 types of printers, all of which have at least one of the following flaws: denial of service, protection bypass, print job manipulation and information disclosure.
- SSL/TLS certificate efficacy (16:15): Security researcher Enrico Branca presents the results of his 48-month study into whether SSL/TLS certificates are effectively keeping encrypted data secure.
- Looking back to look ahead (17:05): Brian Honan, a cybersecurity adviser to the EU law enforcement intelligence agency Europol, founder of Ireland's first computer emergency response team - IRISSCERT - and head of Dublin-based consultancy BH Consulting, looks at the history of computing to articulate tomorrow's application security lessons.
Friday, May 12
- Ransomware economies (9:15): Jeremiah Grossman, chief of security strategy for next-generation endpoint security firm SentinelOne, traces the ways in which ransomware parallels human kidnapping and real-world extortion rackets.
- Pen-testing voice biometrics (10:20): How secure - or poorly secured - are today's top voice biometrics solutions? Jakub Kaluzny of Australian firm The Missing Link talks about how to test voice biometrics, fuzzing interactive voice response systems and abusing related mobile apps.
- Mobile wallet pwnage (11:35): Wojciech Dworakowski, a managing partner at IT security firm SecuRing, describes attacks against mobile contactless payment apps as well as essential defenses.
- From DevOps to DevSecOps (12:40): Former Gartner Group analyst Joseph Feiman, now chief innovation officer at application security development software vendor Veracode, tells how he sees the market for application security technologies evolving, for example, to help transform agile development teams with DevSecOps.
- Quantum-safe crypto (14:10): Software engineer Gavin McWilliams of Queen's University Belfast details the search for crypto systems that will be safe from quantum computing. He's the consortium manager for the SAFEcrypto.eu European research project, which is pursuing post-quantum cryptographic solutions for protecting IT systems.
- Cloud-based DNS hijacking (15:00): Bug bounty maven Frans Rosén, an adviser for Detectify - a security service for developers - talks tools that can be used to hijack domains, nameservers and DNS providers.
- Everything is going quantum (17:05): Jaya Baloo, CISO of KPN Telecom in the Netherlands - and a veteran of the telecommunications sphere, having previously worked at such firms as France Telecom and Verizon - describes the rise of quantum computing and its potential impact on data security, privacy and surveillance.