Security Superstream: Application Security

Chloé Messdaghi: Introduction (5 minutes) - 8:00am PT | 11:00am ET | 3:00pm UTC/GMT

• Chloé Messdaghi welcomes you to the Security Superstream.

Casey Ellis: The Unlikely Romance (45 minutes) - 8:05am PT | 11:05am ET | 3:05pm UTC/GMT

• Casey Ellis offers a primer on how hackers and organizations are working together today and what it will look like moving forward. As the relationship between hackers and companies becomes more normal, you start to see real change in our cybersecurity landscape. Join in to understand why it takes an army to outsmart an army and explore the tremendous leverage that’s available to those who think differently.
• Casey Ellis is the chairman, founder, and chief technology officer at Bugcrowd as well as the cofounder of the disclose.io project. A 20-year information security veteran, he spent his childhood inventing things and generally getting technology to do things it isn't supposed to do. Casey pioneered the crowdsourced-security-as-a-service model, launching the first bug bounty programs on the Bugcrowd platform in 2012, and cofounded the disclose.io vulnerability disclosure standardization project in 2014. Since then, he’s personally advised the US Department of Defense and Department of Homeland Security/CISA, the Australian and UK intelligence communities, and various US House and Senate legislative cybersecurity initiatives, including preemptive cyberspace protection ahead of the 2020 presidential elections. A native of Sydney, Australia, Casey lives in the San Francisco Bay Area with his wife and two children.

Brian McHenry: Preventing the API Explosion from Detonating Your Infrastructure (Sponsored by F5) (30 minutes) - 8:50am PT | 11:50am ET | 3:50pm UTC/GMT

• APIs have become pervasive and ubiquitous. They’re employed for a variety of purposes, from configuring and orchestrating infrastructure and applications to publishing applications and sharing data, and they range from well-documented, known APIs to undocumented “shadow” APIs. Brian McHenry takes you through the key capabilities and methodologies you need to know to keep pace with the rapidly expanding footprint—and attack surface—of APIs in every enterprise, large and small.
• Brian McHenry leads product management for web application and API security on all F5 data planes: BIG-IP, NGINX, and Distributed Cloud. In this role, he sets strategy for the BIG-IP Advanced WAF, Distributed Cloud WAAP, and NGINX App Protect product lines. Brian takes pride in enabling F5’s customers to be successful while improving their security posture, making the internet a safer place. He’s a published writer and a regular speaker at infosec conferences and events. As a cofounder of Security BSides NYC, he’s committed to giving back to the Infosec community.
• This session will be followed by a 30-minute primer and demo session in a breakout room. Byron McNaught, senior solutions marketing manager at F5, and Cameron Delano, security solutions architect, will discuss and show how to put intrinsic application security into practice: protecting apps and APIs wherever they need to be. Join Byron and Cameron to learn how you can leverage F5’s OneWAF Engine, Distributed Cloud, and NGINX solutions to protect web apps and APIs from the data center to private and public clouds or at the edge.
• Break (10 minutes)

Aaron Parecki: Best Practices for Deploying OAuth for Your Applications (45 minutes) - 9:30am PT | 12:30pm ET | 4:30pm UTC/GMT

• Even if you've never heard about OAuth, you've certainly used it in your daily life. But what purpose does OAuth actually serve? Join Aaron Parecki to explore the original problems OAuth set out to solve and find out how it evolved into the foundation of nearly every modern system on the web. You’ll learn the most secure way to sign users in, taking advantage of multifactor authentication and leveraging biometrics available on users' devices.
• Aaron Parecki is a senior security architect at Okta with over 20 years of experience in the industry. He’s the author of OAuth 2.0 Simplified, maintains oauth.net, and has taught the fundamentals of OAuth and online security to thousands of developers worldwide. He’s been invited to speak at events around the world about OAuth, online security, privacy, and data ownership. Aaron is a regular contributor to several globally recognized specifications at the IETF and is the editor of OAuth 2.1.
• Break (5 minutes)

Tanya Janca: Building Security Champions (45 minutes) - 10:20am PT | 1:20pm ET | 5:20pm UTC/GMT

• Security teams are vastly outnumbered. Organizations have responded to this challenge with a number of different program scaling methods, including building security champions programs. But how does a security champions program actually work? How do you select your champions? And once you have them, what do you DO with them? Join Tanya Janca to learn how to attract the right people to your program, what and how to train them, how to engage them and turn them into security advocates, and much more in order to build an amazing security champion program.
• Tanya Janca, also known as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security and the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya is also an AppSec and secure coding trainer.

Chloé Messdaghi: Closing Remarks (5 minutes) - 11:05am PT | 2:05pm ET | 6:05pm UTC/GMT

• Chloé Messdaghi closes out today’s event.

Upcoming Security Superstream events:

• October 18, 2023 - DevSecOps