Security Superstream: Application Security
Published by O'Reilly Media, Inc.
Learn best practices and the latest developments
Modern applications contain far more code than those of a decade ago, and they are highly connected and constantly updated, which greatly expands their attack surface. So it's no surprise that, by one estimate, 84% of security breaches happen at the application layer.
Join experts in the field to learn the latest developments in application security. You’ll get up to speed on techniques and best practices related to API security, the OWASP Top 10, bug bounty programs, and much more.
About the Security Superstream Series: This two-part series of events covers some of the most challenging topics facing security practitioners, with expert guidance on best practices, new developments, and future trends.
What you’ll learn and how you can apply it
- Understand the fundamentals of securing your organization’s applications.
- Gain a deeper understanding of bug hunting, API security, OAuth, and security champion programs.
- Learn how to implement these best practices effectively in your own organization.
This live event is for you because...
- You're a security practitioner interested in application security.
- You’re a developer who wants to improve the security posture of your work.
- You’re an IT professional new to or looking to enter a security role.
- You want to get started with bug hunting.
- You want to become well-versed in the foundations and best practices of application security.
Prerequisites
- Come with your questions.
- Have a pen and paper handy to capture notes, insights, and inspiration.
Recommended follow-up:
- Read Web Application Security (book)
- Take Web Application Security Fundamentals (live course with Ming Chow)
- Take Hands-On Introduction to OAuth 2.0 (live course with Aaron Parecki)
Schedule
The time frames are only estimates and may vary according to how the event is progressing.
Chloé Messdaghi: Introduction (5 minutes) - 8:00am PT | 11:00am ET | 3:00pm UTC/GMT
- Chloé Messdaghi welcomes you to the Security Superstream.
Casey Ellis: The Unlikely Romance (45 minutes) - 8:05am PT | 11:05am ET | 3:05pm UTC/GMT
- Casey Ellis offers a primer on how hackers and organizations are working together today and what it will look like moving forward. As the relationship between hackers and companies becomes more normal, you start to see real change in our cybersecurity landscape. Join in to understand why it takes an army to outsmart an army and explore the tremendous leverage that’s available to those who think differently.
- Casey Ellis is the chairman, founder, and chief technology officer at Bugcrowd as well as the cofounder of the disclose.io project. A 20-year information security veteran, he spent his childhood inventing things and generally getting technology to do things it isn't supposed to do. Casey pioneered the crowdsourced-security-as-a-service model, launching the first bug bounty programs on the Bugcrowd platform in 2012, and cofounded the disclose.io vulnerability disclosure standardization project in 2014. Since then, he’s personally advised the US Department of Defense and Department of Homeland Security/CISA, the Australian and UK intelligence communities, and various US House and Senate legislative cybersecurity initiatives, including preemptive cyberspace protection ahead of the 2020 presidential elections. A native of Sydney, Australia, Casey lives in the San Francisco Bay Area with his wife and two children.
Brian McHenry: Preventing the API Explosion from Detonating Your Infrastructure (Sponsored by F5) (30 minutes) - 8:50am PT | 11:50am ET | 3:50pm UTC/GMT
- APIs have become pervasive. They're employed for a variety of purposes, from configuring and orchestrating infrastructure and applications to publishing applications and sharing data, and they range from well-documented, known APIs to undocumented "shadow" APIs that no one is inventorying, monitoring, or protecting. Brian McHenry takes you through the key capabilities and methodologies you need to keep pace with the rapidly expanding footprint, and attack surface, of APIs in every enterprise, large and small.
- Brian McHenry leads product management for web application and API security on all F5 data planes: BIG-IP, NGINX, and Distributed Cloud. In this role, he sets strategy for the BIG-IP Advanced WAF, Distributed Cloud WAAP, and NGINX App Protect product lines. Brian takes pride in enabling F5's customers to be successful while improving their security posture, making the internet a safer place. He's a published writer and a regular speaker at infosec conferences and events. As a cofounder of Security BSides NYC, he's committed to giving back to the infosec community.
- This session will be followed by a 30-minute primer and demo session in a breakout room. Byron McNaught, senior solutions marketing manager at F5, and Cameron Delano, security solutions architect, will discuss and show how to put intrinsic application security into practice: protecting apps and APIs wherever they need to be. Join Byron and Cameron to learn how you can leverage F5’s OneWAF Engine, Distributed Cloud, and NGINX solutions to protect web apps and APIs from the data center to private and public clouds or at the edge.
- Break (10 minutes)
Aaron Parecki: Best Practices for Deploying OAuth for Your Applications (45 minutes) - 9:30am PT | 12:30pm ET | 4:30pm UTC/GMT
- Even if you've never heard of OAuth, you've almost certainly used it in your daily life. But what problem does OAuth actually solve? Join Aaron Parecki to explore the original problems OAuth set out to address and find out how it evolved into the foundation of delegated authorization and sign-in across much of the modern web. You'll learn the most secure way to sign users in, taking advantage of multifactor authentication and the biometric authenticators available on users' devices.
- Aaron Parecki is a senior security architect at Okta with over 20 years of experience in the industry. He’s the author of OAuth 2.0 Simplified, maintains oauth.net, and has taught the fundamentals of OAuth and online security to thousands of developers worldwide. He’s been invited to speak at events around the world about OAuth, online security, privacy, and data ownership. Aaron is a regular contributor to several globally recognized specifications at the IETF and is the editor of OAuth 2.1.
- Break (5 minutes)
Tanya Janca: Building Security Champions (45 minutes) - 10:20am PT | 1:20pm ET | 5:20pm UTC/GMT
- Security teams are vastly outnumbered by the developers whose code they are expected to secure. Organizations have responded to this challenge with a number of different program scaling methods, including security champions programs. But how does a security champions program actually work? How do you select your champions? And once you have them, what do you do with them? Join Tanya Janca to learn how to attract the right people to your program, what to train them on and how, and how to keep them engaged and turn them into security advocates on their own teams.
- Tanya Janca, also known as SheHacksPurple, is the best-selling author of Alice and Bob Learn Application Security and the founder of We Hack Purple, an online learning community that revolves around teaching everyone to create secure software. Tanya is also an AppSec and secure coding trainer.
Chloé Messdaghi: Closing Remarks (5 minutes) - 11:05am PT | 2:05pm ET | 6:05pm UTC/GMT
- Chloé Messdaghi closes out today’s event.
Upcoming Security Superstream events:
- October 18, 2023 - DevSecOps
Your Host
Chloé Messdaghi
Chloé Messdaghi serves as the Head of Threat Intelligence at HiddenLayer, where she leads efforts to strengthen the security of AI systems and fosters collaborative initiatives to improve industry-wide AI security practices. A sought-after public speaker and a trusted source for national and sector-specific journalists, Chloé's expertise has been featured across a range of media. Her contributions to cybersecurity have earned her recognition as a Power Player by publications such as Business Insider and SC Media.