BOSTON, MA

Trainings: April 29 - April 30, 2019 | Conference: May 1 - 3, 2019

Welcome to SOURCE Boston!

SOURCE is a different kind of security conference. We are one part CISO conference, one part Hacker conference, and one part Career and Personal Development event. In addition to great tech talks and business case studies, we are one of the few conferences to address people-related issues in security head-on.

We are assembling an outstanding selection of speakers across a variety of disciplines, and are looking forward to bringing everyone together. Come for the talks, stay for the conversations.

Event Highlights:
- NEW 3-Day format!
- World class InfoSec Talks
- Three tracks
- Multi-speaker event
- Business, technical and people-related talks
- Excellent networking opportunities
- Public speaking workshop

This year we will be expanding to a 3-day conference format, so we will have more content, more people, more activities, more fun!

We have some great things in store for you!

Conference Schedule

Pre-Conference Training Day 1

April 29, 2019

Pre-Conference Training Day 2

April 30, 2019

Conference Day One

May 1, 2019

Conference Day Two

May 2, 2019

Conference Day Three

May 3, 2019

InfoSec Train the Trainer (Day 1)

9:00 - 5:00 Rob Cheyne

Do you struggle to present technical information to a group? Your team? Your boss? Communicating technical information is a learnable skill and anybody can do it. This highly interactive course can help anyone be a better trainer, facilitator or presenter.

Your instructor for this session, Rob Cheyne, has traveled the world multiple times teaching some of the most technical information security content to some of the world’s toughest audiences. He has extensive training in presentation and training skills, and he has delivered in-person training to over 25,000 students at global Fortune 500 Companies. Rob specializes in serving as the universal translator between the technical and business sides of the house.

In this class, Rob will give away some of his best secrets for keeping an audience engaged for any length of time. If you are involved in delivering any kind of technical presentation or training, this is an opportunity that you are not going to want to miss.

Target Audience:
Anyone who wants to improve their technical presentation skills

Topics covered include:
– How to turn any presentation into a training/learning opportunity
– How to communicate your thoughts clearly and effectively
– How to powerfully begin and end your presentation or training
– How to effectively address audience questions
– How to turn a room of introverts into extroverts
– How to make sure everyone in the room gets your message
– How to manage the state of the room and the state of your audience
– How to use in-classroom exercises to cement learning
– How to create an effective session agenda
– How to give a great technical demo

Instructor Bio:

Rob Cheyne is a highly regarded technologist, trainer, security expert and serial entrepreneur.

He has 25 years of experience in the information technology field and has been working in information security since 1998. Rob has led information security training classes for over 25,000 people across many industry-leading global organizations, and consults regularly with Fortune 500 clients.

Rob is the founder and CEO of Big Brain Security and the Executive Director of the SOURCE conferences. Previously, Rob was the co-founder and CEO of Safelight, a leading provider of information security education programs that was acquired by Security Innovation in July 2014.

He was also an early employee of @stake, a well-known pioneer in information security consulting. Rob was the author of LC4, a version of the award-winning L0phtCrack password auditing tool, and he also worked on the code scanning technology that was eventually spun off as Veracode.

Rob regularly speaks at security and training conferences, and frequently presents to the local chapters of various security organizations.

InfoSec Train the Trainer (Day 2)

9:00 - 5:00 Rob Cheyne

Application Security Risk for Executives and Managers

9:00 - 5:00 Darren Meyer

Do you struggle to understand the things that your development teams worry about? Do you struggle to understand what your security team worries about?

There are two huge communication gaps in practically every business environment. The gap between business and technical folks, and the even bigger gap between business and security folks.

This interactive workshop covers the major areas of application risk that must be addressed, in a way that anyone can understand.

Over many years of teaching Infosec classes to developers, the #1 question was “this is great stuff, please tell my boss.” This is the class that answers that question.

Whether you are a manager of a technical team, or an executive at a company that has development teams, this class is an invaluable way to get up to speed quickly on today’s application security risks.

Target Audience:
Managers, executives, and anyone who wants to participate in frank discussion of today’s application security risks.

Topics covered include:
– Learn how real-world attacks occur
– How teams can successfully mitigate the risk of attacks
– How to support your teams’ information security goals
– The most overlooked risk that every company has
– How to understand and communicate with technical people
– How to keep up with today’s information security risks

Opening Remarks

9:00am - 9:30am Washington Ballroom SOURCE Team

Keynote: Zero-trust Networking and Cloud Transformation

9:30am-10:15am Washington Ballroom Richard Stiennon, Chief Research Analyst, IT-Harvest

Abstract:

The CIO’s journey to a cloud-first strategy. The end-game is one where applications are hosted in the cloud and visible only to authorized users. Real world examples of success provided. The cloud becomes the data center. The internet becomes the corporate network. There is hope for the future but some dire consequences for traditional network security appliance vendors who lag behind the curve.

Bio:

Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 2,400+ vendors that make up the IT security industry. He has presented on the topic of cybersecurity in 29 countries on six continents. He is a lecturer at Charles Sturt University in Australia. He is the author of Secure Cloud Transformation: The CIO’s Journey and Surviving Cyberwar (Government Institutes, 2010) and Washington Post Best Seller, There Will Be Cyberwar. He writes for Forbes, CSO Magazine, and The Analyst Syndicate. He is a member of the advisory board at the Information Governance Initiative and sits on the Responsible Recycling Technical Advisory Committee, the standard for electronic waste. Stiennon was Chief Strategy Officer for Blancco Technology Group, the Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that he was VP Research at Gartner, Inc. He has a B.S. in Aerospace Engineering and his MA in War in the Modern World from King’s College, London. Follow @cyberwar on Twitter.

Speed Networking

10:15am - 11:00am Washington Ballroom SOURCE Team

Speed networking has become a perennial favorite of the SOURCE Conference, and is one of our defining features! During this session, we use a fun speed networking format to get a chance to meet some of our fellow attendees. It’s a great way to meet a few people that you will cross paths with many times over the next three days of the conference. Not to be missed!

11:00 - 11:35am Networking Break

Getting into the Privacy Game: How An American Alternative Can Counter the Rise of Digital Authoritarianism

11:35am - 12:15pm Washington Ballroom Andrea Little Limbago, Chief Social Scientist, Virtru

Abstract:

Governments across the globe are implementing data storage and access restrictions to control information and data flows within their borders. Coupled with censorship and surveillance, this new model of digital authoritarianism is gaining traction globally. While the European Union’s General Data Protection Regulation provides one democratic alternative to this model, the United States’ approach to data protection and privacy remains decentralized, industry-specific, and complex. Despite expanded discussions on data privacy in Congress, a unified, federal data protection and privacy framework remains stalled due to misperceptions around trade-offs pertaining to data protection. Various groups contend there must be compromises between security and convenience, privacy and innovation, and data protection and national security. By dispelling these false dichotomies, meaningful progress can be made toward a coherent federal data protection framework. Such a framework would have far-reaching implications beyond U.S. borders and provide a democratic counter-punch to digital authoritarianism. Absent such U.S. leadership in this area, external forces – many of which hinder cross border data flows and privacy – will continue to redefine the U.S. business landscape in ways that may run counter to American interests and a robust digital economy.

Bio:

Dr. Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and society. She is currently the Chief Social Scientist at Virtru, where she researches and writes on the geopolitics of cybersecurity, global data protection trends, and usable security. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, War on the Rocks, and Forbes. Andrea frequently presents on a range of cybersecurity topics such as norms, attacker trends, computational propaganda, data protection, and workforce development. Andrea is also a Senior Fellow and Program Director for the Emerging Technologies Law and Policy Program at the National Security Institute at George Mason, and contributes to numerous security conference program review committees. She previously was the Chief Social Scientist at Endgame. Prior to that, Andrea taught in academia and was a technical lead at the Department of Defense, where she earned a top award for technical excellence. Andrea earned a PhD in Political Science from the University of Colorado at Boulder.

7 Habits of Highly Effective Adversaries

11:35am - 12:15pm Library Joe Gray, Senior Security Architect, IBM

Abstract:

Despite having undergone a renaissance in terms of refining methods of both offense and defense from a professional sense over the years, there is still much disparity in terms of career navigation. Even from the sense of malicious adversaries, their TTPs evolve alongside the defense techniques. How does one get into this frame of mind and what should they do to improve and innovate?

As someone who spent their whole career on the blue team, I am working on moving to the red team. This presentation talks about the tools, techniques, and procedures (TTP) to be successful as an adversary, whether operating as a penetration tester or red team operator while leveraging blue team experience.

Bio:

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.

AppSec Accelerator: Making your DevSecOps Fly

11:35am - 12:15pm Shubert Darren Meyer, Manager of Applied Research, Veracode

Bio:

Darren P Meyer currently manages the Applied Research group at Veracode, a Boston area Application Security organization. His 12 years of experience as an AppSec practitioner, advocate, and educator in organizations from startup to Fortune 50 has given him a well-rounded view of real-world challenges.

12:15pm - 1:20pm Lunch

Threat Model Every Story - Developers are architects too

1:20pm - 2:00pm Washington Ballroom Izar Tarandach, Lead Product Security Architect, Autodesk Inc.

Abstract:

The good old days of waterfall! You had “The One Design To Bind Them All” and once it got all agreed, the developers would happily implement it “per spec”. But alas, we are not there anymore. Agile methodologies basically guarantee that the deployed system will change, and change fast, since inception. Design emerges as it develops. How do we cope with that in Threat Modeling? This talk explores moving to a team-based collaborative and continuous Threat Modeling methodology, and how the dialog has moved the dependency away from security SMEs and into the team.

PyTM, an Open Source lightweight threat-modeling-as-code support system, is also presented.
(Although Agile and waterfall are mentioned, this is a methodology-agnostic talk.)

Bio:

Izar Tarandach is Lead Product Security Architect at Autodesk Inc. Previously, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC and, for a long time before that, a Security Consultant at the EMC Product Security Office. With more years than he’s willing to admit to in the information security arena, he is a core contributor to the SAFECode training effort and a founding contributor to the IEEE Center for Security Design. He holds a master’s degree in Computer Science/Security from Boston University and has served as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

[WORKSHOP - DOUBLE SESSION] Acquiring and Retaining Cybersecurity Talent: A Proven Model

1:20pm - 3pm Library Deidre Diamond, Founder/CEO, CyberSN

Abstract:

Workforce development is reliant on the combination of a subject-matter common language framework of projects and tasks. Job descriptions are then derived from this same framework of subject-matter project and task definitions. A career development plan based on standardized projects and tasks, along with a culture that allows for psychological safety, will allow you to acquire and retain talent. When we combine daily processes of business operations derived from a subject-matter common language, in which all teammates know their role and the roles of others on the team (along with a culture that allows humans to think, feel and perceive without negative consequences), we can truly experience workforce development in any subject-matter profession. Hear how to achieve this success in cybersecurity. Between our technology and our theories, we are showing that organizations can obtain cybersecurity talent in less than 60 days and retain them.

Bio:

Deidre Diamond is the Founder/CEO of national cyber security staffing, research and technology company CyberSN (cybersn.com), the Founder of #brainbabe (brainbabe.org) and an ICMCP Strategic Board Member. Deidre was previously the CEO of Percussion Software, the first VP of Sales at Rapid7 (NYSE:RPD) and the VP of Sales at Motion Recruitment.

AWS Architecture Flaws

1:20pm - 2:00pm Shubert Apollo Clark, Consultant

Abstract:

As enterprise companies move to cloud providers en masse, it is important to understand the most common security architecture flaws they will encounter. This talk will explore the insecure defaults on AWS, what is available, and how to implement it.

Bio:

Apollo Clark is a Cloud Security Engineer, with 18 years of IT industry experience, an early adopter of AWS back in 2010.

Entrepreneur Support Group

2:20pm - 3:00pm Washington Ballroom SOURCE Team

Have you ever thought about starting a company? Have you ever actually done it?

Come join founders and future founders for a frank discussion of the challenges of being an entrepreneur in the Information Security space, and various strategies for managing them.

I’d like to use SOURCE as a hub for InfoSec entrepreneurs to network and have a support system they can fall back on when they need it. This session is a way of kicking that off.

We will tailor the discussion to the folks in the room and cover the things you’d like to know about. If starting companies is your thing, you’ll definitely want to attend this session.

Let's Blow up the SIEM and Start Over

2:20pm - 3:00pm Shubert Craig Chamberlain

Abstract:

Security and Operations teams spend a staggering amount of time and money buying and managing security products. We manage vast fleets of expensive, complex security agents and million-dollar next-gen blinkyboxes. We sit through endless budget meetings about data analytics tools that charge by the byte and actually disincent us from collecting and analyzing the quantities of data we need to accomplish our missions. All of this overhead dilutes our attention and creates drag that degrades team focus, reduces output, and consequently increases risk. Security product sprawl is as much a threat to success as anything the attackers are doing.

What would an alternative world look like? Much of what the analytic, detection, monitoring oriented security products do – from generating primary data to pipelines and analytics – can be accomplished using lightweight, free and open source tools. We present Bark – a buzzword compliant framework of FOSS security tools used in concert to detect all the things and perform SIEM-like functions in the ELK stack with certain sidecar tooling. Compliance monitoring, behavioral and specification based intrusion detection, database monitoring, data loss detection, security analytics and threat hunting can be accomplished through the coordinated usage of open source tools. Another, and perhaps the most compelling, advantage of the open source approach is the freedom to engage in community driven development and sharing of searches and analytics, which is sometimes missing in the black-box security product space.

Bio:
Craig is a seasoned security leader with twenty years experience in security including service as a cloud security lead in one of the larger AWS environments. He is a patent holder; published researcher; advisor to various security product plays and VCs; credited bug hunter; and a veteran of four startups including two successful exits. A devotee of the “purple team” movement, he studies both offensive and defensive security art in order to better detect all the things. He has contributed, as an architect and / or core business logic developer, to three successful security products, and six large-scale security monitoring and threat hunting projects, in both cloud and terrestrial environments. He has been a SIEM / security analytics developer and / or threat hunter in the defense, financial, government, military and software manufacturing sectors. He has presented at the MISTI NetSec ESummit, B-Sides Boston, B-Sides Washington DC, SOURCE Boston, OpenSec Boston, Cloud Security World, and, a long time ago in a galaxy far away, ACSAC and the DHS Science & Technology Conference.

3:00pm - 3:45pm Coffee/Networking Break

Interactive Session

3:45pm - 4:25pm Washington Ballroom SOURCE Team

Explain Yourself! [Interactive Session]

4:45pm - 5:30pm Washington Ballroom Rob Cheyne, Executive Director, SOURCE Conference

In this highly interactive session, Rob Cheyne will explore the communication gap that exists between the business side of the house and the technical and security sides of the house.

Rob will challenge participants to clearly explain common business and technical terms, and will act as universal translator as necessary.

This end-of-day session will be a lot of fun, and also an eye-opening glimpse into why communication often breaks down within organizations.

5:30pm - 7:00pm DAY ONE NETWORKING RECEPTION!

Opening Remarks

9:00am - 9:30am Washington Ballroom SOURCE Team

BountyCraft - The Panel

9:15am - 10:15am Washington Ballroom Chloé Messdaghi, JP Villanueva, Jason Haddix, Vanya Gorbachev, Bugcrowd

Abstract:

Every security tester has some sort of methodology and toolset they use. This “secret sauce” is the essence of good security research. BountyCraft the panel is about disclosing those secrets. The panel will talk through the successful tools and techniques used by the panelists, what do they focus on, and why. They will discuss topics such as advents in tooling, approaches to different types of applications, reconnaissance, vulnerability trends in bounty, and more. Viewers will leave this presentation with knowledge of practical recommendations for hacking methodologies, tools, and tips to better hack. The panelists will talk through vulnerabilities commonly seen as edge cases that have been present on heavily tested sites, and what are the upcoming challenges in the space.

This talk focuses on the present and future of bounty hunting and web hacks, so that bug hunters and penetration testers can be knowledgeable about the various environment trends. We will be going over the changes to the web attack landscape and how web hackers can better find bugs in the web applications that are currently being developed.

Bio:

Chloé Messdaghi is a Security Researcher Advocate/PMM @Bugcrowd. Since entering the cybersecurity space, she has seen security as a humanitarian issue. Data breaches don’t just impact companies, but governments, environments, and people. This can adversely affect the lives of the most vulnerable persons as well. Hence, her previous and current humanitarian passion has led her to become passionate about cybersecurity. Her humanitarian work includes advising as a UN Volunteer and serving as a board member for several humanitarian organizations. Chloé is also the head of the WIST organization, a mentor and advocate for inclusion in tech, and the founder of a nonprofit called Drop Labels.

SNAP Talk: The Bottom of the Barrel

10:15am - 10:35am Washington Ballroom Patrick Colford, Security Analyst, Cisco Umbrella

Started in 2002, pastebin.com has become the largest service of its kind in the world, serving 18 million visitors monthly and hosting 95 million pastes. Though used for lots of legitimate content, malicious actors have been using the site to distribute obfuscated malware and other malicious content for years. In this presentation, I’ll demonstrate FIERCECROISSANT, an open source tool for scraping Pastebin and decoding obfuscated malware. I’ll also talk about how to tailor FC to your needs, whether that’s to find data dumps, malicious pastes, or other potentially harmful content.

Bio:

Patrick Colford is a Security Analyst with Cisco Umbrella (formerly OpenDNS). Formerly a Customer Service Representative with nearly 10 years of experience, he joined the analyst team in 2016 to help support Umbrella’s London office. He is passionate about security education and hopes to inspire people all over the world to learn more about whatever interests them.

SNAP Talk: The Hero’s Journey – Using Your Stories to Influence

10:40am - 11:00am Washington Ballroom Mary Cheyne

Abstract:

Recognizing your own hero’s journey & being able to articulate it will enable you to influence more people.

Whether you’re speaking with others in a client meeting, presenting to stakeholders or in a job interview, there is no downside to being better at telling your stories.

In this snap talk, we discover how your hero’s journey humanizes you, and how being able to express it in a way that captivates people makes you compelling.

Bio:

Mary Cheyne, MBA, is a Transformational Public Speaking Trainer & Coach, and the 2009 World Champion of Public Speaking first runner-up, out of 25,000 contestants from 14 countries.

She has trained over 15,000 people in 30 cities around the world, including those in Australia, Europe, Asia, Canada & the United States. She taught communications-related classes at Northeastern University in Boston for 7 years.

She is the best-selling author of the book “Present” Yourself in Public Speaking – Tell Your Inner Critic to SHUT UP! And the Real You to SPEAK UP!

This vast experience has led Mary to one important, unvarnished conclusion: “To communicate and persuade effectively, the first person you need to convince is YOURSELF.”

Her mission is to educate and empower individuals to use public speaking as the doorway to personal liberation, and to use the gift of speech to create impact in the world.

11:00am - 11:35am NETWORKING BREAK

How Bad Incentives Led to Crypto Mining Malware, and What To Do About It

11:35am - 12:15pm Washington Ballroom Sandy Carielli, Director of Security Technologies, Entrust Datacard

Abstract:

Crypto mining came about because human beings are terrible at creating incentives. In this presentation, we’ll discuss economic and systems principles about incentives, trace the rise of crypto mining malware to early incentive design for public blockchain and consider the pros and cons of alternative incentive models that could mitigate the popularity of crypto mining malware in the future.

Bio:
Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.

Why data-driven personalized journeys are the future of security training.

11:35am - 12:15pm Library Masha Sedova, Co-Founder, Elevate Security and Aika Sengirbay, Senior Security Engagement Specialist at Autodesk.

Abstract:

When it comes to security training, one size does not fit all. Learn how Autodesk rethought security awareness training by leveraging behavioral data to create ongoing personalized security snapshots for each employee. These enabled individual recommendations and action items for each person resulting in successful changes to security behaviors company-wide.

Bio:

Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering the first human-centric security platform that leverages behavioral-science to transform employees into security superhumans. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and regular presenter at conferences such as Blackhat, RSA, ISSA, Enigma and SANS.

Masha will be presenting with Aika Sengirbay.

Aika Sengirbay is the Senior Security Engagement Specialist at Autodesk. She is building an awareness program that is driving a secure mindset amongst all employees by using security behavior testing and data analytics. The scope of her work runs the gamut of general security awareness such as phishing and reporting activity to secure engineering practices by developers and engineers. Aika and her team are building security simulations, company-wide campaigns, and custom lab environments to drive effective learning of key security behaviors. These efforts are enabling successful changes to security behaviors company-wide in Autodesk. Prior to Autodesk, Aika was a member of the information security team at Gap focusing on strategy and governance with rotations to the incident response and red team. She holds a BS in Journalism.

Social Forensication: A Multidisciplinary Approach to Successful Social Engineering

11:35am - 12:15pm Shubert Joe Gray, Senior Security Architect, IBM

Abstract:

This presentation outlines a new twist on an existing social engineering attack. In the past, we have worked on getting users to plug in USB devices to drop malicious documents and executables. While this attack sometimes proves our point, it is only the tip of the iceberg of what can be done. Enter Social Forensication.

This is a two-pronged attack, consisting first of collecting a memory image for offsite offensive forensic analysis, the second being a rogue Wi-Fi access point attack. During this presentation, we will walk through the steps to perform each attack. Since defense is just as (if not more) important as the attack itself, we will also discuss mitigations (technical and procedural) and relevant Windows detections for these attacks.

Bio:

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.

Measuring Cyber Best Practices in the Age of IoT

1:20pm - 2:00pm Washington Ballroom George Wrenn, CEO and Founder, CyberSaint Security

Abstract:

The age of digitization is upon us, and measuring compliance and risk is only getting more complex. Drawing from his time at MIT, Schneider Electric, and more, George Wrenn gives an exciting talk about the importance of not only implementing cybersecurity and data privacy best practices, but also measuring them. A technical expert and long-time student of Cyber Warfare frameworks, George will explain how to combat today’s threats with risk measurement and analysis, and how to implement frameworks such as NIST’s new IoT draft and more. Bringing compliance and risk together for the discussion, and touching on elements of the GDPR regulation, Smart Grid, Secure Cloud and others, George will not simply lay a background that paints today’s world as complex as ever, but will give listeners actionable insights to take back to their own organizations, as they look to the NIST CSF, RMF, and other methods to give them an accurate representation of risk in their rapidly evolving environments.

Bio:

George Wrenn is a Research Affiliate in Management Science at the MIT Sloan School of Management, the founder & CEO of CyberSaint Security, and was formerly the Vice President of Cybersecurity (CSO) for Schneider Electric. He has more than 20 years of experience in the field of cyber security.

Prior to the present role, George was a senior managing consultant with IBM helping cross-industry Fortune 1000 customers reach compliance with NIST, FISMA, ISO/IEC, HIPAA, PCI, NERC/CIP, and other key regulatory frameworks, developing cyber security strategy, roadmaps, and global cyber security programs.

He is an expert in cloud security and has been awarded US patents in this area. Other roles in his career have spanned from Managed Security Services (MSS) to Security Product Development and Secure Cloud Computing. In addition to this experience, George has served as Director of Security for a fully regulated financial services company, where he managed regulatory compliance efforts and the internal security office, protecting over $99 trillion in stock market transactions yearly. He later led cyber security product management and business improvement projects at RSA Security and EMC Corp. He has frequently appeared as a keynote and panel speaker at events such as NIST’s recent Risk Management Conference and others.

George is a graduate of Harvard University and has attended executive programs at Harvard Business School and the Harvard Kennedy School. As a Graduate Fellow at MIT for over a decade, he conducts research and advanced coursework at the MIT Media Lab, the Sloan School of Management, the School of Engineering, the School of Architecture and most recently the MIT Security Studies program working on Cyber Warfare frameworks. He is also an Affiliate and Researcher at MIT’s Executive Development program specializing in the NIST Cybersecurity Framework.

George has had an NSA-sponsored ISSEP credential, a Certified Ethical Hacker (CEH) and CISSP for more than 12 years. He is a Lean Six Sigma Black Belt, Certified Lean Practitioner, and has Kaizen Facilitator certifications. George has experience working with the complex Cloud, Government, IT, ICS, audit and national regulatory frameworks. He was also a mission-oriented Operations Officer and SAR/DR Pilot (Officer 1st Lt. USAF/Aux) where he served as 1st lieutenant, and has received a National Commander’s Commendation Award for outstanding duty performance with the Hanscom Composite Squadron (HCS-MA-043) based at Hanscom Air Force Base.

[WORKSHOP - DOUBLE SESSION] How to Tell Engaging Stories to Get What You Want

1:20pm - 3:00pm Library Mary Cheyne

Abstract: 
Your ability to tell compelling stories is what separates you from the crowd.

Whether it’s shining at a job interview, contributing an idea during a client meeting or presenting to important stakeholders to get their buy-in, you will benefit greatly from knowing how to tell engaging stories.

Most people are overly informational in the way they tell stories. As a result, the people listening are bored and tune out.

This program will show you how to say goodbye to being boring & hello to LIFE. Discover how to tell stories that leave your listeners wanting more.

In this workshop, you will:

  • Receive tools & frameworks to tell compelling stories.
  • Learn how to engage your listener and keep them at the edge of their seat.
  • Add excitement to the delivery of your own stories.
  • Receive coaching feedback on your stories.

Bio:

Mary Cheyne, MBA, is a Transformational Public Speaking Trainer & Coach, and the 2009 World Champion of Public Speaking first runner-up, out of 25,000 contestants from 14 countries.

She has trained over 15,000 people in 30 cities around the world, including those in Australia, Europe, Asia, Canada & the United States. She taught communications-related classes at Northeastern University in Boston for 7 years.

She is the best-selling author of the book “Present” Yourself in Public Speaking – Tell Your Inner Critic to SHUT UP! And the Real You to SPEAK UP!

This vast experience has led Mary to one important, unvarnished conclusion: “To communicate and persuade effectively, the first person you need to convince is YOURSELF.”

Her mission is to educate and empower individuals to use public speaking as the doorway to personal liberation, and to use the gift of speech to create impact in the world.

Injecting Proactive Security Controls in Software Development

1:20 - 2:00pm Shubert Katy Anton, Principal Application Security Consultant, Veracode

Abstract:

SQL injection was first mentioned in a 1998 article in Phrack Magazine. Twenty years later, injection is still a common occurrence in software applications (No. 1 in the latest OWASP Top 10 2017). For the last 20 years, we have been focusing on vulnerabilities from the attacker’s point of view, and SQL injection is still King. Something else must be done.

How can developers write more secure applications? Which security controls are an absolute must-have, and which additional security measures do you need to take into account?

These are hard questions, as evidenced by the numerous insecure applications we still have today. Starting from real-world examples, we will discuss the security controls that developers are familiar with, and offer actionable advice on when to use them in the software development life cycle and how to verify them.

Recommended to security professionals looking to integrate security in their software applications.

Bio:

Katy Anton is a security professional with a background in software development. An international public speaker, she enjoys speaking about software security and how to secure software applications.

In her previous roles she led software development teams and implemented security best practices in the software development life cycle. As part of her work she got involved in the OWASP Top Ten Proactive Controls project, where she joined as project leader.

In her current role as Application Security Consultant, Katy works with security teams and software developers around the world and helps them secure their software.

The wild wild west of IoT Security in the Enterprise

2:20pm - 3:00pm Washington Ballroom Anand Srinivas, CTO & Co-founder, Nyansa, Inc.

Abstract:

As organizations deploy non-traditional networked devices to address business critical initiatives, they face new challenges of how to codify and control the behavior, performance and security of these devices. For instance, connected infusion pumps, EKG machines, and smart temperature sensors in healthcare; smart robots, connected tools and barcode scanners in manufacturing and distribution, and even esoteric connected devices such as smart lights, speakers, digital frames, 3D-printers, etc. in any industry. These modern IoT devices create unique threats that differ from other connected devices, rendering traditional security tools ineffective.

This talk will describe the challenges and techniques required to secure these IoT devices, starting with (1) Automatically Identifying them, (2) Using artificial intelligence (AI) and machine learning (ML) to understand their “normal” behavior and detecting deviations, (3) Taking action to secure abnormally behaving devices, and (4) Using proper network segmentation to prevent future issues. Examples from live environments will be used to show the kind of wild wild west IoT environment enterprise Security and IT teams have to deal with and the methods for doing so.

Bio:

Anand Srinivas is the Chief Technology Officer and Co-founder of Nyansa, a performance analytics and IoT security company in Palo Alto, Calif.

Prior to starting Nyansa in 2013, Anand was an SDN/NFV Consultant for Overture Networks, and prior to that, he was the Lead Algorithms Architect at Plexxi Inc, responsible for core contributions to SDN system architecture, algorithmic architecture and protocol/API design.

Earlier in his career, Anand worked as a Senior Systems Engineer and Principal Engineer for Airvana, where he was responsible for detailed algorithm specifications for LTE product differentiators.

Anand holds a B.A.Sc in Computer Engineering from University of Toronto. He also holds an S.M., Dual in EECS and Aero-Astro and a PhD in Wireless Networking and Algorithms from MIT.

Hacking Social: The State of Social Media Security

2:20pm - 3:00pm Shubert Sam Small

Abstract:

The biggest blind spot in your enterprise security architecture is social media. Attackers hijack company accounts, launch spearphishing campaigns at employees around the globe, build fraudulent accounts to socially engineer executives and attack customers at scale. Worst of all? These threats never trip an alarm in the SOC, and InfoSec teams have zero visibility, zero control and zero ability to remediate. Your business is on social media. Are you protecting it?

Join ZeroFOX, the social media & digital security experts, to explore truths about the modern social and digital landscape, take a deep dive on major social media TTPs, and investigate trends & predictions from a half-decade of studying social threats.

Bio:

Dr. Sam Small serves as the Chief Security Officer of ZeroFOX, helping its customers implement world class social-media protection programs and supporting ZeroFOX to continuously advance its role as the innovation leader of social-media and collaborative-technology security solutions. After earning his doctorate in computer science from Johns Hopkins University, Sam was a lecturer, led an academic security research lab, and launched two security-industry startups, including Fast Orientation where he most recently served as CEO and continues to maintain a non-operational role as Chairman. In addition to his technical and entrepreneurial pursuits, Dr. Small has provided expert technology and security assessments of dozens of organizations and vendor products and conducted due diligence assessments for more than a dozen software-industry investments, mergers, and acquisitions. He has also served as an expert witness in several high-profile security, software, and network-related lawsuits. His work and research have been covered in publications including Wired, The New York Times, The Washington Post, New Scientist, CNET, ZDNet, and slashdot.

3:00pm - 3:45pm COFFEE/NETWORKING BREAK

Hallway Con: Learn & Share [Interactive Session]

3:45pm - 4:25pm Washington Ballroom Rob Cheyne, Executive Director, SOURCE Conference

This is a new session that we’re trying out at SOURCE Boston 2019 for the first time.

This will be fun and interactive, and will accomplish a number of things at once:

  • Network with your peers
  • Reflect on what you’ve seen at the conference in a unique way
  • Share what you’ve learned with your fellow conference goers

In this facilitated session, you’ll get a chance to meet some new people and share what you’ve gotten from the conference so far.

Security HOT SEATS [Interactive Session]

4:45pm - 5:30pm Washington Ballroom Rob Cheyne, Executive Director, SOURCE Conference

Security Hot Seats is something we started doing last year, and we’ve had a lot of fun with it. In this session, Rob Cheyne will facilitate live conversations on a variety of hot InfoSec topics.

5:30pm - 7:00pm DAY TWO NETWORKING RECEPTION

Opening Remarks

9:00am - 9:30am Washington Ballroom SOURCE Team

Keynote

9:30am - 10:15am Washington Ballroom Pete Lindstrom, Vice-President of security research with IDC's IT Executive Program (IEP)

Abstract:

We live in a world of scarcity, tradeoffs, cognitive biases, and unintended consequences, and the cybersecurity field has its share of these. Meanwhile, we often characterize the security state of technologies, platforms, and environments using the false dichotomy of “secure” or “insecure” and make judgments based on perceived notions of dread without recognizing the pervasive complexities and nuances that affect decisions. This talk will identify the traditional economic concepts evident in cybersecurity, address the myriad ways we are impacted by them, and provide a decision framework that allows organizations to develop and manage an efficient and effective security program.

Bio:

Pete Lindstrom is Vice-President of security research with IDC’s IT Executive Program (IEP). He has extensive and broad expertise with a variety of information security products, but is best known as an authority on cybersecurity economics issues such as strategic security metrics, estimating risk and return, and measuring security programs. He has also focused on applying core risk management principles to new technologies, architectures, and systems, focusing on the use of virtualization, cloud security, and big data. He has developed the “Four Disciplines of Security Management” (a security operations model), and the “5 Immutable Laws of Virtualization Security,” which was integrated into guidance from the PCI Council.

Prior to joining IDC in 2014, Pete accumulated 25 years of industry experience as an IT auditor, IT security practitioner, and industry analyst. He is a frequent contributor to business and trade publications and is often quoted in USA Today, WSJ Online, Information Security Magazine, VAR Business, Searchsecurity.com, and CSO Magazine. His columns and articles have appeared in Information Security Magazine, Searchsecurity.com, ISSA Journal, and CSO Online. Additionally, Mr. Lindstrom is a popular speaker at the RSA Security Conference, InfoSec World, ISSA International Conference, and many regional conferences.

Pete served as an officer in the U.S. Marine Corps and received a bachelor’s degree in Business Administration (Finance) from the University of Notre Dame.

Interactive Q&A: Pete Lindstrom

10:15am - 11:00am Washington Ballroom Pete Lindstrom, Rob Cheyne

Rob will interview Pete on a variety of InfoSec topics immediately after his keynote, and will facilitate conversations with the audience.

11:00am - 11:20am NETWORKING BREAK

Why is Artificial Intelligence Hard? What You Need to Know.

11:20am - 12:00pm Washington Ballroom Sandy Carielli, Director of Security Technologies at Entrust Datacard

Abstract:

Artificial Intelligence is a growing trend, but there are a lot of misconceptions about what it is, what it can do and what is necessary for AI-powered solutions to be successful. If you want to incorporate AI into your environment or product, what do you need to know? We will cover basic terminology, provide many examples and help dispel some common AI “myths.”

Bio:
Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.

Job Searching is Broken, It's Not You!

11:20am - 12:00pm Library Adrianna Iadarola, Managing Director, CyberSN

Abstract:
Cybersecurity professionals know that most recruiters do not speak cybersecurity and this causes passive cyber job seekers to pass over job postings. Existing job postings do not accurately reflect the responsibilities and job functions of the 35 job categories in cybersecurity, and our community posts the same handful of descriptions for all their job postings. Hiring managers and staffing professionals must better understand how to market themselves in an industry with half a million open jobs in the US.

Adrianna will share key information, tactics, and advice in this talk. She will empower job seekers to self-market, evaluate recruiters, ace the interview, and successfully negotiate salary and will share tips for hiring managers and staffing professionals to target and attract their ideal candidates.

Bio:
Adrianna Iadarola is a Managing Director at CyberSN, the nation’s largest cybersecurity staffing firm. She oversees the business development and client servicing for the entire New England region. Before joining CyberSN, she worked in the tech staffing field for 10 years. Iadarola has been instrumental in growing and developing the CyberSN footprint through building strategic partnerships, stellar leadership attributes, and her willingness to work side by side with cybersecurity hiring managers and candidates to help them find the perfect fit. She is a champion for increasing the number of women in tech and cybersecurity positions and was an early ambassador of the not-for-profit org Brainbabe. She resides in Northern MA with her son. She has worked with the Girl Scouts of America on their cybersecurity patches and enjoys boxing.

4 Ways to Identify Microservices Leaking Critical Data

11:20am - 12:00pm Shubert Alok Shukla

Abstract:

The fastest growing problem in application security is data leakage. The adoption of microservices, combined with increasingly shorter development cycles, means that understanding how critical data flows into, within, and out of an application is more complex than ever. While microservice architectures have increased efficiency in innumerable ways, they can also silo developer knowledge such that understanding how every other service handles data, and what each service defines as sensitive, is incredibly difficult.
Hence, numerous examples of critical data leakages have led to recent breaches:
• Uber – November 2017: 57 million records breached because developer credentials were accidentally leaked into GitHub
• Wag Labs – January 2018: On-demand dog walking service publicly leaked both customers’ addresses and lockbox key codes to their corporate website
• Mixpanel – February 2018: Exposed 25% of their customers’ credentials to potentially every system they’ve authenticated into while cookied

Yet, despite the name, traditional Data Loss Prevention (DLP) approaches provide little help to developers. DLP solutions are focused on solving IT-centric problems generally initiated by users’ behavior. How can developers identify data leakages in the applications they build? And how can it be accomplished for every version of every microservice in every release? This session will cover:

• Why data leakage is increasing in its complexity
• How to address underlying factors driving the challenge
• Traditional DLP approaches
• Web application firewalls
• Source code analysis
• Semantic graphing

12:00pm - 1:00pm LUNCH BREAK

ATT&CKing from Every Angle: How you can use MITRE ATT&CK™

1:00pm - 1:40pm Washington Ballroom Jen Burns, Senior Cybersecurity Engineer, The MITRE Corporation

The open-source MITRE ATT&CK knowledge base continues to increase in popularity in the cybersecurity community, as confirmed by ATT&CK’s 16,000+ Twitter followers and the increasing number of security vendors embracing ATT&CK as a tool to categorize techniques, tactics, and procedures. Although ATT&CK started as a project at MITRE almost five years ago as a way to categorize common adversary behavior to allow red and blue teams to better communicate, there are now many ways ATT&CK is being used by the community, including to create detections, to categorize threat intelligence, to evaluate security software, and even to provide a common language for SOC analysts and engineers to communicate with C-suite executives. Everyone will walk away from this talk with a better understanding of ATT&CK and practical use cases for the knowledge base, but more specifically engineers will learn how to apply ATT&CK to make better resource decisions, analysts will learn how to organize intelligence using ATT&CK, and defenders will understand how to improve defenses with behavioral detections based on ATT&CK.

Bio:

Jen Burns is a Senior Cybersecurity Engineer who joined MITRE shortly after earning her Master’s in Information Security from Carnegie Mellon University. She’s the infrastructure lead for ATT&CK and an ATT&CK content developer, focusing on macOS. She also works in MITRE’s cyber analytics capability area, researching the application of generative adversarial machine learning on the detection of phishing domains.

Multidimensional Attack Path Analysis: Eliminating Network Blind Spots

1:00 - 1:40pm Library Peter Smith, CEO & Founder, Edgewise

Abstract:

Cyber attackers invariably exploit the easiest vulnerability to enter your network undetected. But rarely is the initial entry point the intended target. Attackers almost always use a multi-step process for exploiting exposed network pathways to move laterally towards your most valuable data and applications. Within any given network there may be hundreds or even thousands of these network pathways, yet most security and networking teams don’t know what those pathways are, much less which ones offer the shortest viable paths that allow attackers to efficiently reach their ultimate target. If you don’t know how your attacker can get there, how do you prioritize protection? What you need is network visibility from the right perspective.

Offensive maps are an extremely valuable tool for analyzing which low-friction network pathways exist between attackers and targets, and anticipating attackers’ next move, given a view of all viable options. That said, when scanning the network for open pathways and trying to understand attackers’ potential actions, most organizations take a one-dimensional view of how to travel from point A to point B. Doing so leaves gaps in visibility.

In this session the speaker will demonstrate how to use DNMap to scan a network to collect data and create files of the results; process those files using Python for graph analysis; then use the open source vulnerability database (OSVDB) to expose viable paths attackers can exploit. All tools demonstrated will be free or open source.

When dealing with immense complexity, as is the case for most network data, being able to localize focus allows for a more thorough analysis of all the viable pathways an attacker may attempt to exploit. This talk will help attendees learn how to unveil points of concern in their networks and answer the questions, “Which network targets do I care about? How do I concentrate massive amounts of data so I can be more prepared?”

This talk will include a demonstration of how to find all possible pathways in a simulated network environment, and how to cull that information to show only viable paths (using scripts and tools already installed on most security practitioners’ machines). The speaker will then share the motivations and practical implications of conducting a multipath attack analysis, giving attendees the information they need to conduct this type of analysis on their own networks when they return to their offices.

Bio:

Peter Smith, Edgewise Founder and CEO, is a serial entrepreneur who built and deployed Harvard University’s first NAC system before it became a security category. Peter brings a security practitioner’s perspective to Edgewise with more than ten years of expertise as an infrastructure and security architect of data centers and customer-hosting environments for Harvard University, Endeca Technologies (Oracle), American Express, Fidelity UK, Bank of America, and Nike. Most recently, Peter was on the founding team at Infinio Systems where he led product and technology strategy.

Cloud Intrusion Detection and Threat Hunting With Open Source Tools

1:00pm - 1:40pm Shubert Craig Chamberlain, Founder, SpaceCake

Abstract:

By popular request, this is a sequel to a 2017 talk entitled “Engineering Challenges Doing Intrusion Detection in the Cloud.” Security teams often ask for “network intrusion detection” but conventional, specification-based intrusion detection paradigms, particularly around network intrusion detection, are not easily applied to the software defined network abstractions that power multi-tenant public clouds. The 2017 talk was about the experience of doing intrusion detection at scale at one of the ten largest AWS environments at the time. One of the major lessons learned during this time is that in the public cloud, where direct network instrumentation is unavailable, doing behavioral detection with endpoint data is often more effective and more efficient. Mandating the installation of terrestrial network security products onto software defined networks of the sort utilized in public clouds is not always the most productive approach.

This talk presents a practical demonstration of doing behavioral intrusion detection, threat hunting and security analytics using free and open source tools. Most security analytics use cases including compliance monitoring, behavioral and specification based intrusion detection, database monitoring, data loss detection, machine learning, security analytics and threat hunting can be accomplished through the coordinated usage of open source tools. This approach avoids numerous pitfalls facing security teams today such as managing fleets of complex and expensive security agents and operating metered data analytics platforms whose bills force difficult decisions about which data to ingest. Another, and perhaps the most compelling, advantage of the open source approach is the freedom to engage in community driven development and sharing of searches and analytics, which is sometimes missing in the black-box security product space. Demo included.

Bio:

Craig is a seasoned security leader with twenty years’ experience in security, including service as a cloud security lead in one of the larger AWS environments. He is a patent holder; published researcher; advisor to various security product plays and VCs; credited bug hunter; and a veteran of four startups including two successful exits. A devotee of the “purple team” movement, he studies both offensive and defensive security art in order to better detect all the things. He has contributed, as an architect and / or core business logic developer, to three successful security products, and six large-scale security monitoring and threat hunting projects, in both cloud and terrestrial environments. He has been a SIEM / security analytics developer and / or threat hunter in the defense, financial, government, military and software manufacturing sectors. He has presented at the MISTI NetSec ESummit, B-Sides Boston, SOURCE Boston, OpenSec Boston, Cloud Security World, and, a long time ago in a galaxy far away, ACSAC and the DHS Science & Technology Conference.

Managing Burn-out and Self Care [Interactive Session]

1:50pm - 2:30pm Washington Ballroom Rob Cheyne, Executive Director, SOURCE Conference

Burnout is a real problem in our industry, and it’s something we all probably deal with on occasion. In this interactive session, Rob will facilitate conversations with the audience regarding self care and various ways of managing burnout before you get there.

2:30pm - 3:15pm COFFEE/NETWORKING BREAK

ATTENDEE LIGHTNING TALKS [Interactive Session]

3:15pm - 4:00pm Washington Ballroom SOURCE Team

A while back we started finishing off every conference with audience participation lightning talks. These talks can be about literally anything; the entire point is to share something you know about with the audience, and to get an opportunity to practice public speaking. Whether you speak or not, these are always a whole lot of fun, and something you won’t see at other security conferences.

You’ll definitely want to stick around for this session!

SNAP Talk: The Path of Possibilities

4:00pm - 4:20pm Washington Ballroom Rob Cheyne, Executive Director, SOURCE Conference

Last year we added a new type of talk to the SOURCE lineup, the SNAP Talk. These are 18-minute sessions, and can be on a wide variety of topics.

In the final session of SOURCE Boston 2019, Rob Cheyne will present a talk called “Considering Possibilities”. Rob quit his full-time job in 2007 to become a full-time entrepreneur, and has had to manage a roller coaster ride of challenges, successes, failures, wins, losses, ups and downs. It’s been a hell of a ride so far. This talk is an inspiring look into the mindset of possibilities that has allowed him to manage that roller coaster, with some tips for how you can manage the roller coaster of your own life.

Closing Remarks & Raffle

4:20pm - 4:45pm Washington Ballroom SOURCE Team

We always raffle off some cool stuff at the end of the event. Stick around to win prizes! You must be present to win!

$495

General Admission

  • NEW 3-DAY FORMAT!
  • Admission to all conference sessions and evening events
  • Coffee breaks, receptions
  • Exhibit Hall access

$499

One-Day Training

  • Application Security Risk for Managers
  • Level sets managers on critical security issues
  • Learn how security professionals manage risk
  • Send the entire team!

$995

Two-Day Training

  • InfoSec Train the Trainer
  • Brand new 2-day format!
  • Hands-on, practical presentation skills
  • Improve your speaking and training

Pre-Conference Training

InfoSec Train the Trainer

May 1-2, 2019 (NEW, 2 DAYS!) Communication

This course is designed for anyone who wants to improve their ability to present and train on technical topics to both technical and non-technical audiences.

Application Security Risk for Executives and Managers

May 2, 2019 InfoSec 101

This course is designed for executives and managers who want to better understand the real-world risks that their company deals with on a day-to-day basis.

Gold Sponsors

Cobalt’s Pen Testing as a Service (PTaaS) Platform transforms traditional pentesting into a data-driven vulnerability management engine. Fueled by a global talent pool of certified freelancers, our modern pentesting platform delivers actionable results that empower agile teams to pinpoint, track, and remediate vulnerabilities. https://cobalt.io

Elevate Security is working to create a world where employees want to do security and aren't forced to. Using behavioral and data science, we leverage employees' actual security behaviors to guide how and when they need training, while incorporating a FitBit-type gamification flair to encourage positive behavior change. https://elevatesecurity.com/

Since 2002, organizations have relied on Security Innovation for our unique software and application security expertise to help secure and protect sensitive data in the most challenging environments - automobiles, desktops, web applications, mobile devices and in the cloud. A best in class security training, assessment and consulting provider, Security Innovation has been recognized as a Leader in the Gartner Magic Quadrant for Security Awareness Training for three years in a row. https://www.securityinnovation.com

Venue (For reservation code e-mail info@sourceconference.com)

Downtown Marriott Boston

275 Tremont St, Boston, MA 02116

(617) 426-1400
