Mesa-Phoenix, AZ

Feb 28 - March 1, 2018

Welcome to SOURCE Mesa/Phoenix!

We have assembled an outstanding selection of speakers across a variety of disciplines, and are looking forward to bringing everyone together.

Event Highlights:
- World class InfoSec Talks
- Three tracks
- 25+ speakers
- Business, technical and people-related talks
- Excellent networking opportunities
- Public speaking workshop
- Malware analysis workshop
- SPECIAL GUEST: Arizona Cyber Warfare Range!

Check out the podcast videos below (on this page) for a sample of the excellent content that we are bringing to Mesa! More soon, check back frequently!

Come for the talks, stay for the networking and people/communications-related activities.

We have some great things in store for you!

Workshop: Packet Hunting Using Wireshark

Using Wireshark for network forensics, troubleshooting, and efficiency. Dive into the network forensics mindset by analyzing compromised and suspect data. Learn to identify network issues by understanding how to read network packets. Create efficient packet filters to become more productive.

Bio:

David Hernandez, Community & Education Outreach Coordinator at Arizona Cyber Warfare Range

David Hernandez is the Outreach and Education Coordinator for the Arizona Cyber Warfare Range. He works with industry to build real-world workshops to bring to classrooms and the AZCWR. He was previously the Project Coordinator for the NICE RAMPS Grant. As the project coordinator, he coordinated 4 workstreams to promote a stronger cybersecurity workforce in Arizona.

Conference Schedule

Pre-Conference Training Day 1

26 Feb 2018

Pre-Conference Training Day 2

27 Feb 2018

Main Conference (Talks and Workshops) Day 1

8:00 - 6:30

Main Conference (Talks and Workshops) Day 2

8:00 - 6:30

InfoSec Train the Trainer

8:00 - 5:00 Rob Cheyne

“InfoSec Train the Trainer”

Do you struggle to present technical information effectively? Does the thought of teaching a group make you sick to your stomach? Communicating technical information to any level of audience is a learnable skill and anybody can do it. This highly interactive course will help anyone be a better trainer, facilitator or presenter. Your instructor, Rob Cheyne, has trained over 25,000 people around the world on Information Security topics, and has been extensively trained on modern adult training techniques. He will publicly share some of his best secrets and lessons learned for the first time ever in this course.

Who should take this course:

This course is designed for anyone who wants to improve their ability to present and train on technical topics to both technical and non-technical audiences.

Sign up now before seats run out!

When: Monday, Feb 26, 2018, 9am-5pm

Full Ticket Price: $499

Early-Bird: $399 (avail through 02/15/18)


Application Security Risk for Executives and Managers

8:00 - 5:00 Rob Cheyne

“Application Security Risk for Executives and Managers”

Finally an application security course for the rest of us! If you find it difficult to understand today’s application security risks, you are not alone. There are significant communication gaps between the business and security sides of the house. Using clear, simple explanations, your instructor will facilitate a discussion of today’s most important information security risks, and what you can do to help your teams mitigate them.

Who should take this course:

Executives and managers who want to better understand the real-world risks that their company deals with on a day-to-day basis.

Instructor: Rob Cheyne, Big Brain Security

When: Tuesday, Feb 27, 2018, 9am-5pm

Full Ticket Price: $499

Early-Bird: $299 (avail through 02/15/18)

Opening Remarks - Conference Day 1

8:30 - 9:00 SOURCE Conference Team

Keynote

9:00 - 9:45 Empire Ballroom Rafal Los, Managing Director, Solution & Program Insight, Optiv

Title: How to lose friends and alienate people (in enterprise security)

Abstract: Security professionals have it rough. When you’re not fighting 31 flavors of bad guys, you’re fighting the users or each other. Security isn’t a day job, it’s a lifestyle that can chew you up and leave you with a bitter, jaded, and hopeless view of the world. I think it’s time for a stark self-reflection on who we are, what we do, and why any of this matters – before we can think about how to carry our profession forward into the next decade and beyond. Yeah, us security people have it rough … or do we?

Bio:

Rafal Los brings a blend of pragmatism and thought leadership in his approach to enterprise information security. As managing director, solutions research and development at Optiv, Los helps organizations build mature, defensible and operationally efficient security programs. Leveraging over 15 years of technical, consulting and management skills, his team researches, develops and delivers program strategy frameworks and maturity models, and provides operational guidance from across industry verticals and varying maturity levels.
Los previously worked at Accuvant. Prior to that, he served as principal, strategic security services at HP Enterprise Security Services. Los developed a methodology for refocusing enterprise security programs through an assessment and threat-centric approach, directly aligning security to business value. While there, he developed new services-based offerings from concept through prototype and launch stages, and spearheaded a cross-business task team to develop new use cases for products and service offerings within the existing portfolio. Previously at HP, Los served in several diverse roles, including security strategist in enterprise security products, where he advised customers on implementing practical solutions. He also wrote and maintained the top blog in HP Software, “Following the White Rabbit.” Prior to HP, Los held various positions at GE Energy, EnterEdge Technology and Envestnet PMC. Los is an advocate for a focus on sound security fundamentals and for the principles of “proportional, common sense security.” He has been a contributor to open standards and various organizations such as the Open Web Application Security Project (OWASP) and the Cloud Security Alliance. He has served as a speaker at conferences such as Black Hat, ISSA International, InfoSec World and many others. In addition, he maintains a regular column in SecurityWeek and contributes to other community forums. Los received his bachelor’s degree in computer information systems from Concordia University.

Career Development Track: Speed Networking (Ballroom)

9:45 - 10:30 Empire Ballroom Conference Team

SOURCE is designed to be a networking event. We start the day with speed networking to give you a fun, easy way to meet a few people. We provide the topics, you provide the conversation. For many people, this is one of their favorite parts of the conference.

We’ve found that it helps get people out of their comfort zone, gets them in the mindset of talking to one another, and then they’ll have a direct connection with at least a few people that they’ll see throughout the remaining two days of the conference.

It helps break down barriers, starts to engage the group as a cohesive community, and makes the event feel a little more personal.

10:30-10:45 Short break

DevOps Mini-Track: The only reason security really matters for DevOps

10:45-11:25 Caroline Wong

DevOps. A buzzword for the C-suite and technology teams, it can inspire anxiety in the most mature security professional. In order to truly understand how to effectively integrate security into a DevOps environment, we must be honest with ourselves about why security matters in the first place. This session reveals the secret to ensuring success of your security team in a DevOps world.

A few of the most influential years of my security career were those spent managing the security program and writing the first ever security policy for Zynga – “the FarmVille company.” Zynga was one of the first companies to leverage DevOps practices and the cloud to allow for unpredictable growth. Automated tools for provisioning and detecting changes, real-time monitoring and feedback based on player behavior, and lots of data analytics contributed hugely to the company’s early success. FarmVille, which launched in 2009, went from zero to 10 million daily users in just a few weeks.

Several years later, DevOps is a “thing.” This talk begins by exploring the answer to the question, why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that. Next, I discuss the key differences between a pre-DevOps world and the post-DevOps world. Before, it was about on-premise and protecting the perimeter and enforcing gates in the software development lifecycle. Now, supply chain security is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies “killing it at DevOps” reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments. Additional drivers for security also include avoiding bad press and compliance reasons – both of which, if you look under the covers, are ultimately about getting more sales. I look at the actual language in Bill Gates’ Trustworthy Computing memo and see that in fact even Microsoft’s “noble” initiative was all about the money.

That being said, what’s a security professional to do? BSIMM has 113 controls, ISO 27017 has 121, and CCM has 133. It’s enough to make a person’s brain explode. This session concludes with my expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. I simplify the 5 functions (Identify, Prevent, Detect, Respond, and Recover) to just 3 (Identify, Prevent, and React) and conclude the session with detailed recommendations for how to incorporate practical security concepts into a DevOps environment using this simple framework.

Bio:
Caroline Wong is the Vice President of Security Strategy at Cobalt (www.cobalt.io).

Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well known thought leader on the topic of security metrics and has been featured at industry conferences including RSA (USA and Europe), OWASP AppSec, and BSides.

Caroline was featured as an Influencer in the 2017 Women in IT Security issue of SC Magazine. She received a 2010 Women of Influence Award in the One to Watch category and authored the popular textbook Security Metrics: A Beginner’s Guide, published by McGraw-Hill in 2011. Caroline graduated from U.C. Berkeley with a B.S. in Electrical Engineering and Computer Sciences and holds a certificate in Finance and Accounting from Stanford University Graduate School of Business.

Cybersecurity Program? We Don't Need No Stinkin' Cybersecurity Program!

10:45-11:25 Lester Godsey

Does your organization have a cybersecurity program? If not, where do you start? If your organization does, when was the last time your cybersecurity program was reviewed to ensure it’s meeting enterprise needs? How do you measure success? How do you manage risk?
If you are a CISO, IT Security Manager or an IT security professional looking to create or validate your cybersecurity program this session is for you. While no one security program ‘fits all’ there are several elements that all good cybersecurity programs should consider.
Join us for an interactive discussion about the challenges of creating and maintaining a cybersecurity program and real-world, practical recommendations on how you can improve your organization’s security stance today and in the future.

Bio:

Lester Godsey has been in the IT field for 25 years in a variety of different roles and capacities ranging from graphic design to system administration to project management to cybersecurity and management. Additionally, he has taught for over 10 years at the collegiate level, most recently for Ottawa University. He has a B.A. in Music and M.S. in Technology, both degrees from Arizona State University. He holds the PMP and CISM certifications as well. He has had a number of articles published online and in trade magazines and has spoken at local, state and national conferences on a number of topics.

DevOps Mini-Track: AppSec Behaviors for DevOps Breed Security Culture Change

11:35 - 12:15 Chris Romeo

DevOps and application security are all the rage, but how do you transform a DevOps team into an army of security people? People are the true drivers of application security, and in the world of DevOps, people move fast.

Enter the idea of application security behaviors. A behavior is “the way a person acts”. Behavior beats process, because behavior is how we actually respond to a situation, versus how we should respond. An application security behavior focuses on the lightest touch points while still having security impact, and such behaviors are the foundation of true security culture change for a DevOps environment.

The five core application security behaviors are threat modeling, security tool automation, code review, red teaming, and response. In this talk, we dive deep into each behavior, and explain how these behaviors generate more secure products and how to embed the behaviors into the DevOps team.

Bio:

Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security culture change to all organizations. Chris is first and foremost a security culture hacker, designing security training programs and building internal security community. He was the Chief Security Advocate at Cisco for five years, where he guided Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response.

Chief Information Security Officer

11:35 - 12:15 Daniel Hilburn

Attendees will learn how cybersecurity works for small and medium-sized businesses. They will be given a unique perspective on cybersecurity, from a C-level executive all the way down to a one-man IT team. Attendees will have an opportunity for one-on-one sessions after the program.

Bio:

Mr. Hilburn is an Executive Director with vast experience in information technology, engineering sciences, and program management. His background includes sitting on the advisory boards of several startup companies. He is the go-to leader when it comes to building consensus and strengthening team members to go that extra mile when it’s crunch time. He has worked for international businesses looking to break into new markets with cutting-edge technologies. He was also a US Chamber of Commerce Hiring Our Heroes Fellow in 2016.

Human(e) Security

11:35 - 12:15pm Haydn Johnson

Businesses are in business to make money, understanding this as security is paramount to success. I call it Humane security because as the head of Security I have found that relationship building is my strongest asset; compassion, kindness, empathy all go together. My situation forces me to maximize everything, from time, skill, delegation and budget. The aim here is to share my learnings with others so that they may maximize their efforts in improving security for their organization.

Relationship building from the CTO to the help desk specialist is the best way to gain impactful improvements within my organization. This talk will cover people, evaluating vendors, purple teaming, goal setting suitable to the business and using other team members as pseudo security team members.

Bio:
Haydn advocates Purple Teaming principles as a powerful methodology for improving intra-organizational security and relationships. Having recently moved to internal security, he uses the offsec mindset to create impactful change within his organization. Committed to learning and sharing his skills, he has spoken at multiple conferences in America and Canada, and has published multiple online articles on offensive security.

Haydn has a Master’s in Information Technology and holds the OSCP and GXPN certifications.

Originally hailing from Australia, Canada is now called home.

12:15-1:15 Lunch

What's in YOUR packet? (Workshop)

1:15 - 2:45 Marita Fowler, Senior Analyst at Capital One

This workshop will provide an opportunity for attendees to perform malware analysis of different malware families from PCAP. They will learn about different C2 methods, file carving, and data obfuscation tricks. Attendees will become familiar with one of the most useful malware analysis tools while gaining an understanding of different cybercrime and APT attacker techniques.

Bio:

Marita Fowler is a senior analyst on the Capital One Cybersecurity Operations Center (CSOC) team. She has over two decades of intelligence and cyber experience spanning military, government service, contractor, and financial sector employment. In her spare time, she enjoys traveling, reading, and gaming.

Threat Modeling: Now What?

1:15-1:55 Bob Fruth

Over the years, Threat Modeling has progressed from its original focus on client-server software systems into a very well understood process that is widely applicable. Threat models have been created for complex hardware and software systems ranging from operating systems to ATMs to automobiles to devices to the Internet of Things. So where do we go from here? How do you manage the details and focus on the highest risk interfaces and attack surface? What steps should you take to ensure that threat modeling yields the best possible result without becoming yet another mind numbing process exercise? In this talk, a software industry veteran will seek to provide answers to these and other threat modeling questions, including discussing best practices and approaches for fully assessing and understanding of the attack surface and risks of complex systems and devices.

Bio:

Bob Fruth has been involved with more successful product and service releases than he cares to remember. After many successful years in Silicon Valley, Microsoft brought him to Seattle. While at Microsoft, Bob provided security guidance for most of the company’s major product teams, served on and ran the Microsoft Crypto Board and was the focal point for Bing.com security and privacy. He was recently recruited to focus on security and privacy at GE Healthcare, where he finds himself teaching security essentials and authoring needed policies, all the while worrying about protecting patient medical and financial data. In his spare time, Bob watches soccer and hockey, plays music and enjoys traveling.

Target-based Security Model: Mapping Network Attacks to Security Controls

2:05 - 2:45 Garrett Montgomery, Security Researcher at Ixia BreakingPoint

This talk will present a categorization of network-based attacks for the purpose of mapping to appropriate security controls. Using a layered security-zone model allows easy visualization of how/where various security controls can be applied to protect against network-based attacks at different layers. Categorizing network-based attacks according to the targeted zone then allows for direct mapping of security controls to the types of attacks they can be used to prevent.
The goal is a simple, publicly available reference model, allowing vendors, customers, and 3rd-party testers to all speak the same language.

Bio:

I’ve been working in InfoSec for the past 10+ years, first as a blue-teamer (Security Analyst) followed by IPS-Signature developer, and now as a red-teamer developing attacks for BreakingPoint. I’ve spent the last couple of years raising awareness around problems with IPS devices, but now I’m actively trying to help improve the situation.

Public Speaking Workshop

1:15-2:45 Rob Cheyne

“Communications Matters! Improve your Presentations and Public Speaking and improve your effectiveness”

Rob Cheyne, CEO Big Brain Security

Many people, when polled, say that they would prefer death over public speaking. Others enthusiastically get in front of every audience they can find, but their message falls short. Rob has conducted training sessions and presentations for well over 25,000 people around the world, and will share some of his best tips & tricks to help you be a better speaker, trainer, and communicator.

In this session, you will:

– Learn how to get your message across to any audience

– Learn how to cut through the mess and get to the message

– Learn why dense, detailed PowerPoint slides are often completely ineffective, and how to do it better

– Learn how to answer hard questions on the fly

– Learn about one of the top challenges with public speaking that most people overlook

– Learn a fail-safe strategy to make even the most introverted audiences interactive

The session will be tailored to the students in the room, so bring your best public speaking, training, and presentation questions!

2:45-3:30 Coffee / Turbo Talks

Strengthen Your SecOps Team by Leveraging Neurodiversity

3:30-4:10 Megan Roddie

High productivity, extreme attention to detail, logical/calculated, passionate, and hyper-focused. These are all characteristics considered valuable in the information security industry. However, a certain group of people who exceed expectations in these skill sets are constantly overlooked for job positions. That group of people is the High Functioning Autistic (HFA) community.

Individuals in the high functioning autistic community are often overlooked for job positions due to their social disabilities which makes them perform poorly in an interview and in their interactions with other people. However, if you look past their awkward behavior and social struggles, you will find these individuals are perfectly suited for roles in the information security industry.

This talk aims to show the listeners that, as many tech companies have found, the HFA community is ripe with individuals who could be the best of the best in the security industry if given the chance. The audience will realize that a small investment in time, understanding, and acceptance can result in the addition of an invaluable member to a Security Operations team.

Bio:
Megan Roddie is a graduate student pursuing her Master’s in Digital Forensics at Sam Houston State University while also working as a Cyber Security Analyst at the Texas Department of Public Safety. As a 20-year-old with Asperger’s Syndrome (High Functioning Autism), Megan offers a unique perspective on any topic she discusses. Megan can articulate her struggles and how small modifications in daily life have made her successful.
2:45-3:35 Coffee Break/Turbo Talks

Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10

3:30-4:10 Chris Romeo, CEO at Security Journey

“Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10”

The premise of this session is how to build an application security program with a budget of $0. The session explores the OWASP universe, and how different open-source projects are connected together as foundational pieces of an application security program.

OWASP is famous for the top 10, but many do not understand the depth and breadth of the different projects. The projects are explained with a focus on how to implement each within a successful program. This talk is more than just a catalog of the OWASP projects. It is also a practitioner’s guide on how to implement the OWASP projects within an AppSec program. The projects are explained and broken into different phases to delineate between the improvements for a new program versus an established program that is adding new capabilities.

The first group of projects is training / awareness and program definition. These projects focus on high-level knowledge, methodology, and training for the application security program. This group includes OWASP Top 10, OWASP Proactive Controls, Software Assurance Maturity Model, and training apps (Juice Shop, DevSlop, and WebGoat). The process for raising awareness with knowledge / training and building out a program are discussed.

The second group is builder or developer. These focus on requirements, code review, best practices, development libraries, and building software without known vulnerabilities. This group includes Security RAT, ASVS, cheat sheets, threat modeling, Java encoder, and Dependency Checker. The end-to-end world of the developer is explored, from requirements through writing code.

The third group is breaker or tester. This group focuses on testing guidance / process and tools, including the testing guide, Offensive Web Testing Framework (OWTF), and ZAP. The testing approach and touch points are discussed, as well as a high-level survey of the tools.

The final group is defender. These include tools that can be used to protect the application from attackers on the Internet, both at the edge and within the application. This group includes ModSecurity and AppSensor.

All of these tools work together to form the basis of an application security program with a budget of $0 except for the people resources to implement, and I’ll discuss what is required from the human resources to make a program such as this successful.

Bio:

Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security culture change to all organizations. Chris is first and foremost a security culture hacker, designing security training programs and building internal security community. He was the Chief Security Advocate at Cisco for five years, where he guided Security Advocates, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end security belt program launched in 2012. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response.

Pack your Android: Everything you need to know about Android Boxing

3:30-4:10 Swapnil Deshmukh

Android malware authors may apply one or a combination of protection techniques such as obfuscators, packers and protectors. This additional step, taken just before publishing the app, adds complexity for Android Bouncer and the various static and dynamic code analysis tools. Combined with features such as emulation detection, anti-debugging, root detection, tampering detection and anti-runtime-injection, these protections can make a malicious app go practically undetected. As a result we have seen a steady increase in malicious apps published in various Android app stores. ZDNet reported that around 1000 spyware mobile apps were published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device, such as taking photos, recording calls, monitoring information about the Wi-Fi access point and inspecting the user’s web traffic.

The talk will focus on all three commonly used APK protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch-case injection, dead-code injection and string encryption in order to recover readable code. For packers, the talk will showcase avenues to unpack the packed app: first identifying the algorithm, then hooking into libc before the packer opens the DEX file, and dumping the DEX from memory. Protectors such as DexProtector mangle the code by modifying the entry point to a loader stub and performing anti-emulation, anti-debug and anti-tampering checks. Protectors are easy to patch: one can attach to a cloned process, or dump the odex and obtain readable code. With these techniques an ethical hacker or Android Bouncer can identify many of the malicious applications published in app stores.

Bio:

Swapnil Deshmukh has over a decade of information technology and information security experience, including technical expertise, leadership, strategy, operational and risk management. He is charged with incubating and evangelizing security-driven, context-driven risk management strategies, policies and practices for emerging technologies. His role also provides the opportunity to engage actively with the industry to maintain peer-group dialogue, develop partnerships, share subject matter expertise and develop industry best practices. He is a coauthor of the Hacking Exposed series, a frequent speaker at conferences and roundtables, and a contributor to many health and FinTech publications.

Offsite Attendee Reception (The Oak Room) - TRIVIA NIGHT!!

5:00-9:30 https://www.mesaoakroom.com Ian Freeman, We Protect PHX

Opening Remarks - Conference Day 2 (EMPIRE BALLROOM)

8:30-9:00 SOURCE Conference Team

Opening Keynote - Brett Scott, Cyber Warfare Range

9:00 - 9:45AM Main Ballroom Brett Scott

Bio:

Brett Scott is a co-founder and Chief Advocate at Cyber Warfare Range, an InfoSec training facility developing workforces for cyber defense and security. He also currently serves as the CTO of Primary IP Contributor, and previously worked as a consultant and developer at Phoenix Capital. Mr. Scott is also one of the core architects of the Cyber Center of Excellence.

The highest-risk Vulnerabilities: Pen Test Metrics From The Field

9:50-10:35 Joel Scambray, NCC Group

New research into the most prevalent technical vulnerabilities identified in the prior year by will be presented. Findings data is derived from penetration testing by advanced-skillset consultants on funded, fixed-objective engagements, simulating worst-case adversaries/scenarios. Research methodology, key findings, and implications for managing risk will be discussed. Data will be presented on most prevalent categories, risk levels, most-exploited technologies, the ‘top n’ specific vulnerabilities, and other trends. Comparisons with external datasets including the OWASP Top 10 will be analyzed. Finally, lessons learned will be reported, covering data analysis strategies, value of ‘top n’ lists, and future research directions. You’ll come away with strategies to prioritize the most important technical risks to your organization based on empirical data, demonstrate how vulnerability statistical analysis can improve overall security program performance, and how to build a data analytics program to leverage your own vulnerability data.

Bio:
Joel Scambray is a Technical Director at NCC Group, a global expert in cyber security and risk mitigation formed in 1999. He has helped Fortune 500-class organizations address information security challenges for over twenty years as a consultant, author and speaker, executive, and entrepreneur. He is widely recognized as co-author of the Hacking Exposed book series, and has worked/consulted for companies including Microsoft, Foundstone, Cigital, Amazon, Costco, Softcard, and Ernst & Young.

SOURCE Group activity

10:35-11:1

11:00 - 11:20

Common Crypto Pitfalls

11:20 - Noon Amirali Sanatinia, Research Assistant at Northeastern University

Today we use cryptography almost everywhere, from surfing the web over HTTPS to working remotely over SSH. In modern crypto we have all the building blocks needed to develop secure applications. However, we see instances of insecure code everywhere. Most of these vulnerabilities are not due to theoretical shortcomings but to bad implementation or flawed protocol design. Cryptography is a delicate art where nuances matter, and failure to comprehend the subtleties of these building blocks leads to critical vulnerabilities. To add insult to injury, most of the resources available are either outdated or wrong, and inarguably, using bad crypto is more dangerous than not using it. In this talk we look at examples from real-world applications and the most common cryptographic pitfalls.

Bio:

Amirali Sanatinia is a Computer Science PhD candidate at Northeastern and holds a Bachelor's degree in CS from St Andrews University. His research focuses on security and privacy, and has been covered by venues such as MIT Technology Review, Ars Technica, and Threatpost. He is a recipient of the RSAC Security Scholar and CCIS Outstanding Research awards. He has presented at security conferences such as DEF CON, Crypto Village, Virus Bulletin, BSides Boston, and PyCon.

Noon-1:10 Lunch

Unlocking the Value of CVEs

11:20 - Noon Roxy Dee, Vulnerability Management Services Architect at Hurricane Labs

More Info

CVEs are the standard source for vulnerability details and descriptions. Infosec professionals use CVEs to understand vulnerabilities and what can be done to prevent them. However, if you are not familiar with them, CVEs can also look like a giant mess.

This talk will serve as a guide to CVEs, different types of vulnerabilities, and the terminology you may encounter. Additionally, you will learn the vectors involved that influence the scoring of vulnerabilities and ways you can utilize CVEs to assist in vulnerability management.

Bio:
Roxy works as a Vulnerability Management Services Architect for the Cleveland-based, Splunk-focused MSSP Hurricane Labs. Her position at Hurricane allows her to further explore, expand, and share perspectives about one of her favorite topics — vulnerability management.

Her background also includes experience as a network security analyst, a security infrastructure engineer, and detecting online banking fraud. Some of her favorite things are Linux, penguins, RFCs, and discussing anything infosec.

Exploits in Wetware

11:20-Noon Robert Sell, Senior IT Manager at Aerospace Industry

More Info

Robert discusses his third place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence.

Robert lifts the curtain on the social engineering world by showing tricks of the trade such as the “incorrect confirmation,” one of many methods used to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.
With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?
Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.

Bio:

Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert has spoken about the rising SE risk at numerous events and on different security podcasts.
Robert is also a nine-year veteran with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker. While one may think that SAR has little to do with InfoSec, tracking lost subjects in the back country has many of the same qualities as tracking individuals or organizations online with OSINT.
Robert grew up on a small fishing resort where he would have new friends every two weeks (he claims this had no psychological impact, but we are not sure). When he has time, he enjoys super long (all day) runs in the mountains. He does at least one ultra (50 km) trail run per year.

Workshop: Packet Hunting Using Wireshark (Cyber Warfare Range Talk)

1:10-2:40 David Hernandez, Community & Education Outreach Coordinator at Arizona Cyber Warfare Range

More Info

Using Wireshark for network forensics, troubleshooting, and efficiency. Dive into the network forensics mindset by analyzing compromised and suspect data. Learn to identify network issues by understanding how to read network packets. Create efficient packet filters to become more productive.

Bio:

David Hernandez is the Outreach and Education Coordinator for the Arizona Cyber Warfare Range. He works with industry to build real-world workshops to bring to classrooms and the AZCWR. He was previously the Project Coordinator for the NICE RAMPS Grant. As the project coordinator, he coordinated 4 workstreams to promote a stronger cybersecurity workforce in Arizona.

SDLC, SOC2, and other four letter words

1:10-1:50 Nathan Cooprider, Software Team Lead at Threat Stack

More Info

Except for any authors of trojans that may have stumbled in accidentally, we all want to write secure applications. In spite of our sincere desires, vulnerable code gets shipped. Why? What do we do to fix it? What can we do to prevent it from happening? The answers exist in the realm of the software development life cycle, or SDLC. Various compliance vehicles (such as SOC2) exist to help us formulate an effective SDLC, but any security expert knows that checking a box does not typically yield the desired results. This talk describes the SDLC used by the agent team at Threat Stack, while also bringing in outside experiences to supplement. It also goes over pitfalls observed and lessons learned. You might not use the same tools or produce the same product, but the talk focuses on principles to make the resulting product more secure.

Bio:

Nathan Cooprider is the software team lead for the Threat Stack instance agent. Nathan comes to Threat Stack from the endpoint engineering team of Carbon Black. Prior to Carbon Black, Nathan led the signal processing software team for the MQ9 Predator drone at BAE. He received his BS in CS from Brigham Young University and his PhD in CS from the University of Utah. Nathan has over a decade of experience working with computer systems. This includes eight refereed publications on the static analysis of microcontroller applications written in C. He also wrote a paper on multivariate data visualization, co-authored a paper on multiple hypothesis tracking, and has supported language modeling research. Nathan’s accumulated experience with various software engineering languages and tools includes C, C++, python, doxygen, Jenkins, OCaml, CIL, cmake, and many others.

Career Development Mini-Track: Starting a career in Cybersecurity

1:10-1:50 Kevin Babcock

More Info

Cybersecurity is an appealing area with 0% unemployment and abundant career growth opportunities. I fell into the field by happenstance nearly 20 years ago and stayed because security is interesting, challenging, and allows me to work closely with both people and technology. Besides fortunate circumstances, how does one start a career in the field?
If you are interested in a cybersecurity career and are unsure how to start; or if you are a hiring manager struggling to build a talented team, this presentation will give you information and resources to succeed at your goals.
In this presentation, I will draw upon my research interviewing hiring managers in cybersecurity and present the key skills you need to enter the cybersecurity workforce. I will explain NIST’s NICE Cybersecurity Workforce Framework and teach you how you can use it to map your career path. Finally, I will present career transition pathways from adjacent jobs into cybersecurity jobs.
Bio:
Kevin Babcock is Principal Security Engineer at PagerDuty, the enterprise incident resolution service. He has nearly 20 years of experience in the information security field, including application security, authentication, encryption, Web security, anti-spam, and network security. He has worked with organizations such as Symantec, SafeWeb, and Box. Babcock holds a B.S. in Engineering and Applied Science from the California Institute of Technology, and is a Certified Information Systems Security Professional (CISSP).

Can We Focus On Security Data?

2:00-2:40 Rocio Baeza

More Info

• Rocio will share her observations from building security compliance programs with startups, emerging tech companies, and established enterprises
• As a preview, it includes the following:
    o Security policies are long, filled with jargon, and difficult to follow
    o Security training programs are oftentimes a waste of valuable resources
    o Security audits feel like a setup to pay someone to tell you what you already know
• Why is this a problem? The average consumer, like you and me, is the one that has the most to lose here. This will be obvious in a decade or so; let’s not wait to be smacked with that reality.
• What is the solution? A different model that empowers tech leaders, starting with making your Security Policy 1/10 of its current size.

Bio:

Rocio Baeza is Chief Information Security Officer at Jemurai. She studied Mathematics at The University of Chicago, embracing her nerdiness in problem-solving. She enjoys helping high-growth digital companies get started with security. Rocio has a passion for securing personal data, so much so that she founded CyberSecurityBase.com with a simple mission to simplify things. We have all realized that we need to rely on data to make informed decisions. Organizations have made significant investments in collecting and aggregating data to service their customers. In that journey, Rocio believes that the security industry has failed to keep up. The result is a spike in organizations left struggling to secure data. This leaves consumers like you and me in a vulnerable position. This is unacceptable and Rocio is on a mission to help change that.

Career Development Mini-Track: Application Security Fundamentals

2:00-2:40 Paul Hinkle

More Info

Understanding and knowing how to test for each of the issues in the OWASP Top Ten is not enough for a Pen Tester – but it is a starting point. Paul Hinkle will walk you through each of the issues in the OWASP Top Ten 2017 with occasional deep dives into particular areas of interest and will give pointers on how to familiarize yourself with these issues, tools to explore, and areas for you to research in your professional development quest.

Bio:

Paul Hinkle is a Director of Application Security at a global financial services firm. He has passion for sharing his knowledge and experience in information security and application development. Paul started his professional life developing systems in the fields of bioinformatics and, later, B2B systems integration. Prior to joining his current employer, Paul was a co-founder and CTO at Safelight Security Advisors, a company focused on information security training and, before that, worked at @stake building and delivering instructor-led information security training.

Get Rid of Passwords With This One Weird Trick

3:10-3:50 Nick Steele, James Barclay

More Info

Since mid-2016, a group of security professionals and researchers have been working on a new way to handle authentication and proving one’s identity on the internet without the help of passwords. The new standard, known as Web Authentication, or WebAuthn for short, is a credential management API that will be built directly into popular web browsers. It allows users to register and authenticate with web applications using an authenticator such as a phone, a hardware security key, or a TPM. This means that with devices like a phone or a TPM, where a user can provide us with biometric verification, we can use WebAuthn to replace traditional passwords. Aside from user verification, WebAuthn can also confirm ‘user presence.’ So if users have a U2F token like a YubiKey, it can handle that second factor of authentication through the API as well.

Unlike FIDO UAF, a predecessor to WebAuthn with similar goals, the WebAuthn spec has more momentum and backing, with authors of the W3C specification coming from Google, Mozilla, PayPal, and Microsoft. It is also currently being implemented in Chrome and Firefox, with U2F functionality already available in Firefox’s Nightly build.

Nick and James will show you what WebAuthn is (and isn’t) and how credential creation and retrieval works. They will also present two open source projects that will demo how WebAuthn runs in a production environment.

Bio:

Nick Steele has been making and breaking things on wide area networks for 10 years. Since finishing his degree in cognitive science, he has worked on a range of projects, all mostly related to computers. He is interested in user authentication and behavior, web development, and anchovy pizza.

James Barclay is a Senior R&D Engineer at Duo Labs, the security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant before that. He’s contributed to a handful of open-source projects, and has been called an Apple nerd once or twice.

Security Needs a Style Guide and Here's V1

3:10-3:50 Brianne Hughes, Technical Editor at Bishop Fox

More Info

Security is complicated to understand and so is its vocabulary. To help sort through the confusion, v1 of the Cybersecurity Style Guide is now a public resource on bishopfox.com.

No governing body regulates which terms are best or how to write them formally, so it has historically fallen on individual researchers to give it their best shot. This guide started as a short list for consistency between Bishop Fox editors, but it has grown to encompass 1,700 tricky terms to help you sound smart and look professional.

By drawing from historical resources, consultant intuitions, and common outsider pitfalls, we’ve compiled a mighty list that you can now download and adapt to your needs.

Come learn why technical editing is good for business, what kind of feedback we’ve received through our style@bishopfox.com email, and how this new tool can start helping you today.

Bio:

Brianne Hughes spends her days as a technical editor at Bishop Fox ensuring the quality of all client deliverables. Between deadlines, she and her fellow editors develop internal reference materials and provide ongoing training to consultants.

Brianne holds a Master of Linguistics from the University of York. She continues to pursue her research on compound morphology and has shared her linguistic findings with Ignite Portland, SHEL/DSNA, and Odd Salon. She is a member of the American Copy Editors Society (ACES), is Associate Executive Secretary for the Dictionary Society of North America (DSNA), and is on the board of directors at Wordnik Society, Inc.

Career Development Mini-Track: Risk Management Fundamentals

3:10-3:50 Paul Hinkle

More Info

Finding vulnerabilities is only one component of a successful information security practice or career. Taking the next step after you have mastered vulnerability discovery requires understanding how to balance security risk versus business risk. In this session, Paul Hinkle will introduce you to the importance of balancing these risks, tools for understanding and managing each, and an understanding of which paths you can take as you work to level up – professionally or organizationally.

Bio:

Paul Hinkle is a Director of Application Security at a global financial services firm. He has passion for sharing his knowledge and experience in information security and application development. Paul started his professional life developing systems in the fields of bioinformatics and, later, B2B systems integration. Prior to joining his current employer, Paul was a co-founder and CTO at Safelight Security Advisors, a company focused on information security training and, before that, worked at @stake building and delivering instructor-led information security training.

4:00-4:45 Short Break

Career Development Track: Attendee Lightning Talks

4:00-4:45 SOURCE Team

Global Information Security, the Scotts Miracle-Gro Company

4:45-5:30 Grant Sewell

More Info

Grant Sewell manages the Global Information Security program at The Scotts Miracle-Gro Company, the world’s largest marketer of branded consumer products for lawn and garden care. He serves on the board of directors for the Retail Cyber Intelligence Sharing Center (R-CISC), and has held information security leadership roles with several Fortune 500 companies and U.S. Government agencies. Grant has more than a decade of experience in security, holds numerous industry certifications, and is a frequent speaker at regional and national conferences.

Closing & Raffle

5:30 - 6:00 SOURCE Team

Early-Registration: $249 (Expires: Feb 16)
Admission to all conference sessions and evening events, coffee breaks, receptions, and Exhibit Hall access.

One-Day Training Ticket: $399 (Expires: Feb 16)
InfoSec Train the Trainer or Application Security Risk for Managers.

Career Mini-Track (March 1, 2018): $20
1:00pm - 5:30pm at Mesa Convention Center. Start Your Career In CyberSecurity: 3 Sessions, Q&A, Closing Keynote.

Rocio Baeza | SOURCE Mesa Speaker Interview

Chris Romeo | SOURCE Mesa-Phoenix Conference Speaker

Rafal Los | SOURCE Mesa Speaker Interview

Swapnil Deshmukh | SOURCE Mesa 2018 Interviews

Joel Scambray NCC Group SOURCE Mesa Interview

Roxy Dee | SOURCE Mesa 2018 Interview

Lester Godsey SOURCE Mesa Interview

Robert Sell SOURCE Mesa Interview

Nathan Cooprider SOURCE Mesa Interview

Amirali Sanatinia SOURCE Mesa Interview

Megan Roddie SOURCE Mesa Interview

Haydn Johnson SOURCE Mesa Interview

Pre-Conference Training

InfoSec Train the Trainer

May 7, 2018 Communication

This course is designed for anyone who wants to improve their ability to present and train on technical topics to both technical and non-technical audiences.

Application Security Risk for Executives and Managers

May 8, 2018 InfoSec 101

This course is designed for executives and managers who want to better understand the real-world risks that their company deals with on a day-to-day basis.

Gold Sponsors

Boasting a population of nearly 500,000, Mesa is the 36th largest city in the United States and second largest in the Phoenix-Mesa Metro area. Larger than Miami, Minneapolis, Atlanta, and St. Louis, Mesa covers 138 square miles inside a 21-city region with a total population of 4.3 million, projected to reach 6 million by 2030. Smart companies such as Apple, Boeing, Bridgestone, FUJIFILM, and Nammo Talley all have large operations in Mesa.

Cyber Warfare Range

Our purpose is to develop a well-trained workforce versed in the continuous improvement process for cyber security. This is done through self-paced training, organic mentoring and a real-world experience.

Alion Science and Technology

Bronze Sponsors

Affiliate Sponsors

Venues

Mesa Convention Center (Conference Venue)

263 N Center St, Mesa, AZ 85201

(480) 644-2178

Phoenix Marriott Mesa (Preferred Lodging)

200 N Centennial Way, Mesa, AZ 85201

(480) 898-8300
