SPEAKER: BRIAN VERMEER

Join us for an captivating live hacking session with Brian Vermeer.

In Brian's opinion, open source modules are undoubtedly impressive. However, they also represent an undeniable and massive risk.

Within open source modules you are introducing someone else's code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data.

This talk will use a sample application, Goof, which uses various vulnerable dependencies, which together with Brian, you'll exploit as an attacker would. For each issue, Brian will explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. Brian will live hack exploits like the classic struts vulnerability that recently made it famous, along with Spring Break and several others.

In this talk, you'll learn:

That security is important. Not only for your own code but also the frameworks and libraries you depend on
What might happen when using outdated libraries with known vulnerabilities

The adoption of microservices architecture has continued to increase across the industry in recent years. Governing the behavior of microservices is rather challenging. In addition to our home-born microservices, we also have services that are part of our stack: API gateways, messaging brokers, orchestration tools, and service mesh solutions, to name a few.

Having such a large amount of services can decrease policy compliance’s consistency and make governance harder to maintain, forcing us to redeploy services on each policy change. Enter Open Policy Agent (OPA). OPA is a CNCF incubation project that makes our policy more consistent, and therefore gives us more control over the system. In this talk, we will discuss what is OPA, and explore OPAs’ integrations with all the levels of our cloud-native stack, along with on-stage demos. Join us on this journey to better microservices governance.

Technical Level: Intermediate

Additional Notes: This is a comprehensive talk with a demo, in this talk we will discuss the whole concept of OPA and how it handles authorization policies and governance.

Join the awesome Lunar team - Kasper Nissen and Bjørn Hald Sørensen, alongside Snyk's Matt Jarvis to talk about their open source project - a Prometheus Exporter for Snyk.

Find out more about the project here: https://community.snyk.io/phennex/introducing-the-prometheus-exporter-by-lunar-3emj

And join us for an excellent live event & demo on December 9th | 5PM GMT.

Speakers: Guy Podjarny, Founder & President @ Snyk, and Alyssa Miller, AppSec Advocate

Co-Organizers: Sharone Zitzman & Simon Maple

Call for Papers is still open until November 12th.

Register Here.

SPEAKER: ALYSSA MILLER

What an exciting year for Snyk and Docker - with announcements starting May, and just recently at SnykCon about native integrations with both products, and now we want to show you all of that goodness in action.

Join Eric Smalling from Snyk and Peter McKee from Docker] for an end-to-end walkthrough and demo of all of the recent product integration announcements.

In this session, you'll learn how Docker and Snyk work together to ensure security from first pull of your Docker images all the way through deployment.

You won't want to miss it.

• Learn more about what we're doing with Docker by following the tag
• To add to your calendar click here

👉🏾👉🏾 REGISTER TO THE COMMUNITY to be able to participate.👈🏾👈🏾

From developers, for developers.

United by our passion for Open Source, we are very excited to be teaming up with Payara for another panel event. In this session we will be discussing all things security. How can you minimise security risks when developing your applications? Let's discuss...

What to expect? An interactive discussion between cloud-native experts, Open Source contributors, and you.

What's on your mind? Join the conversation, ask us your burning questions.

On the panel, we are thrilled to welcome: Rudy De Busscher, Brian Vermeer, and Stefan Liesche.

Rudy De Busscher loves to create (web) applications with the Java EE platform and MicroProfile implementations and is currently working for Payara Services Limited in the Service Team. He helps customers, writes technical content, is part of some MicroProfile implementations and advocates the Payara Products in various ways.
He is active in the IT industry for more than 20 years and created many applications for customers. He is also a big fan of OpenSource and helped in various OpenSource projects like DeltaSpike, PrimeFaces, and Apache Myfaces. He is also passionate about Web Application Security using OAuth2, OpenID Connect, and JWT. He maintains the Octopus OpenSource project and is a member of the Jakarta EE Security API team.

Brian Vermeer, Developer Advocate for Snyk and Software Engineer with over a decade of hands-on experience in creating and maintaining software. He is passionate about Java, (Pure) Functional Programming and Cybersecurity. Brian is an Oracle Groundbreaker Ambassador, Utrecht JUG Co-lead, Virtual JUG organizer and Co-lead at DevSecCon. He is a regular international speaker on mostly Java-related conferences like JavaOne, Devnexus, Devoxx, Jfokus, JavaZone and many more. Besides all that Brian is a military reserve for the Royal Netherlands Air Force and a Taekwondo Master / Teacher.

Stefan Liesche is the Architect for IBM Hybrid Cloud on Z. Stefan is focused on security, transparency and protection of data and services in flexible cloud environments. Stefan worked in various areas as Technical leader within IBM, most recently as Chief Architect for IBM Cloud Hyper protect Services and IBMs Watson Talent Portfolio where Stefan was building AI driven solutions that transform recruiting and career decisions within global organisations, that not only enhances quality of decisions, but also allows HR functions to enhance fairness and tackle biases. Stefan also innovated within the Exceptional Web Experience products for several years with a focus on open solutions and integration. Stefan has more than 20 years of experience as technical leader, collaborating with partners and customers through joint projects, as well as within IBM's product development organisation.

Jadon Ortlepp and Miriam Oglesby created this series of panel discussions. Bringing together experts and communities in the spirit of collaboration and open source to share, exchange and discuss hot developer topics.

Join us online.

We look forward to seeing you there!

Joining information:
Navigate to the Crowdcast link, click the 'Save my spot' button to register. Enter your email address or social media login. Check your email for a confirmation and a link to join the event, along with the option to add the event to your calendar.

Instructions on how to setup your device for Crowdcast can be found here: https://www.crowdcast.io/setup

Discover more:
Payara https://www.payara.fish/
Snyk https://www.snyk.io/
IBM Developer https://developer.ibm.com/

Register here for a free IBM Cloud account: https://ibm.biz/BdqUKm
(no credit card required)

This talk provides a brief history of how development, operations and security testing have become highly complex. It continues to outline the key problems with traditional security solutions and why in 2020 companies around the world are still figuring out a good way to manage security as part of rapid development cycles. Specifically, the big challenge of introducing and fixing new security issues versus tackling the existing security dept of existing applications.

To quote Bishop Desmond Tutu, “There comes a point where we need to stop just pulling people out of the river. We need to go upstream and find out why they’re falling in.”

After setting the stage, the remainder of the talk will focus on the paradigm shift that security solutions have to incorporate in order to solve the problem of sustainably secure applications on all layers. This will explore how the elements of Speed, Just in time training, and Data science have to be leveraged to empower development teams around the globe to get ahead for once and finally become able to move fast and be safe at the same time.

The 3 core takeaways for the audience are:

1.) Where security practices have gone wrong so far.

2.) What new technologies will cause a paradigm shift in how security is applied at scale.

3.) How security will look like in 5-10 years.

SPEAKER: ALYSSA MILLER

It may be hard for some to believe, but it’s been over a decade since DevOps was first introduced. It wasn’t very long after that the concept of DevSecOps began to emerge as security practitioners attempted to keep application security practices engaged in software delivery. However, recent surveys show that even in organizations that have adopted a DevSecOps model, security is still often viewed as a bottleneck. This idea of security as an inhibitor can undermine the promise of DevSecOps to deliver a culture of shared responsibility for security. Hacker, former developer, and application...

Speaker: Matt Jarvis

SPEAKER: ALYSSA MILLER

Please save the date for the IIA/ISACA Chicago Chapter’s 7th Annual Hacking Conference. Last year’s record attendance was a huge success and we look forward to seeing everyone again!

Date: Monday/Tuesday, November 9-10, 2020

Time: 7-8 am Registration and Breakfast; 8 am-5 pm Educational Sessions; 5 pm Reception (9th only)

SPEAKER: BRIAN VERMEER

We all love scaffolders like Spring Boot Initialzr. It creates a brand new app with all the latest versions of the libraries we need to get going, enabling us to build awesome applications quickly. But after creating our initial application who is responsible for the dependency management and what happens over time when new features get added. How can we make sure this large proportion of your application gets the attention and testing needed to ensure we deliver and maintain a secure and functional application.

In this session, we look at the best practices of how to build a proper dependency management strategy. How to pick your application dependencies, keep them up to date, and clean out manifest files with tons of dependencies. And maybe even more important, what are the consequences of not being on top of this?

SPEAKER: ALYSSA MILLER
If you're a barista that has never worked in a tech job, how do you land a role in security? What if I told you there are skills you have that apply directly to roles in security. In this session we're going to get into some real talk about landing your first security gig. We will analyze the challenges that aspiring security professionals need to overcome in order to find their way into an entry level position. We'll look at the issues of job descriptions, certifications, degrees, and other job search related challenges. We'll analyze data from a recent primary research to better understand how education, certifications, mentoring, and other characteristics impact the job search. Finally we'll use that information to share tangible real strategies you can use to overcome those hiring obstacles.

SPEAKER: BRIAN VERMEER

There’s no better way to understand container security than seeing some live hacking! This session introduces the state of docker security by reviewing vulnerabilities in Docker images and their impact on applications and demonstrates via hands-on live hacking. This session further provides the audience with security best practices when building docker container images, and each successful hack will help you better understand the mistakes you can make, their implications, and how you can avoid them.

SPEAKER: ALYSSA MILLER

It may be hard for some to believe, but it’s been over a decade since DevOps was first introduced. It wasn’t very long after that the concept of DevSecOps began to emerge as security practitioners attempted to keep application security practices engaged in software delivery. However, recent surveys show that even in organizations that have adopted a DevSecOps model, security is still often viewed as a bottleneck. This idea of security as an inhibitor can undermine the promise of DevSecOps to deliver a culture of shared responsibility for security. Hacker, former developer, and application security advocate Alyssa Miller dives into the key issues that keep DevSecOps culture from becoming a reality. She’ll provide insights from recent studies that have looked at the state of DevSecOps and share evidence that organizations are still failing to mature their processes in order to achieve the ideals of a shared responsibility culture. Through her analysis, Alyssa identifies tangible, practical actions that organizations can take immediately to begin improving collaboration and enablement within the DevSecOps pipeline. Alyssa will demonstrate what steps can be taken to create mutual enablement between Development, Security, and Operations disciplines. Finally, Alyssa delivers a forward-looking viewpoint for what lies beyond DevSecOps, and how this culture can be cultivated and extended into the broader business.

SPEAKER: ALYSSA MILLER

Alyssa Miller (CISM) is a life-long hacker, security advocate, author, and public speaker with almost 15 years of experience in security roles. She has always had a passion for deconstructing technology, particularly since buying her first computer at the age of 12 teaching herself BASIC programming. In her career, Alyssa has performed all forms of security assessments but given her developer background, she has a dedication to application security. She specializes in working with business and security leaders to design and deploy effective security programs that strengthen enterprise security posture. She is currently an Application Security Advocate for London-based Snyk Ltd.

Alyssa is committed to advocating for improving security practices and the community. Not only does she speak internationally at various industry, vendor and corporate events, Alyssa also engages in the community through her online content, media appearances, and security community activism. Her journey through security was recently featured in Cybercrime Magazine. She’s also been recognized in Peerlyst’s e-Book “50 Influential Penetration Testers”. Alyssa is chapter leader for Women of Security (WoSEC), Advisory Board Member for BlueTeam Con, and a member of the WiCyS Racial Equity Committee.

SPEAKER: ERIC SMALLING

Explore a world of dystopian examples where the dream of modernizing legacy applications with containers turned into implementation nightmares and how they clawed their way back out of the grave.
Examples:

• Pharmaceutical web-app team miscalculates JVM heap and Java Garbage Collection drives Out-Of-Memory killings
• Vendor application licensing costs skyrocket when run in an orchestrated container cluster
• Bank learns how not to scan and patch vendor’s middleware platform in live running containers
• Data scientists create Frankenstein’s monster treating containers like VMs
• Financial company tries to cut corners licensing by putting all of their eggs containers in just a few baskets servers and is brought to its knees when disaster strikes
• Never expose your network underbelly to your enemies; A.K.A. Just because your CNI can do clever tricks doesn’t mean you should!

SPEAKER: ALYSSA MILLER

Tracking the software and software components an organisation uses in its products and its operations is crucial for responding to emergency threats. However, building and maintaining these Software Bills of Materials (SBOMs) is very challenging, especially across large enterprises. In this session, Alyssa Miller discusses the hidden threats in the Software Supply Chain, and analyzes some of the unique challenges of open source software, IoT and Medical devices, and Industrial Control Systems. She’ll share real world strategies and risk mitigations that organizations should employ to address these threats and reduce the risks associated with them.

SPEAKER: ALYSSA MILLER

It wasn’t long after that the concept of DevSecOps began to emerge as security practitioners attempted to keep application security practices engaged in software delivery. However, recent surveys show that even in organizations that have adopted a DevSecOps model, security is still often viewed as a bottleneck. This can undermine the promise of DevSecOps to deliver a culture of shared responsibility for security.Hacker, former developer, and application security advocate Alyssa Miller dives into the key issues that keep DevSecOps culture from becoming a reality. She’ll provide insights from recent studies that have looked at the state of DevSecOps and share evidence that organizations are still failing to mature their processes in order to achieve the ideals of a shared responsibility culture.

Snyk's very own, first-ever user conference. It will EPIC. Join us!

Join the world’s strongest community of DevSecOps practitioners and leaders for this two-day event.

SPEAKER: ALYSSA MILLER

Deepfake media and the neural networks that create it, are fundamentally changing how we think about security defenses. Learn how this media is created, how it can be detected and possibly prevented, as well as methods to defend against the threats. We’ll even see how this tech can be used for good.

SPEAKER: BRIAN VERMEER

Open-source modules are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your user's data. This talk will use a sample application, Goof, which uses various vulnerable dependencies, which we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it. We'll live hack exploits

SPEAKER: ALYSSA MILLER

SPEAKER: LIRAN TAL

In this talk Liran discusses how a weekend side-project turned into 1500 stars github repository with over 21 contributors! How and why did it succeed?

SPEAKER: BRIAN VERMEER

We all love scaffolders. Creating a brand new app with all the latest versions of the libraries we need to get going, enabling us to build awesome applications quickly. But after creating our initial application who is responsible for the dependency management and what happens over time when new features get added.

How can we make sure this large proportion of your application gets the attention needed to ensure we keep a secure and functional application. In this session, we look at how to build a proper dependency management strategy. And what are the consequences of not being on top of this?

Agenda
17.00 | Welcome to this GOTO Night with Brian Vermeer
17.05 | Brian Vermeer's talk begins
17.30 | Live Q&A session with Brian Vermeer
17:55 | Thank you for joining us in this GOTO Night