Friday, September 21st
8AM
Registration + Continental Breakfast Opens
Ann Johnson's Morning Keynote Address
GDPR, the CLOUD Act, and the emphasis on third-party security are converging. Mr. Hamilton will discuss navigating these and other issues in the context of using external service providers to supply networking, applications, and infrastructure.
We all authenticate to tens or even hundreds of services every day. Sometimes we even notice when that happens, and rarely do we spend a few seconds thinking about what we just did. There are a lot of misconceptions about how identity and authentication need to work. In this session, Jesper goes through 10 (more or less) mistakes that a number of organizations and service providers make when implementing an identity and authentication strategy.
TBD
API adoption in both consumer and enterprise markets has gone beyond predictions. It has become the 'coolest' way of exposing business functionality to the outside world. Both public and private APIs need to be protected, monitored and managed. API security has evolved a lot in the last five years, and the growth of standards has been exponential. Following best practices in securing APIs will help you wade through the weeds to keep the bad guys away while realizing the internal and external benefits of developing APIs for your services. This talk guides you through the maze of options and shares industry-leading best practices for designing APIs with rock-solid security.
Do organizations truly know who and what are grabbing secrets in their environments? In this talk we investigate the Secret Zero problem and answer the question of how to secure the highly sensitive credentials used as part of automation services.
TBD
Security needs to be redefined as an approach that programmatically secures resources in an enterprise or in the cloud in a predictable, controlled and cost-effective manner. Disruptive technologies like SDN, cloud, and server virtualization are exploding and are already challenging security. Security controls are required to be portable and should be programmed into networks, hosts, VMs and client machines; they need to be everywhere and follow the source no matter where the client moves. With a growing number of threats and a huge number of events per day, it will not be humanly possible in the future to create cases, analyze them and take corrective actions. We need technology that can learn bad behavior and predict threats without being explicitly programmed. Logical policies are preferable to physical configurations.
Blockchain technologies have been developing rapidly, but how to protect user data and credentials on the blockchain remains a big challenge. This talk shows how hardware-enforced crypto technology such as Intel SGX can be leveraged to design a hardware hot wallet that maximizes the protection of blockchain users' private keys while maintaining great usability. A live demo will illustrate how security and usability are both achieved with the design.
Mr. Stocker will discuss early experience with the CSA Code of Conduct in the context of assessing a major Cloud Service Provider. We will cover challenges, wins, and lessons learned.
The dramatic increase in cryptocurrency prices has reshaped the cybersecurity landscape: dedicated devices are built to mine cryptocurrency, and malware authors both target dedicated miners and convert IoT devices into miners. This presentation describes the economy of cryptocurrency and IoT security's role in this booming area.
Penetration testing cloud-based applications involves many special considerations if you want the best results. This detailed presentation will help organizations leveraging the cloud understand these nuances to reduce cloud application or business risk. This presentation will give attendees insights on: working with your CSP (IaaS, PaaS, and SaaS) for approvals to conduct testing; learning what a CSP tests as part of its security obligations (and what it doesn't!); how to leverage third-party reports for your penetration testing; the unique attack vectors within each cloud deployment model; best practices for defining a penetration testing plan for services in scope, internal/external, and black/gray/white box testing; the pros and cons of automating application penetration testing; and the benefits of penetration testing beyond compliance requirements.
In the cloud, the difference between a well-secured application and one vulnerable to attack can come down to a few simple choices made by a developer or operations engineer. Matt will describe the best practices he recommends for keeping cloud deployments secure, and how implementing these controls can ruin a pentester's day. While the discussion will focus on Azure, most of these suggestions are applicable to all public cloud users.
BitCoin/Blockchain Panel – vendors including Microsoft and bitcoin traders and blockchain users/services
Is your Source too Open? As we further adopt open source and move towards the future of serverless and containerized workloads, have we opened the doors too far? This is a panel discussion about some of the pitfalls to avoid, and the simple steps to take, when working with open source and containers, covering open source repositories and vendor marketplaces. The inherent risk of not managing your GitHub or other open repositories or marketplaces is that you give up your rights to your own code. These risks, vulnerabilities and liabilities should be managed as carefully as any other code release platform.
At an unprecedented pace, cloud computing has simultaneously transformed business and government and created new security challenges. The development of the cloud service model delivers business-supporting technology more efficiently than ever before. The shift from traditional client/server to service-based models is transforming the way technology departments think about, design, and deliver computing technology and applications. However, the improved value offered by cloud computing advances has also created new security vulnerabilities, including security issues whose full impacts are still emerging. This presentation aims to provide individuals with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.