Win a Flipper Zero!

Sign up for the event, share the link to this page on LinkedIn and tag Tromzo, and we'll enter you to win the Flipper Zero!

Must be present at the training to win!
Free Training!
Developers & Security
Practical Discussions
Real Takeaways
1
9:00 - 9:25 AM - James Wickett (DryRun Security)
Context Over Mandate: Where Developers and Security Meet
This talk explores what is missing in most organizations and the intersection points between developers and security and what to do about it.
9:30 AM - 12:15 PM - Jim Manico (Manicode Security)
Secure Coding with Jim Manico - The OWASP Top 10 for Developers
In the rapidly evolving realm of web development and application security, the OWASP Top 10 remains a cornerstone document, acting as a beacon for developers and security professionals alike. Reflecting a broad-based consensus, it spotlights the most critical security risks threatening web applications, thereby shaping the frontier of secure coding techniques.

With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around:

A01:2021-Broken Access Control
A02:2021-Cryptographic Failure
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring Failure
A10:2021-Server-Side Request Forgery

Join us as we embark on this enlightening journey, delving into the unique intricacies of each risk, exploring defense strategies, and fostering a culture of security-minded web application development. This presentation aims to instill a robust defensive mindset, helping attendees to weave a narrative of secure coding that transcends the bounds of standard practices.
2
9:30 - 10:25 AM - Sri Pulla (Cloudflare)
Evolution of AppSec Through Risk and Automation
In the day and age of cyberwarfare it is important to build cyberwarriors which starts with building an integrated scalable application security program. A risk based program not only provides tools to protect an organization but also its customers. In this session, Sri Pulla, Director of Application Security from Cloudflare will share easy ways to mature appsec programs and seamlessly build automation and integration with engineering processes with risk being a catalyst to drive change.
3
10:30 - 11:25 AM - Eric Sheridan (Tromzo)
Five Strategies for Deriving an Effective Remediation Gameplan
Product Security has a massive data problem that almost nobody is talking about. With the widespread adoption of cloud-native and distributed application architectures coupled with "DevSecOps" and "Shift-Left" security testing methodologies, Product Security teams are left with a backlog of vulnerabilities numbering in the millions. Where the heck do you start when 1+ million of those vulnerabilities are either "High" or "Critical"? Attempting to tackle this and operationalize a solution inevitably leads to "Excel Hell" with people having to make instinctual, gut-based, and often reactionary decisions about risk. In short, Product Security teams have been set up for failure...and it's not their fault.

Are you living in "Excel Hell", struggling to make meaningful progress on your own vulnerability backlog? If so, then check this out.

We set out on a journey to analyze millions of findings across a wide range of industry verticals and technology stacks with the goal of identifying the most effective strategies that can be used to produce a Remediation Gameplan that aligns with the business. Join Eric Sheridan, Chief Innovation Officer at Tromzo, as he shares the results from this deep-dive initiative along with real-world case studies, demonstrations, anecdotes, and alerting policies expressed using “security-as-code”. Participants of this session will learn how to apply the following strategies to effectively operationalize their vulnerability backlog remediation efforts:

Strategy #1: Cutting the Fat - Excluding the Things We Don't Care About
Strategy #2: Once is Enough - Deduplicating Vulnerabilities
Strategy #3: Going Beyond 'Severity' - Contextual Prioritization
Strategy #4: Doing More with Less - Batch Remediation Campaigns
Strategy #5: Placing a Stop Sign - Adopting Preventive Controls


In short, you'll walk away better prepared to make a meaningful difference in the world. Oh, and one more thing... we might poke a little fun at a "vulnerability" or two along the way. See you there!
4
11:30 AM - 12:10 PM - Colleen Dai (Semgrep)
Secure Defaults: Empowering Developers to Write Secure Code
Despite our best efforts, software vulnerabilities we have been tackling since the genesis of the security industry still haunt us now. In fact, the OWASP top 10 has not changed much in the past few years. This indicates that we need a new approach to running AppSec programs — one that doesn't involve playing bug whack-a-mole. We will talk about how we can use secure defaults to eliminate classes of vulnerabilities and effectively scale your AppSec program while building a strong partnership with developers. We will also discuss a few companies that have effectively done this, and how you can do this yourself.
5
1:00 - 1:55 PM - Matt Johansen (Reddit)
Threat Modeling for Cloud Infrastructure and Applications
There is a superpower available to us when we are staring at a stack of technology cobbled together in a modern public cloud provider. That superpower is Threat Modeling.

In this session, we will navigate the complex terrain of cloud security, uncovering potential vulnerabilities, and learning how to systematically assess and mitigate risks. Through real-world examples and case studies, we'll demonstrate the practical application of Threat Modeling, enabling you to proactively address security concerns and protect your infrastructure.

It will be my goal to demystify the process of Threat Modeling, breaking it down into manageable steps and frameworks that can be readily incorporated into your development and deployment cycles. We will explore threat modeling methodologies, discuss best practices, and share valuable insights on integrating security into the very fabric of your cloud infrastructure.

We’ll also highlight common pitfalls, and showcase effective countermeasures to these frequent mistakes. This session is designed to equip you with a robust understanding of Threat Modeling, empowering you to make informed decisions when it comes to securing your cloud infrastructures and applications. Whether you're a seasoned security professional, a cloud architect, or a developer eager to enhance your security mindset, this talk’s goal is to be valuable to all of the above.
6
2:00 - 2:55 PM - Esha Kanekar (Netflix)
The 4C's for Driving At-Scale Security Programs
Today as we scale our business and operations, cross-functional work continues to increase in complexity and the barrier to timely execution and delivery is very high. In this talk, we’ll discuss the 4C's approach for driving large, at-scale security programs across an evolving engineering ecosystem to meet business goals while managing security risks. I’ll provide the audience an overview of how our Vulnerability Management program execution is structured on the 4C's foundations and share our learnings so far.
7
3:00 - 3:55 PM - Johnathan Kuskos (Chaotic Good Information Security)
Hacking the Hackers Hacks: Good, Fast, Cheap, Pick ALL 3!
We’ve heard it everywhere and it applies to hacking as well: Good, fast, and cheap, and you can only have two.

Buckle in because this is going to be a fun one. I’ve spent over a decade in the weeds on security assessments. Some of the highest pressure moments have included the following:

Delivering high pressure consultant bakeoffs, non impressive discoveries usually result in losing the client. Knee jerk last minute security assessments (such as it’s a lovely Sunday afternoon and you get a call that the thing is going live Monday morning).

Panic hunting 0 day IOC’s so that the companies I worked for could get patched before the latest tweeted payload wrecked us.

Covering for a friend on a Wednesday for an assessment due Friday and they’ve barely made it off of the unauthenticated portions.

All of these things have one major thing in common: there’s never enough time. This talk is going to be about how to tackle security assessments when you’re having to choose between a good night's rest or funneling the next 8 hours into what you suspect is a blind SQLi, but really isn’t exploitable in the end. We’re going to talk about prioritization, what to automate, what NOT to automate, rabbit holes, off the shelf tooling, custom tooling, the 15 minute rule, and more. By the end of this chat, you should have a feeling for how an experienced hacker is able to balance picking the right things to focus on, with the most appropriate tool for the job, and getting through each piece of work while still being home in time for dinner. This talk will be technical, a hair philosophical, but ultimately focus on helping you think of the areas you can personally iterate on to be a stronger and well rounded penetration tester or bug bounty hunter.
8
4:00 - 5:00 PM
Happy Hour & Career Village
Representatives from Reddit, Cloudflare, Semgrep, Tromzo, DryRun Security, and more will be at the event with open positions and ready to hear more about you!
Free Training!
Developers & Security
9:30 AM - 12:15 PM - Jim Manico (Manicode Security)
Secure Coding with Jim Manico - The OWASP Top 10 for Developers
In the rapidly evolving realm of web development and application security, the OWASP Top 10 remains a cornerstone document, acting as a beacon for developers and security professionals alike. Reflecting a broad-based consensus, it spotlights the most critical security risks threatening web applications, thereby shaping the frontier of secure coding techniques.

With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around: With an ever-increasing emphasis on web-based interactions, the significance of a deep understanding of these risks is paramount. As developers etch lines of code giving life to web applications, a firm grasp of secure coding practices becomes not merely beneficial, but essential.

This immersive and engaging presentation seeks to equip attendees with a comprehensive understanding of the OWASP Top Ten 2022 release, intending to empower developers with the knowledge necessary to author secure, resilient software. As we navigate through this labyrinth, we shall focus on in-depth discussions around:

A01:2021-Broken Access Control
A02:2021-Cryptographic Failure
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring Failure
A10:2021-Server-Side Request Forgery

Join us as we embark on this enlightening journey, delving into the unique intricacies of each risk, exploring defense strategies, and fostering a culture of security-minded web application development. This presentation aims to instill a robust defensive mindset, helping attendees to weave a narrative of secure coding that transcends the bounds of standard practices.
Practical Discussions
Real Takeaways
9:00 - 9:25 AM - James Wickett (DryRun Security)
Context Over Mandate: Where Developers and Security Meet
This talk explores what is missing in most organizations and the intersection points between developers and security and what to do about it.
9:30 - 10:25 AM - Sri Pulla (Cloudflare)
Evolution of AppSec Through Risk and Automation
In the day and age of cyberwarfare it is important to build cyberwarriors which starts with building an integrated scalable application security program. A risk based program not only provides tools to protect an organization but also its customers. In this session, Sri Pulla, Director of Application Security from Cloudflare will share easy ways to mature appsec programs and seamlessly build automation and integration with engineering processes with risk being a catalyst to drive change.
10:30 - 11:25 AM - Eric Sheridan (Tromzo)
Five Strategies for Deriving an Effective Remediation Gameplan
Product Security has a massive data problem that almost nobody is talking about. With the widespread adoption of cloud-native and distributed application architectures coupled with "DevSecOps" and "Shift-Left" security testing methodologies, Product Security teams are left with a backlog of vulnerabilities numbering in the millions. Where the heck do you start when 1+ million of those vulnerabilities are either "High" or "Critical"? Attempting to tackle this and operationalize a solution inevitably leads to "Excel Hell" with people having to make instinctual, gut-based, and often reactionary decisions about risk. In short, Product Security teams have been set up for failure...and it's not their fault.

Are you living in "Excel Hell", struggling to make meaningful progress on your own vulnerability backlog? If so, then check this out.

We set out on a journey to analyze millions of findings across a wide range of industry verticals and technology stacks with the goal of identifying the most effective strategies that can be used to produce a Remediation Gameplan that aligns with the business. Join Eric Sheridan, Chief Innovation Officer at Tromzo, as he shares the results from this deep-dive initiative along with real-world case studies, demonstrations, anecdotes, and alerting policies expressed using “security-as-code”. Participants of this session will learn how to apply the following strategies to effectively operationalize their vulnerability backlog remediation efforts:

Strategy #1: Cutting the Fat - Excluding the Things We Don't Care About
Strategy #2: Once is Enough - Deduplicating Vulnerabilities
Strategy #3: Going Beyond 'Severity' - Contextual Prioritization
Strategy #4: Doing More with Less - Batch Remediation Campaigns
Strategy #5: Placing a Stop Sign - Adopting Preventive Controls


In short, you'll walk away better prepared to make a meaningful difference in the world. Oh, and one more thing... we might poke a little fun at a "vulnerability" or two along the way. See you there!
11:30 AM - 12:10 PM - Colleen Dai (Semgrep)
Secure Defaults: Empowering Developers to Write Secure Code
Despite our best efforts, software vulnerabilities we have been tackling since the genesis of the security industry still haunt us now. In fact, the OWASP top 10 has not changed much in the past few years. This indicates that we need a new approach to running AppSec programs — one that doesn't involve playing bug whack-a-mole. We will talk about how we can use secure defaults to eliminate classes of vulnerabilities and effectively scale your AppSec program while building a strong partnership with developers. We will also discuss a few companies that have effectively done this, and how you can do this yourself.
1:00 - 1:55 PM - Matt Johansen (Reddit)
Threat Modeling for Cloud Infrastructure and Applications
There is a superpower available to us when we are staring at a stack of technology cobbled together in a modern public cloud provider. That superpower is Threat Modeling.

In this session, we will navigate the complex terrain of cloud security, uncovering potential vulnerabilities, and learning how to systematically assess and mitigate risks. Through real-world examples and case studies, we'll demonstrate the practical application of Threat Modeling, enabling you to proactively address security concerns and protect your infrastructure.

It will be my goal to demystify the process of Threat Modeling, breaking it down into manageable steps and frameworks that can be readily incorporated into your development and deployment cycles. We will explore threat modeling methodologies, discuss best practices, and share valuable insights on integrating security into the very fabric of your cloud infrastructure.

We’ll also highlight common pitfalls, and showcase effective countermeasures to these frequent mistakes. This session is designed to equip you with a robust understanding of Threat Modeling, empowering you to make informed decisions when it comes to securing your cloud infrastructures and applications. Whether you're a seasoned security professional, a cloud architect, or a developer eager to enhance your security mindset, this talk’s goal is to be valuable to all of the above.
2:00 - 2:55 PM - Esha Kanekar (Netflix)
The 4C's for Driving At-Scale Security Programs
Today as we scale our business and operations, cross-functional work continues to increase in complexity and the barrier to timely execution and delivery is very high. In this talk, we’ll discuss the 4C's approach for driving large, at-scale security programs across an evolving engineering ecosystem to meet business goals while managing security risks. I’ll provide the audience an overview of how our Vulnerability Management program execution is structured on the 4C's foundations and share our learnings so far.
3:00 - 3:55 PM - Johnathan Kuskos (Chaotic Good Information Security)
Hacking the Hackers Hacks: Good, Fast, Cheap, Pick ALL 3!
We’ve heard it everywhere and it applies to hacking as well: Good, fast, and cheap, and you can only have two.

Buckle in because this is going to be a fun one. I’ve spent over a decade in the weeds on security assessments. Some of the highest pressure moments have included the following:

Delivering high pressure consultant bakeoffs, non impressive discoveries usually result in losing the client. Knee jerk last minute security assessments (such as it’s a lovely Sunday afternoon and you get a call that the thing is going live Monday morning).

Panic hunting 0 day IOC’s so that the companies I worked for could get patched before the latest tweeted payload wrecked us.

Covering for a friend on a Wednesday for an assessment due Friday and they’ve barely made it off of the unauthenticated portions.

All of these things have one major thing in common: there’s never enough time. This talk is going to be about how to tackle security assessments when you’re having to choose between a good night's rest or funneling the next 8 hours into what you suspect is a blind SQLi, but really isn’t exploitable in the end. We’re going to talk about prioritization, what to automate, what NOT to automate, rabbit holes, off the shelf tooling, custom tooling, the 15 minute rule, and more. By the end of this chat, you should have a feeling for how an experienced hacker is able to balance picking the right things to focus on, with the most appropriate tool for the job, and getting through each piece of work while still being home in time for dinner. This talk will be technical, a hair philosophical, but ultimately focus on helping you think of the areas you can personally iterate on to be a stronger and well rounded penetration tester or bug bounty hunter.
4:00 - 5:00 PM
Happy Hour & Career Village
Representatives from Reddit, Cloudflare, Semgrep, Tromzo, DryRun Security, and more will be at the event with open positions and ready to hear more about you!
Tuesday, September 5, 2023

Developers and Security are Friends Day


[email protected]

Request a demo