Keynotes
Jaya Baloo is Avast's Chief Information Security Officer (CISO) and joined Avast in October 2019. Previously, Ms. Baloo held the position of CISO at KPN, the largest telecommunications carrier in the Netherlands, where she established and led its security team, whose best practices in strategy and policy are today recognized as world leading. Prior to this, Ms. Baloo held the position of Practice Lead Lawful Interception at Verizon and worked at France Telecom as a Technical Security Specialist. Ms. Baloo is formally recognized in the list of the top 100 CISOs globally and ranks among the top 100 security influencers worldwide. In 2019, she was also selected as one of the fifty most inspiring women in the Netherlands by Inspiring Fifty, a non-profit aiming to raise diversity in technology by making female role models in technology more visible. Ms. Baloo has been working in the field of information security, with a focus on secure network architecture, for over 20 years and sits on the advisory boards of the Netherlands' National Cyber Security Centre, PQCrypto and the EU Quantum Flagship. She serves on the audit committee of TIIN Capital, a cybersecurity fund, and is also a member of the IT Committee of the Sociale Verzekeringsbank. Ms. Baloo is currently a vice chairwoman of the EU Quantum Flagship. Ms. Baloo has spoken widely at high-profile conferences such as RSA, TEDx, HiTB and Nullcon, on topics including Lawful Interception, VoIP, Mobile Security, Cryptography and Quantum Communications Networks. Additionally, Ms. Baloo has been a faculty member of Singularity University since 2017, where she regularly lectures.
Talk: Our Secure Future
Abstract: How do we build a better future for information security by examining the lessons learned in the recent as well as the distant past?
Mark is the founder of OWASP, founder and CEO of SourceClear (acquired by Veracode in 2018) and now the co-founder of Open Raven (https://www.openraven.com), a data security company. He is a British expat currently living in San Francisco and is usually found riding a bicycle.
Talk: 20:20 - The History and Future of OWASP
Abstract: 20 years ago I was moderating the webappsec mailing list on securityfocus and had just started a new job running application security at Charles Schwab, when the CIO came running down the hall demanding to speak to the new guy. He wanted to know why we were in the Wall Street Journal and what I was going to do about it. I felt like I had been framed. After fending off ambulance chasers and wading through marketing "bull shiitake" from vendors, I realized there was a gap that needed to be filled. OWASP was born. No real plan, no real goal, armed with just a belief that the world needed better information, I sent out a call to action for like-minded people to get involved. The rest, as they say, is history. Looking back, it's been an amazing success story of a community that has had a significant positive impact on the world during a time when development technology and the threat landscape have changed beyond recognition. What was critical to OWASP's success, and how should it evolve over the next 20 years? We will take a walk down memory lane, stargaze into the future and leave with an updated call to action for the next twenty years.
Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven underpins his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs.
Talk: AppSec is too hard!?
Abstract: Looking at available tools and features, it is easy to conclude that AppSec is shooting for the moon. Modern frameworks build security in by default, and vulnerable technologies are replaced by more secure alternatives. But regardless of all these good intentions, we see the same vulnerabilities popping up over and over again. Are we just careless when building applications, or is AppSec too hard? Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self-Defense and the Digital First Aid Kit), to publishing research on malware in Syria, Vietnam and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages.
Talk: Who Deserves Cybersecurity? Expanding Our Circle of Care
Chris Wysopal, Veracode's CTO and co-founder, is responsible for the company's software security analysis capabilities. One of the original vulnerability researchers and a member of L0pht Heavy Industries, he has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 25 years. Chris started his professional application security journey in 2000 at the pioneering security consultancy @stake, where he was VP of Research. Following on from his research in static analysis, he founded Veracode with Christien Rioux in 2006. He graduated with a Bachelor of Science degree in computer & systems engineering from Rensselaer Polytechnic Institute. He is also the author of "The Art of Software Security Testing", published by Addison-Wesley.
Talk: AppSec: from Outsiders to Allies
Abstract: AppSec's roots lie in late-'90s vulnerability research and the ultimate technology outsiders, hackers. Microsoft didn't even want to touch application security until customers threatened to stop buying over the monthly worms of the early 2000s. Then the threat space changed and attacks weren't done just for fun, but by criminal gangs and nation states. Critical bugs were monetized in the millions of dollars and led to national-level security events. In 2021 there is a realization that the security of the software the government purchases has a lot to do with how secure the government is. Now almost every development team needs some AppSec, and they want it tightly embedded in their development process. This talk will discuss how we got here and how we need to work as allies with the software development team.