Day of Shecurity 2018 Agenda

Check out what talks we have lined up for this year's conference.  As we approach the conference day, we'll be adding more speakers and sessions so be sure to check back here for the latest updates.

This year we will be offering three key tracks, each uniquely designed for wherever you may be professionally within the security industry.  Learn more about tracks below:

 
 
Start | End | 1st Floor | 5th Floor
 | | Boardroom | Training | Keynote | RM1 | RM2 | RM3 | RM4
8:00AM | 9:00AM | Breakfast / Arrival (Keynote Hall) | IT Help (RM 1) | Career Fair
9:00AM | 9:30AM | Introduction / Keynote (Deidre Diamond - CyberSN/Brainbabe, Vijaya Kaza - Lookout, Astha Singhal - OWASP)
9:30AM | 10:15AM | OWASP WORKSHOP | BURP SUITE WORKSHOP | Deidre Diamond | Media / PR / DoS Staff | Robert Fly / Nicole Fish | Kelly Albrink | Ty Sbano
BREAK
10:30AM | 11:15AM | | | Kristy Edwards | | Robert Fly / Nicole Fish | Kelly Albrink | Ty Sbano
11:15AM | 12:00PM | | | Amanda Rousseau | | Robert Fly / Nicole Fish | Kelly Albrink | Ty Sbano
12:00PM | 1:00PM | Lunch
1:00PM | 1:45PM | OWASP WORKSHOP | TINFOIL CTF | Ari Willet | Media / PR / DoS Staff | Robert Fly / Nicole Fish | Kelly Albrink | Burp Suite Office Hours
1:45PM | 2:30PM | | | Carolyn Lear, Jyothsna Lekkala | | Robert Fly / Nicole Fish | Kelly Albrink | Burp Suite Office Hours
BREAK
2:45PM | 3:30PM | | | Manju Mude | | Robert Fly / Nicole Fish | Kelly Albrink | Burp Suite Office Hours
3:30PM | 4:15PM | | | Heather Eggers | | Robert Fly / Nicole Fish | Kelly Albrink | Burp Suite Office Hours
BREAK
4:30PM | 5:00PM | WOMEN IN SECURITY PANEL (Manju Mude, Deidre Diamond, Ainsley Braun, Astha Singhal, Eva Galperin)
5:00PM | 5:30PM | WRAP UP CEREMONY / RAFFLE (Keynote Hall)
5:30PM | 6:30PM | CELEBRATE && SOCIALIZE (5th Floor)
8:00AM
9:00AM

Breakfast / Arrival

Keynote Hall

Welcome to Day of Shecurity

 
9:00AM
9:30AM

Introduction / Keynote

Keynote Hall

Deidre Diamond - CyberSN/Brainbabe, Vijaya Kaza - Lookout, Astha Singhal - OWASP

 
9:30AM
12:00PM

Surbhi Shah - OWASP Workshop

Boardroom

This workshop will help you understand the vulnerabilities most frequently found in web applications. The hands-on workshop will go in depth about OWASP Top 10 vulnerabilities and will cover their causes and implications for vulnerable websites and help you identify and fix them when you see them in code.

 
9:30AM
12:00PM

Jason Haddix, Leif Dreizler - Penetration Testing with Burp Suite

Training Room

Become a better developer by breaking things! Learn how to brute force passwords, drop databases, scan websites for vulnerabilities, and more by learning how to use Burp Suite, an indispensable tool for penetration testers. This is a highly-technical track that will feature full access to the professional version of Burp Suite during the conference. Attendees will be required to have Burp Suite running prior to the event. The morning session will feature three full hours of hands-on classes. After lunch, there will be a self-directed lab so users can follow their own interests and utilize teaching assistants with expertise in the tool.

Sections:

A fast-paced introduction to Burp
  • Browser profiles
  • Helper Extensions
  • Burp Site map
  • Burp Proxy
  • Burp Scope
Threat Modeling and Content Discovery
  • Burp Spider
  • Burp Content Discovery
Fuzzing for vulnerabilities
  • Understanding Burp Scanner
  • Manually Fuzzing with Burp Intruder
  • SQL Injection
  • CMD Injection
  • ++
  • IDOR enumeration with Intruder
  • Helpers for Fuzzing (Seclists and FuzzDB)
Auxiliary Burping
  • Password Bruteforce with Intruder
  • Forms
  • Basic Auth
Useful Burp Extensions
  • IDOR - AuthMatrix, Autorize
  • Attack Selector
  • Logging++: Flow, Logger++, Error Message Checks
  • HUNT

Prerequisites:

Come with Burp Suite Pro installed and ready to use. This includes:

  • Burp Suite installed
  • Burp Suite's SSL certificate installed in your browser, so that you can see HTTPS traffic in the Proxy tab.
  • Chrome or Firefox installed and configured with Burp as its proxy. For easy switching of proxy settings, a Chrome or Firefox extension such as FoxyProxy is recommended.
The best guide is Portswigger's "Installing and Configuring Burp" page located here:

 
12:00PM
4:15PM

Divya Natesan - OWASP Workshop

Boardroom

This workshop will introduce the participants to the techniques needed to remotely detect and validate the most common vulnerabilities in web applications. Participants will gain experience in automated and manual testing with Burp Suite and other popular tools in the industry. Participants will leave with an understanding of how to find and exploit the most common and high-impact vulnerabilities in web applications.

 
12:00PM
4:15PM

Tinfoil CTF

Training Room

Come join us for the first ever Shecurity Capture The Flag (CTF)! A CTF is a set of challenges and puzzles where you’ll learn all sorts of practical ways to hack software. You can participate with an existing team, or we will assign you one, so you won't be doing this alone. Even if you have done CTFs in the past, there are still plenty of interesting challenges to be had during this session! Whether you’d like to learn web security, reversing, or social engineering, we've got you covered.

 
9:30AM
10:15AM

Deidre Diamond - Hack Your EQ: Grow Your Career

Keynote Hall

Did you know that Emotional Quotient (EQ) is capable of evolving over the course of your entire life? The studies show that it is EQ that determines success. So what is EQ and what are the soft skills that make up EQ? How can you leverage these soft skills to move up the leadership ladder, and how does the lack of EQ skills impact our community's job retention and happiness statistics? Learn the art of making and managing measurable agreements, win-win communication, and how to use lean language.

 
10:30AM
11:15AM

Kristy Edwards - 5 New Attack Surfaces that Need Female Security Minds

Keynote Hall

Every industry needs security talent, and this talk looks at 5 industries with unique attack surfaces that will benefit from intelligent, creative security pros. We’ll use what we know from analyzing today’s attack surfaces (e.g., web-facing apps, cloud services) to examine what’s unique about each of the new areas. The talk highlights how each of the 5 areas uniquely needs people with skill sets that you may already have or be willing to develop.

 
11:15AM
12:00PM

Amanda Rousseau - Introduction into Reverse Engineering Malware Techniques

Keynote Hall

Reverse engineering is a core skill in the information security space, but it doesn’t necessarily get the widespread exposure that other skills get, even though it can help you with your security challenges. In this session we will go over recognizing common malware techniques through light dynamic and static analysis. These malware techniques will include entrenchment, obfuscation, and command and control. We will also go over various tools, assembly language and reverse engineering concepts that you will need as a foundation for looking at malware.

 
1:00PM
1:45PM

Ari Willet, Shelley Wu - Consulting Skills in Security

Keynote Hall

Skills gained while consulting can give you a huge leg up in having a successful security career. Don’t want to spend a few years in consulting to reap the benefits? We don’t blame you! Security is a team sport that all departments within a company need to play. As security professionals (or aspiring security professionals!), we need to garner support and partner with other groups to get security initiatives accomplished. We’ve put together a crash course in skills for success in security (and, honestly, most other careers). Join us to learn these time-tested methods to make more inroads at work and put your projects on the road to success!

 
1:45PM
2:30PM

Carolyn Lear - A Secure Development Lifecycle (SDL) Primer
Jyothsna Lekkala - Threat Modeling Overview & Pro-Tips

Keynote Hall

Carolyn will review the purpose of SDL, and how it can integrate in an automated fashion into an agile development environment and processes. SDL developer training and Champion supporting programs will also be discussed so the audience can walk away with actionable ideas to try within their organization.

Jyothsna's presentation includes a brief overview of threat modeling, and a collection of often-missed real-world security design gaps during the Design Phase within the Development lifecycle. Armed with these commonly missed threats, and how to identify them, the audience will be ahead of the game when creating threat models!

 
2:45PM
3:30PM

Manju Mude - Risk and Reward

Keynote Hall

You’ve heard the phrase “without risk, there is no reward”. This talk explores the common patterns women take around careers in infosec and what's holding them back from achieving their dreams. Being successful in infosec is more about passion and bravery, coupled with the technical aptitude the industry requires. We will discuss security career paths and reflect on taking risks leading to success!

 
3:30PM
4:15PM

Heather Eggers - How to Communicate Information Security Risks and Drive Meaningful Action

Keynote Hall

It is one thing to have a risk management program in place to identify, assess, and respond to information security risks, but the real value in information security risk management is effectively communicating risk to drive action at all levels of the company. Information security is an enterprise-wide risk that has the attention of executive leadership and boards of directors, but it can be difficult to translate technical concepts and risks into tangible business impact and value. In this session, we'll discuss approaches and techniques for communicating information security risks and aligning with the right stakeholders to drive action both at the executive/board level and at the technical/functional level.

 
9:30AM
4:15PM

Robert Fly, Nicole Fish - Oh, the Humanity: Using Behavioral Science To Improve Security

Breakout Room 2

90% of data breaches are due to human error. So what do enterprises give their employees to defend themselves against sophisticated attackers? Boring, bland, and ineffective training. In this interactive session we’ll take a step back and look at the psychology of why attacks succeed and how to take inspiration from subjects like behavioral science and gamification to empower individuals and start addressing this long-standing gap.

 
9:30AM
12:00PM

Kelly Albrink - Network Penetration Testing Toolkit: Netcat, Nmap, and Metasploit Basics

Breakout Room 3

Learn the top three tools needed to get started in network penetration testing. This hands-on workshop will have you port scanning, creating payloads, and popping shells. Laptop required. Please come with a fresh Kali or ParrotOS virtual machine installed.

 
9:30AM
10:15AM

Ty Sbano - 101: Overview of threat modeling

Breakout Room 4

Threat modeling is an advanced term for something that you as a security professional are already constantly doing. Come learn the basics of how to threat model applications to provide an effective risk assessment for critical / high risk projects with tangible outcomes for your customers. Also learn where threat models can be successful and the common fallacies of threat modeling, especially when trying to deploy it at scale to 1000s of apps vs. 1 flagship application. The presenter will provide real-world stories of where threat modeling has worked and failed from practical examples.

 
10:30AM
11:15AM

Ty Sbano - 201: Advanced threat modeling in a DevOps world (aka Hacker Stories)

Breakout Room 4

As tech continues to change, there is a growing need for rapid iteration and targeted requirements built into existing development lifecycles. Having the proper skills to hone in on what is important is an art, not a science. As a security professional your job is to empower the business, and this segment will provide a mindset and process to advance security integration at the requirements gathering / design phase. This course will focus on a very practical approach to threat modeling while building a greater culture of security.

 
11:15AM
12:00PM

Ty Sbano - 301: Threat Modeling in Action or BYOTM (Bring Your Own Threat Model)

Breakout Room 4

This will be an open working session where attendees can bring their own scenario to be threat modeled. It is recommended that anything brought as an example be anonymized to avoid any conflicts of interest. On the off chance we do not have an actual live example, we will review a practical real-world example together.

 
4:30PM
5:00PM

Manju Mude, Deidre Diamond, Ainsley Braun, Astha Singhal, Eva Galperin - Day of Shecurity Town Hall

Keynote Hall

Come with your thoughts and questions about the day as we have an open air conversation about your Day of Shecurity experience.

 
5:00PM
5:30PM

Wrap Up Ceremony / Raffle

Keynote Hall

...