Our flagship gathering NowSecure Connect 2019 — the premier event for mobile DevSecOps and OSS — is just around the corner on June 3 – 4 in Washington, D.C.
Featuring more than 30 speakers, three dedicated tracks and two full days of events, Connect19 offers hands-on training, demos, case studies, keynotes and ample opportunities for fun and networking at no charge to attendees. Here is a rundown of all the great sessions and speakers.
And don’t miss the NowSecure Connect-i-thon Monday Night. Join us for cocktails, food, games and a CMD+CTRL Capture-the-Flag competition hosted by our friends at Security Innovations.
Welcome to OSS Track
David will welcome attendees, introduce the two-day agenda, share his latest insights on the industry and frame the discussion around best practices for building out your mobile appsec testing tactics and toolkit.
Objection: the Journey into Creating a Mobile App Hacking Toolkit
Take a trip back in time to when our idea of runtime instrumentation existed merely as a few hacky Python scripts. Two defining pentests will be used as case studies that shaped the future of what would ultimately become Objection. Along the way, lessons learnt and technical challenges that were solved with the help of FRIDA will be discussed.
APKiD: Fast Identification of Android Appshielding Products
The APKiD tool (like PEiD, but for Android apps) fingerprints compilers, packers, obfuscators, and protectors to provide context about how the APK was potentially built or changed after it was built. The talk will cover the latest changes in the project and give an overview of application shielding and RASP (Runtime Application Self-Protection) products in the Android ecosystem.
FRIDA: Dynamic Instrumentation Toolkit
Ole André Vadla Ravnås
Ever wanted to understand the internals of an app running on your phone? Want to know what data is passed to a particular crypto function? Then Frida is for you! This talk will introduce Frida and show how it can be used to help analyze binary applications. It will be packed with demos.
RADARE2: The Reverse Engineering Toolkit
Sergi “Pancake” Àlvarez
Reverse engineering is a wide concept that covers several aspects and fields in the computer security world. This presentation will present the benefits of using RADARE2 from the perspective of an advanced analyst doing static and dynamic analysis on mobile applications to verify whether the application has security or privacy flaws. It will also show how to integrate RADARE2 with other tools like Yara or Frida, script it with r2pipe, and much more.
r2dec: Decompilation Challenges with Mobile Languages
Giovanni Dante Grazioli
This talk will explain how RADARE2 interfaces with r2dec and outputs meaningful pseudocode for newer targets such as ‘dalvik’ and ‘Objective-C’, and will provide a series of examples for use in your research.
Libimobiledevice: iOS Automation, Instrumentation, and Other Shenanigans
libimobiledevice is an open source framework that allows communication with iOS devices without the need for iTunes or other Apple software. This presentation will give an introduction to how it works, its development history, highlights from the past, and use cases of the library and tools for security research, e.g. creating a fuzzing environment.
Capstone v5: Latest on Open Source Disassembler Framework
Nguyen Anh Quynh
Capstone is a lightweight multi-platform, multi-architecture open source disassembler framework. Soon to be 6 years old, Capstone has served as the foundation of various binary analysis research & development efforts in the security industry & academia. This talk briefly looks at the history of the Capstone disassembler, with some untold stories. We will present the challenge of maintaining & continuing development of Capstone, the features of Capstone v5, and what lies ahead in the project’s future.
KillerBee: Assessing IEEE 802.15.4/ZigBee Attack Surface
Mobile devices increasingly connect via gateways with IoT devices, many of which are built on ZigBee (or other protocols atop IEEE 802.15.4). The security of these networks can’t be assessed via IP network scanning or mobile application assessment, yet they present upstream risks to traditional networks or via the data used in mobile apps. KillerBee continues to be the primary tool for manufacturers and penetration testers to assess these networks. We will discuss the various options someone has to assess their networks using KillerBee and provide a ‘quick start’ orientation to the tool to make it easy for people to get started successfully.
DWARF: Bypassing the Latest Reversing Blocking Techniques
Learn how major app developers, mostly gaming, protect the user-space from tampering and hide secrets inside the memory layout. I’ll show some of the sickest logic I’ve met that is used to prevent debugging and code flow altering. I’ll speak about the DWARF debugger I’ve created together with some guys in the crew to fight those new techniques and extend the capabilities of FRIDA by joining subsystem knowledge and open source tools.
SEDATED℠: New Tool for Preventing Credential/Token Saving in Git
Simeon Cloutier, Allstate
Learn about the new OWASP SEDATED℠ Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) that focuses on preventing sensitive data such as user credentials and tokens from being pushed to Git.
HYGIEIA: Performance Dashboards for DevOps
Rajesh Dhanaraj, Capital One
Learn about Hygieia, a single, configurable open source dashboard that provides critical health monitoring and visibility, enabling improved IT decision making, better software quality, and speed. Hygieia is powered by a Project Consortium of leading-edge DevOps enterprises.
OSS Lightning Talks
Hear from multiple security researchers and tooling engineers on their latest work and discoveries.
NowSecure Workstation Master Class
Michael Krueger, NowSecure
This NowSecure Workstation course provides intermediate to advanced skills development. Attendees will have the opportunity to get hands-on with a live application assessment and learn advanced analysis techniques using real-world scenarios while exploring the many advanced capabilities of the NowSecure Workstation tool.
NowSecure AUTO Master Class
Brian Lawrence, NowSecure
Learn how to leverage all the core and advanced capabilities of NowSecure AUTO, from on-demand use cases to fully automated integration with your SDLC toolchain. Through example scenarios and case studies, see how to extract maximum value and insights for your mobile security program.
OWASP MASVS and MASTG Roundtable
OWASP provides two great resources for mobile app pen testers to design their security testing requirements and approaches: the OWASP Mobile Application Security Testing Guide (MASTG) and the OWASP Mobile Application Security Verification Standard (MASVS). Each has recently been updated. Join this session to learn about the content of these guides, and best practices for using them, from the NowSecure team that has sponsored these documents.
Best Practices: Threat Modeling for Mobile
Tony Ramirez, NowSecure
Threat modeling helps organizations balance risk with resources. Attend this session to gain actionable advice for crafting a risk model that ensures every mobile app has baseline security testing coverage and expands that coverage based on resilience and defense-in-depth requirements.
Best Practices: Pen Tester Expert Panel
NowSecure Pen Testing Team
In this power-packed panel, the NowSecure pen testing team will share best practices and experiences through an open Q&A format with the audience. Bring your questions and get the answers you need!
Alan Snyder, NowSecure
Hear about the NowSecure vision of mobile appsec for today and the future. Alan will discuss the latest developments in digital and mobile transformation, appsec trends we are seeing across our customer base and the industry, and share details on the NowSecure strategy.
Case Study: Secure by Design
Ethan Wilder, Allstate
Discover how Allstate partners, coaches and trains development teams to incorporate secure by design into their SDLC through DevSecOps to scale their organization.
Case Study: Automating Mobile AST in the CI/CD Process
Joseph Vinikoor, American Express
An American Express leader shares the secrets to success in gaining visibility into the dev operation and instilling a DevSecOps culture and CI/CD automation. Hear stories about the company’s journey to automating every build and breaking the build if a high-risk vulnerability is present.
NowSecure Product Strategy
Warren Smith and Jeff Fairman, NowSecure
This session will cover the NowSecure Platform and product suite from where we’ve been to where we are going. Learn about the foundations of our technology and engineering approach, check out our own internal DevOps toolchain that we use to produce our software, and get a peek at the product strategy and exciting roadmap ahead.
DevSecOps Industry Panel
Leaders and experts from Brinqa, Security Innovations, Sonatype and NowSecure will weigh in on the latest DevSecOps trends they’re seeing their customers adopt, discuss recent survey data of interest, and share best practices for delivering secure apps faster.
Case Study: Transforming DevOps Securely
Sean Poris, Verizon Media
Combining brands like Yahoo, HuffPost and TechCrunch, Verizon’s media group transforms how people stay informed and entertained, communicate and transact in a fast-moving world. In this session, Sean will share his experiences and tactics for enabling the organization to move fast while delivering high-quality, secure software.
Case Study: Accelerating Secure Mobile App Release Velocity
Michael Cantor and Victor Jereza, SAIC
Federal agencies and commercial enterprises alike depend on delivering secure mobile apps. In this case study, learn about how SAIC improved time to market for mobile apps with security built-in for their agency clients.
Fireside Chat: Building & Certifying a High Security Commercial Messaging App
Ali Elkoni, Vaporstream
Meet the CTO of Vaporstream, the world’s highest-security commercial mobile messaging application, and learn about its comprehensive security approach to building and certifying the messaging system to deliver maximum protection.
Fireside Chat: Mobile Transformation
Hear from an expert guiding major global enterprises through their digital and mobile transformations, ensuring high-quality, secure delivery that drives organizational success.
Lessons Learned: Measuring & Managing Mobile App Risk
Andrew Hoog, Founder, NowSecure
In this session, Andrew Hoog, founder of NowSecure, draws on over a decade of experience working with the Federal Government and commercial organizations while exploring the latest trends and best practices for addressing mobile app risk. Andrew will discuss a practical framework for understanding, modelling and managing risk in federal agencies.
Breakout: Mobile Threat Assessment Scoring & Weighting
In this session, attendees will break out into small groups to discuss specific questions and map out approaches for scoring and weighting key aspects of mobile threat assessments. Groups will then read out their results, which will be collated, documented and shared with all attendees after the event.
Demo: Mobile CDM in Action
See a live demonstration and discuss the path agencies can follow to implement Mobile CDM (Continuous Diagnostics and Mitigation).
Scaling app vetting from 125 to 16,000 apps
App Vetting & RMF
A DevSecOps Approach to Building NIAP Compliant Apps
NIAP Compliance & Path to Continuous ATO
Michael Krueger, NowSecure
The path to ATO with NIAP compliance can be slow and frustrating. Dig into the latest NIAP requirements and see how NowSecure is expanding NIAP capabilities for automated app vetting.
Scaling Mobile AppSec Testing with Automation and Full Coverage
Brian Lawrence, NowSecure
For years the only way to get a full mobile pen test was to train or hire experts, wire many tools together and take 1 to 2 weeks to get it done. In this session, see how innovations in automation built upon advanced security testing tools like FRIDA and RADARE have led to a new reality of performing a full-coverage pen test in less than 1 hour, which is necessary to scale capacity to test high volumes of mobile apps that release rapidly.
Scaling Mobile AppSec Reporting
Michael Krueger, NowSecure
Michael has delivered hundreds of pen test reports. Learn how he developed a framework and tooling to rapidly assemble reports from a multitude of testing tools to meet varied reporting requirements.
SIGN UP NOW
Once again, spots are filling up quickly and we don’t want you to miss out on this learning opportunity. Register at no charge by our May 22 deadline.