AppSec USA 2016 has ended

Thursday, October 13


The Ways Hackers Are Taking To Win The Mobile Malware Battle

In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. 

In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis & dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. 

During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around...

Thursday October 13, 2016 9:30am - 10:30am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...

With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.

Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several...

Thursday October 13, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software
Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated with the previous two.

Core to the DevOps movement is the idea of building empathy with people in other teams in order to align for business success. This talk provides the perspectives of three engineers who have each lived primarily in one of Dev, Ops, or Security, but have also worked collaboratively to try not to kill each other. They will talk about their backgrounds, provide practical examples from daily experiences, and share suggestions on building common tooling that minimizes friction and enhances collaboration.

This talk will discuss:
- The misalignment of priorities that organisations often force upon these groups
- Struggles with collaboration and working cultures
- Common bottlenecks associated with release cycles and security processes
- Building empathy and optimizing for communication that doesn't involve fisticuffs (or other 19th century combat styles)

The audience will come away with:
- Ideas for handling these complicated situations
- Approaches for building workflows and possible tooling suggestions to minimize the tire fires
- A new appreciation for those on the other sides of the silo walls

Chris Barker

Turning in his pager for an airline miles membership, Chris Barker now helps fellow system administrators refine and automate their infrastructure. In his past life as a systems administrator, he has administered Linux, Windows, and OS X systems in infrastructure ranging from small...
Adrien Thebo

Adrien is a software engineer at Puppet. He started in IT Ops in 2005 and started writing code to automate everything, inadvertently becoming one of the earliest devops hipsters (he did devops before it was cool). Adrien joined Puppet in 2011, first on the Operations team where he...
Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial...

Thursday October 13, 2016 9:30am - 10:30am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Practical Static Analysis for Continuous Application Security
Static code analysis tools that attempt to determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result very few tools exist and commercial tools are very expensive - if they even support your programming language.

The good news is building targeted static analysis tools for your own environment with rules specific to your needs is much easier! Since static analysis tools can be run at any point in the software development lifecycle, even simple tools enable powerful security assurance when added to continuous integration. This talk will go through straightforward options for static analysis, from grep to writing rules for existing tools through writing static analysis tools from scratch.

Justin Collins

Brakeman Guy
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. His commercial product, Brakeman Pro, was acquired by Synopsys in 2018.

Thursday October 13, 2016 10:45am - 11:45am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


SPArring with the Security of Single Page Applications
When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, Muay Thai for the stand up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent. 

When doing battle with a SPA, a pen-tester must become an MMA hacker…A Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
- Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
- Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
- Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
- Interconnectivity layer: Get to know how SPAs are often interconnected with 3rd party APIs or presentation elements and how this can create security issues that get inherited from trusting the 3rd party.
- Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...

Thursday October 13, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Your License for Bug Hunting Season
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.

Jim Denaro

Partner, CipherLaw
Jim is a registered patent attorney in the Washington, D.C. area and advises clients on offensive and defensive applications of intellectual property. Jim has particular expertise in information security and cybersecurity technologies, and is a frequent speaker and writer on the subject...
Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...

Thursday October 13, 2016 10:45am - 11:45am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Barbarians at the Gate(way)
This talk will examine the tools, methods and data behind the DDoS and web attacks against cloud platforms and traditional architectures that are prevalent in the news headlines.

Using collected information, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated attacker.

We will look at their motivations and rationale and try to give you some sort of understanding of what patterns to be aware of for your own protection.

Dave Lewis

Global Advisory CISO, Duo Security
Dave Lewis has twenty five years of industry experience. He has extensive experience in IT security operations and management including a decade dealing with critical infrastructure. Lewis is a Global Advisory CISO for Duo Security (now Cisco). He is the founder of the security site...

Thursday October 13, 2016 1:00pm - 2:00pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Next Gen Web Pen Testing: Handling Modern Applications in a Penetration Test
As technology advances and applications make use of newer technology, our penetration testing techniques and methods have to keep up. In this presentation, Jason Gillam and Kevin Johnson of Secure Ideas will walk attendees through new web technologies and how testing methods can change to handle the nuances. Some examples of technologies and changes that will be discussed during the talk are HTTP/2, CSP, CORS and RESTful APIs. During the presentation, Kevin and Jason will walk through each new system or feature and methods to test it. After presenting these techniques, Jason and Kevin will walk through the new modern vulnerable application and the release of the new SamuraiWTF 4.0.

Jason Gillam

Secure Ideas LLC
Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to...
Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...

Thursday October 13, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Using language-theoretics and runtime visibility to align AppSec with DevOps
Programming languages are becoming more powerful and capable, and applications more porous than ever before -- burdening developers and security professionals alike. Evolving constraints, patterns and definition lists make validating data inputs and preventing injections while maintaining application performance unwieldy and difficult. Nobody wants vulnerabilities in their code, but with the rise of Agile DevOps, security is usually playing catch-up. 

A new breed of embedded runtime security tools coined Runtime Application Self-Protection (RASP) are enabling developers and security admins to see beyond potential vulnerabilities and identify the actual attacks that are hitting their applications in production. RASP comes in several shapes and sizes, and this talk is designed to introduce the audience to the RASP implementation based on the LANGSEC methodology and its mission to align Security and DevOps – giving both teams the visibility and automation they need to work in synchrony.

LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and it's ready for a mainstream debut. LANGSEC attempts to use the grammar and linguistic constructs of the programming language itself to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application (XSS, SQLi, command injection, CSRF, format string, stack / heap overflow, file inclusion).

This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained a lot of traction as a much more robust approach to securing and releasing applications more quickly and easily.

Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal...

Thursday October 13, 2016 1:00pm - 2:00pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Cleaning Your Applications' Dirty Laundry with Scumblr
Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed every day, code is pushed every hour, and systems are spun up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool called Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding of how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tool, including details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, and GitHub, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.

Scott Behrens

Senior Application Security Engineer, Netflix
Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise...
Andrew Hoernecke

Andy Hoernecke is a Senior Application Security Engineer on the Product and Application Security Team at Netflix where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security...

Thursday October 13, 2016 2:15pm - 3:15pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Should there be an Underwriters Laboratories certification for software in IoT products?
The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited. 

UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.

This panel will discuss the pros and cons of the Cyber Assurance Program’s pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.

Josh Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The...
Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD is CEO of Code Dx, Inc. which provides open-source and commercial application security solutions based on advanced technologies developed by Secure Decisions, an R&D organization which she had also directed. Her roots are in experimental psychology and human factors...
Kevin Greene

Department of Homeland Security, Science and Technology
Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed...

Thursday October 13, 2016 2:15pm - 3:15pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Threat Modeling with Architectural Risk Patterns
Current approaches to Threat Modeling emphasise manual analysis typically performed by developers together with a security specialist. This has a high initial cost, both in terms of time and the skills required to perform it. Both of those constraints are under pressure as organisations increase the speed and volume of software development. In enterprise environments there is the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process. Lack of necessary security skills is also a reason that many smaller companies never attempt threat modeling in the first place.

This talk will present a software-centric method of threat modeling that uses risk patterns to increase the speed of creating a threat model and that also introduces a degree of consistency into the process. We’ll present a series of incremental improvements to the use of risk patterns from a simple checklist-based approach to the use of a flexible rules engine.

This method could be implemented by tooling to automatically generate a threat model based on architectural decisions. The technique employs principles from Object Oriented software design such as inheritance and method overloading so that the contents of the patterns can be practically maintained and extended without unnecessary repetition. Organisations can use this method to extract the expertise from their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.

Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. His background is in software development and security testing...

Thursday October 13, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


How to Find the Next Great Deserialization CVE
The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE. 

The commonalities between deserialization attacks will then be discussed, laying the framework for a "how to" guide on finding and exploiting deserialization vulnerabilities.

The talk will also explain the incredible difficulty faced when using traditional appsec defenses (input validation, signaturing) to stop these vulnerabilities, and explain free and open source options for builders to protect themselves from such attacks.

Arshan Dabirsiaghi

Chief Scientist, Contrast Security
Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role where he used static and dynamic technology to perform security...

Thursday October 13, 2016 3:30pm - 4:30pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


HTTPS & TLS in 2016: Security practices from the front lines
Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?
Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS.

Eric Mill

Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.
Kenneth White

Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job...

Thursday October 13, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


When encryption is not enough: Attacking Wearable - Mobile Application communication over BLE
Communication protocols have evolved from the traditional Serial and LAN ports to complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables which are low energy, low performance computing systems. The BLE standard specification provides for a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high level flows to correctly design secure communication channels between a phone application and the wearable device.

Chandra Prakash Gopalaiah

Intel Corp
Chandra has worked in software development and security domain for about 8 years in various roles. Prior to joining Intel, he worked for Motorola Mobility Inc., in Android development. He has a Masters degree in Computer Science from San Diego State University
Sumanth Naropanth

Intel Corp
Sumanth has worked in the information security industry for a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Masters in Computer Science (Security...
Kavya Racharla

Intel Corp
Kavya has a Masters in Information Security from the Johns Hopkins University and a passion for Security. She worked for Oracle and Qualcomm’s security teams before she started her current job at Intel.

Thursday October 13, 2016 3:30pm - 4:30pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001
Friday, October 14


Protect Containerized Applications With System Call Profiling
Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container. In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile at runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically from analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.


Chenxi Wang

Dr. Chenxi Wang is Chief Strategy Officer of Twistlock, where she is responsible for product strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security...

Friday October 14, 2016 9:30am - 10:30am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Putting an “I” in Code Review – Turning Code Reviewing Interactive
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique. 


Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and...

Friday October 14, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Why using SMS in the authentication chain is risky and what better options are available
Passwords are horrible for security. Over the past 20 years we’ve bolstered the password with other factors, the most common being a one time password (OTP, TOTP, HOTP) that is either generated on a physical device the user holds, in a smartphone app or most commonly sent via SMS. Using SMS for authentication is not secure. We’ve known this for years, but recently we’ve been reminded of this with problems with Google and Apple SMS security. 

SMS is important to ensure we have a backup way of allowing people to login to systems, but it should always be a last resort. So what’s the first resort? Second factors to the password need a different communications channel to the one a user is authenticating to. SMS is not secure, but push notification methods are. It is possible to initiate a communication channel via Apple, Google and Microsoft mobile notification networks. At the end of these push notifications is a secured app that in turn securely communicates with the 2FA back end. Not only is this method more secure, it’s actually a far improved user experience that can be extended beyond the login to secure in application transactions.

This presentation will go over the limitations of traditional two-factor methods and introduce the improved approach using a push notification channel to achieve the same goal, i.e. authenticate a user identity by validating the initiating request comes from a person who has something in their possession which is trusted.


Simon Thorpe

Director of Product, Twilio - Authy
Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information...

Friday October 14, 2016 9:30am - 10:30am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Exploiting CORS Misconfigurations for Bitcoins and Bounties
Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.


James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience...

Friday October 14, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Patterns of Authentication and Self-Announcement in the Internet of Things (IoT)
The need to connect ‘things’ to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT:
1. Physical access and infinite time available to adversaries to take apart devices 
2. Lower computation power of standalone devices 
3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised 
4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference. 
In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs could be modelled using the above elements. For major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios: 
• Home automation as enabled by NEST devices
• Device collaboration in Zigbee-based networks
• Smart inventory management using NFC/RFID
• Remote device control based on XMPP (SASL authentication)
The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case.


Farbod H Foomany

Senior Security Researcher (Tech. Lead), Security Compass
Farbod H Foomany is a senior application security researcher (technical lead) at Security Compass. He has a bachelor's degree in electrical engineering (control systems), a Master's degree in artificial intelligence and robotics, and has completed a PhD with main research on security aspects...

Amir Pourafshar

Application Security Researcher, Security Compass
Amir Pourafshar is an application security researcher at Security Compass. Amir is currently part of a research team working on an IoT project that aims to investigate and formulate the security requirements of system design/development in internet of things (IoT) ecosystem. Amir...

Friday October 14, 2016 10:45am - 11:45am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Practical tips for web application security in the age of agile and DevOps
The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfall development and its heavyweight controls often cause more problems than they solve in today's world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:
1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
3) Measure maturity of your organization's security efforts in a non-theoretical way


Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding...

Friday October 14, 2016 10:45am - 11:45am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Automating API Penetration Testing using fuzzapi

Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature development teams – which include internet giants Facebook, Google and Microsoft etc.

Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to solve the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOps engineers and Penetration testers have no standard platform that provides coverage of common vulnerabilities typically found in APIs. It has been a challenge for penetration testers to practice security testing on APIs across multiple platforms in the absence of such vulnerable applications.

Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. 

As part of this presentation, our team will release an API Fuzzer as an OWASP Project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to Pen Testing. Pen testers can also use this tool against various APIs during their testing, which will allow them to automate a few tasks.


Abhijeth Dugginapeddi

Abhijeth D (@abhijeth) is a security Consultant working for a bank in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application/Mobile/Infrastructure Security. Believes in need for more security awareness...

Lalith Rallabhandi

Lalith Rallabhandi (@lalithr95) currently works as a Developer Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. Likes to code, break stuff mostly with web applications and is a Ruby on rails Enthusiast. Found bugs with Google, Microsoft...

Friday October 14, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


DevOops: Redux
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:

- AWS Hardening
- AWS Monitoring
- AWS Disaster Recovery
- GitHub Monitoring
- Software Development Practices/Processes
- Secure use of Jenkins/Hudson
- Developer laptop hardening (OS X)


Chris Gates

Sr. Security Engineer
Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon...

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...

Friday October 14, 2016 1:00pm - 2:00pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Needle: Finding Issues within iOS Applications
Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases; however, iOS does not have an equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.

We will be describing the tool's architecture, capabilities and roadmap. We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided). 


Marco Lancini

Security Consultant, MWR InfoSecurity
Marco Lancini is a Security Consultant at MWR InfoSecurity in the UK, specialising in mobile applications. He works assessing apps and device configurations for a number of large organisations including banking, financials, telco, and energy providers. He has a Master's degree in Engineering...

Friday October 14, 2016 1:00pm - 2:00pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


If You Can’t Beat ‘Em Join ‘Em: Practical Tips For Running A Successful Bug Bounty Program
Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.


Grant McCracken

Solutions Architect, Bugcrowd
Grant is currently the Director of Program Operations and Solutions at Bugcrowd, and has been in the application security space for the last eight years, and the bug bounties for the last five. He's gotten his OSCP, given talks at Appsec USA and EU, and enjoys helping others get into...

Daniel Trauner

Daniel Trauner is a Senior Application Security Engineer at Bugcrowd – a crowdsourced cybersecurity solution. He works with (and is sometimes a part of) the thousands of security researchers worldwide who collectively attempt to understand, break, and fix anything that companies...

Friday October 14, 2016 2:15pm - 3:15pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Misconfigured CORS and why web application security is not getting easier.
Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like Facebook, Google, and the like. These orgs are very mature and oftentimes roll out the newest, latest, greatest security features.

Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1 million sites that caused sites to basically turn off SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficulty understanding the details of the CORS headers that caused the issue. Lots of things to understand.

I want to then talk about individual security technologies and the operational issues associated with them.
- CORS etc etc etc.

There's a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.


Evan Johnson

Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On Twitter he is @ejcx_

Friday October 14, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Scaling Security Assessment at the Speed of DevOps
Scaling Security Testing at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks have improved feature delivery and time to market, they have complicated security assessment, producing substantial gaps between the current release and the last security audited code. Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK which promotes the development of community developed security test content. This talk will explain Norad's design philosophy, architecture, and demonstrate its usage.


Blake Hitchcock

Software Engineer, Cisco
Blake Hitchcock has been building and breaking web applications for 6 years with Cisco. He loves writing in Ruby, and 'Burp' is not just something he does after a few too many kielbasas. When he's not doing web stuff, Blake enjoys fitness, food, sports, and cheering for his beloved...

Brian Manifold

Brian Manifold has worked as a software/security engineer at Cisco for the past 4 1/2 years. His main areas of interest at work are web development and web security. Outside of work he enjoys playing music, anything CNC (milling, 3d printing, etc..) related, hardware electronics...

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG) where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly...

Friday October 14, 2016 2:15pm - 3:15pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several businesses. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

Beyond providing concrete examples of how to optimize your AppSec program, the talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. It will also introduce several new OWASP projects which will help you on your journey: the OWASP AppSec Pipeline project, OWASP Defect Dojo and the AppSec Pipeline toolbox. This talk’s content plus these open source projects are more than you’ll need to get started buying down the technical security debt and unshackle you from traditional AppSec thinking.


Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...

Friday October 14, 2016 3:30pm - 4:30pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Breaking and Fixing your ‘Docker’ ized environments
This presentation extracts a few points from the CIS Docker 1.12 benchmark, which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract: The concept of containerization has been in Linux for ages in the form of jails, zones, LXC etc., but it is only in the last 2 years that it has gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Google alone spins up more than 2 billion containers per week, more than 3,300 containers per second. Inspired by Docker, Microsoft also started its container technology by extending its research project "Drawbridge". The effect of containers has already impacted the virtual machine market and this impact is going to increase significantly in the near future.

Security is always an important issue for any upcoming technology and Docker is no exception to it. This presentation starts with a brief introduction to containers vs. virtualization technology, Docker ecosystem and then goes deep into "Docker Security". It touches each and every component listed below in the Docker container pipeline and gives details about the ways on how they can be broken and then defensive measures to secure them.

Container Pipeline Components:
a) Images
b) Container Runtime
c) Host security
d) Daemon security
e) Communication security (daemon <=> client, daemon to registry etc.)
f) Registry security

Below is a brief overview of only the Images and Containers components.

1. Images
a. Image security analysis in which I have extracted more than 50 Docker Hub images (which also includes official images) and found critical vulnerabilities like Heartbleed, Shellshock, CSRF, XSS etc. in them. The presentation also provides a comprehensive security analysis of Docker Hub images, how vulnerable they are, and gives details about alternative options available for getting secure images
b. Protecting images
- Efficient scanning: binary level scanning, hash based comparison instead of version string matching mechanisms
- Docker Content Trust: Ensures authenticity, integrity and freshness guarantees (Is this really secure to use?)
- 20 golden rules to be followed for "writing Dockerfiles and maintaining images" securely

2. Containers
a. Detailed explanation about how containers isolation can be torn apart
b. Docker claims that their containers are "Secure by Default" and also a popular report on Linux containers released by NCC Group states that "Docker has strong defaults". In this presentation, I will be proving that Docker defaults are vulnerable to DoS, side channel, remote exploitation etc. vulnerabilities. Besides, I will also be explaining a few other ways of exploiting Docker containers if CIS Docker benchmark rules were not adhered to
c. 20 golden rules to be followed for ensuring secure container runtime

Apart from the topics mentioned above, this presentation also throws light on the tools available in the market for securing the container ecosystem along with the pros and cons of each tool: Twistlock, Aquasec, Nautilus etc.


Manideep Konakandla

Carnegie Mellon University
Is an Author, Security Researcher, Speaker and a J.N Tata Scholar. He is current Security Researcher + Masters student in Information Security @Carnegie Mellon University, USA and is currently researching on "Security of containers with focus on Docker". He has authored a book at...

Friday October 14, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Containerizing your Security Operations Center
As security professionals, we have no shortage of tools available to us in our offensive and defensive pursuits. How we choose to deploy, maintain, and share these tools across teams can prove to be burdensome and overly complex. Security teams are becoming swept up in the DevOps movement and we are being encouraged to bring visibility into our workflows and toolsets. This means moving things from our local boxes to a more available and collaborative environment. This talk will share lessons learned from building a pluggable, cloud-based "Security Operations Center" running entirely on containers to help security teams rapidly build out scanning pipelines, centralize alerts, investigate malware, and easily collaborate with teams across the organization. I’ll dive into the architecture and design of the cluster and how to quickly get a POC running in Kubernetes.


Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side...

Friday October 14, 2016 3:30pm - 4:30pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001