SHIFTING LEFT: '21

A one-day virtual DevSecOps conference
JANUARY 28, 2021
VIRTUAL

What to Expect


Is DevSecOps just hype or does 2021 mark a new shift and focus on securing code at the source?  

Application security is not new, but as the speed of development grows ever faster and the consequences of insecure code grow with it, we need to focus on bridging the gap between security teams and developers.

  • Learn the latest and greatest ways to seamlessly integrate security into your CI/CD workflow.
  • Get hands-on training using ShiftLeft products and open source tools.
  • Hear from leaders in the application security world on how a renewed focus on supply chain attacks and the prevention of insider attacks will shift the focus of security from the endpoint to the code.

Hear from DevSecOps Experts

Manish Gupta
CEO, ShiftLeft
Chetan Conikee
CTO, ShiftLeft
Fabian Yamaguchi
Chief Scientist, ShiftLeft
Alok Shukla
VP, Product Management, ShiftLeft
Toufiq Ali
Principal Cybersecurity Engineer, Emirates Group
Shannon Lietz
Dir. DevSecOps and Red Teams, Intuit
Subbu Viswanathan
SVP, Compliance Officer, Vineti
Yonatan Ryabinski
Enterprise Architect, Vanguard
Adam Fletcher
CISO, Blackstone Group
Stuart McClure
Ex-CEO, Cylance
Shaleen Devgun
CIO, Schneider National
Enrique Salem
Partner, Bain Capital
Dr. James Ransome
Chief Scientist, CyberPhos
Stanislav Dashevskyi
Security Researcher, Forescout
Jimmy Xu
Dir. DevSecOps & Cloud Security, Trace3
Stephen Scharf
CISO, DTCC
Dave Estlick
CISO, Chipotle
Matthew Brandman
Lead Application Security Engineer, Blackstone
Faraz Khan
Sr. Technical Engineer, Emirates Group
Rahul Maini
Cybersecurity Engineer, Emirates Group

Agenda

All times Pacific Standard Time (PST), UTC -8

07:00 - 07:30
Automatic Vulnerability Discovery with Machine Learning Approaches
Efforts to discover and eliminate software vulnerabilities before they are exposed in production systems struggle to keep up with the high influx of new code produced by modern software development pipelines. While integration and deployment are today automated and continuous, achieving the same for vulnerability discovery without significantly slowing down the continuous release process is an ambitious goal that has yet to be reached. Leveraging machine learning to automatically derive vulnerability detectors from data seems like a promising research direction toward it. In this talk, Fabian Yamaguchi discusses existing successful approaches in the area and sketches ideas for its future.

07:30 - 08:00
Learning from Practitioners - Fuzzing Security Fixes to Drive Application Security in the Dev Process
In this talk, Toufiq, Rahul and Faraz discuss the notion of fuzzing security fixes to drive application security in the dev process. How did Emirates move away from an app-sec-led process to a developer-led process? What are the learnings? How does Emirates use security unit tests to enforce and drive improvements in application security within the developer workflow?

08:00 - 08:45
A Fireside Chat - Future of Application Security
In this panel, we will discuss the state of application security with a focus on the key challenges the industry faces and on how we should measure application security to convey its value to the key stakeholders. We will conclude by discussing the opportunity that application security provides to uplift the state of security across the industry.

08:45 - 09:15
Introducing - ShiftLeft Academy
A sneak peek into our new offering, ShiftLeft Academy. Secure coding practices are proven to reduce the number of vulnerabilities introduced. However, not all developers are well versed in security. There is a lot of training material available, but it often takes hours of reading to get a good understanding. While trying to mitigate a potential vulnerability, developers are looking for information that is actionable and specific to the programming language they are using. In this session, we will look at an upcoming offering, ShiftLeft Academy, and see how developers can get context-sensitive information on vulnerabilities and potential mitigations. We will also see how this can be rolled out and managed across an entire engineering organization.

09:15 - 09:45
Static Analysis of Scala Applications Using Code Property Graph
Scala is gaining a lot of popularity in the web sphere, owing to an elegant and very versatile design that allows a fusion of object-oriented design patterns with a functional programming style. In this session, we will discuss examples of how critical vulnerabilities can occur in Scala web applications. We will go through some common SQLi and XSS patterns and see how they can be exploited from attacker-controlled sources. We will then use static-analysis-based vulnerability discovery with ShiftLeft NG-SAST to see how such vulnerabilities can be found, along with a detailed view of the exact path through the application along which the exploit can pass.

09:45 - 10:15
A ShiftLeft Joern Case Study - Zero Days in TCP Stacks by Forescout
Forescout Technologies disclosed 33 new vulnerabilities, including four remote code execution flaws, in four different open source TCP/IP stacks used by major IoT, OT and IT device vendors, according to a recent report. In this session, Stanislav Dashevskyi (a member of Forescout's Project Memoria initiative) will discuss with Fabian Yamaguchi a recent study on the security of TCP/IP stacks. The new vulnerabilities, dubbed "Amnesia:33," were discovered during an analysis of seven open source TCP/IP stacks, including uIP, picoTCP, FNET, Nut/Net, lwIP, CycloneTCP and uC/TCP-IP. The analysis was conducted using static analysis and fuzzing techniques. The team used ShiftLeft's open source Joern (www.joern.io) static analyzer, which contributed to 67% of the 33 discovered vulnerabilities.

10:15 - 10:45
Interactive Bug Hunting with ShiftLeft Joern and Ocular
While the world aims to automate every aspect of everyone's life, the zen masters of the security world still practice the lost art of exploring code. And rightfully so: some bugs are just deep, outright complex to model, and need custom solutions to help model them before bringing in automation. All code is a graph, and Ocular and Joern provide the necessary framework to ask questions of that graph intelligently. In this session we will show how Ocular and Joern are used to interactively query the code property graph (CPG) and find vulnerabilities with precision and accuracy. Each of these queries can then be chained to form a custom DIY bug hunting tool that you can deploy in your CI/CD environments.

10:45 - 11:15
Static Analysis of Python Applications Using Code Property Graph
This talk is a tour of what it takes to build a security-focused static code analyzer for Python. You will learn about the challenges one might encounter while building an advanced Static Application Security Testing solution, how the Code Property Graph, an innovative data structure, provides an in-depth view into the security posture of Python web applications, and what considerations are important when distributing this software to users, ending with a live demo of an XSS vulnerability found with NG SAST.

11:15 - 11:45
Analyzing Modern JavaScript and TypeScript Applications
JavaScript is arguably the most important modern programming language, but despite its massive popularity, it is inherently very difficult to secure. Code quality testing is commonplace to protect the main branch from defects. Tools such as ESLint, Jest and Cypress are used to execute linting rules and unit tests to ensure new code doesn't break the application before it reaches the main branch. Most organizations do not enforce similar security testing and quality gates in pull requests to protect their master branches. This talk will cover a developer-friendly model to analyze code and insert security build rules for JavaScript.

11:45 - 12:30
A Fireside Chat - Application Security, a Sisyphean Struggle for CISOs
In this panel, we will discuss the state of application security with a focus on the key challenges the industry faces and on how we should measure application security to convey its value to the key stakeholders. We will conclude by discussing the opportunity that application security provides to uplift the state of security across the industry.

12:30 - 01:00
SolarWinds: A Live Analysis with ShiftLeft Ocular
Insider threats are one of today's most challenging cybersecurity issues and are not well addressed by commonly employed security solutions. They are also one of the most challenging attack models to deal with in practice. In this session we will walk through a live forensic code auditing exercise of the Solorigate supply chain insider attack (SUNBURST, SUPERNOVA and SUNSPOT) and also discuss detection techniques for the early phases of the SDLC (Software Development Lifecycle).

01:00 - 01:30
Developer Workflow for CSharp Apps in Azure DevOps
Azure DevOps is a comprehensive service for handling C# workflows. Teams use Azure Repos to develop and collaborate on C# applications, and Azure Pipelines to build and test their apps on every push or pull request. The extensibility of Pipelines allows teams to easily integrate various tools and checks to satisfy their development or security requirements without disturbing the developer workflow. In this session we'll explore a typical C# developer workflow using a .NET app on Azure DevOps. We'll seamlessly integrate security scanning into this workflow, see examples of security vulnerabilities in a C# app, and implement build rules to prevent security issues from being introduced into production code. In addition to demos, we'll talk about how these practices are implemented in the real world at a large financial organization.

01:30 - 01:45
HackerGirl - A ShiftLeft Partnership
Shannon Lietz and Vickie Li will introduce the HackerGirl program and highlight ShiftLeft's initiative as part of this program. HackerGirl is a community-based concept where we are starting to enumerate a site and pathways to follow, along with heroes to learn from. Using this concept, we will partner to create a rich ecosystem for learning and for promoting job opportunities. Using this capability, we will highlight where we find successes, build goals, and ask for and offer programs for uniting women in transforming the industry. As part of this community, we are looking for companies to create programs that foster opportunities for women and our allies.

01:45 - 02:15
From Zeroes to Heroes - Securability of Applications
It's not easy to make room for solving all problems end-to-end. As technology advances, complexity increases and ruins our opportunity to work on what matters. To get things done and to solve customer problems, focus is needed. In this talk, we explain how to apply the concept of Securability, with a set of use cases to help guide how it complements software development. Using its simple construct, you can put security tools to work and demonstrate how your products have been developed with adversary resilience in mind.

02:15 - 02:45
A Fireside Chat - How to Detect and Mitigate Insider Attacks in the Light of SolarWinds?
Hosted by Chetan Conikee from ShiftLeft with guests Subbu Viswanathan from Vineti and Yonatan Ryabinski from Vanguard, the goal of the round-table discussion is to understand the risk of insider attacks, the risk of using vendor agents, how to assess for insider attacks, and how a developer mistake can be weaponized to become a backdoor.

02:45 - 03:15
Introducing - Prioritized Software Composition Analysis with the Power of Code Property Graph
Open source vulnerability prioritization is a hot market problem. Most open source security solutions report almost all CVEs in open source packages without answering a few important questions: Is that package loaded (or just declared)? Is the package being used actively in the app? And, most important, is the package containing the CVE reachable through a vulnerable flow that could be controlled by an attacker? Alok Shukla and Prabhu discuss this problem and demo an innovative offering from ShiftLeft that allows developers to focus on reachable CVEs in only the loaded/used packages.
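
The four questions in this abstract (declared, loaded, used, reachable) form a triage ladder. The following added example, which is not ShiftLeft's code or part of the original page, shows the idea on a toy call graph: a constructed manifest, import table, call graph and advisory list (placeholder advisory ids, hypothetical package and function names) are triaged by breadth-first search from attacker-controlled entry points, so each advisory ends up in one of five buckets.

```python
"""Toy reachability triage for open-source advisories (constructed example)."""
from collections import deque

# --- constructed sample input; every name below is hypothetical -------------
DECLARED = {"yamlkit", "imgtool", "fastcsv", "leftpadx"}      # from the manifest

# module -> packages it imports; a package that appears here is "loaded"
IMPORTS = {
    "app.web": {"yamlkit", "fastcsv"},
    "app.jobs": {"imgtool"},
}

# call graph: caller -> callees, functions qualified by package or module
CALLS = {
    "app.web.upload_handler": {"app.web.parse_config", "fastcsv.read"},
    "app.web.parse_config": {"yamlkit.load"},
    "app.web.health": set(),
    "app.jobs.nightly": {"imgtool.resize"},
    "fastcsv.read": {"fastcsv._tokenize"},
    "yamlkit.load": {"yamlkit._construct"},
}

# functions that receive attacker-controlled input (the HTTP handlers)
SOURCES = {"app.web.upload_handler", "app.web.health"}

# advisories: placeholder ids (not real CVEs), package, vulnerable function
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "yamlkit", "function": "yamlkit._construct"},
    {"id": "ADV-PLACEHOLDER-2", "package": "imgtool", "function": "imgtool.resize"},
    {"id": "ADV-PLACEHOLDER-3", "package": "fastcsv", "function": "fastcsv.write"},
    {"id": "ADV-PLACEHOLDER-4", "package": "leftpadx", "function": "leftpadx.pad"},
]


def loaded_packages(imports):
    """Packages imported by at least one application module."""
    return set().union(*imports.values()) if imports else set()


def used_functions(calls):
    """Functions that appear as a callee somewhere, i.e. are actually invoked."""
    return set().union(*calls.values()) if calls else set()


def shortest_path(calls, sources, target):
    """BFS from the attacker-controlled sources; returns the call path or None."""
    queue = deque((s, [s]) for s in sorted(sources))
    seen = set(sources)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for callee in sorted(calls.get(node, ())):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def triage(advisory, declared=DECLARED, imports=IMPORTS, calls=CALLS, sources=SOURCES):
    """Classify one advisory: not-declared, declared-only, loaded-unused,
    used-unreachable, or reachable (with the path from a source)."""
    pkg, fn = advisory["package"], advisory["function"]
    if pkg not in declared:
        return "not-declared", None
    if pkg not in loaded_packages(imports):
        return "declared-only", None          # in the manifest, never imported
    if fn not in used_functions(calls):
        return "loaded-unused", None          # imported, vulnerable function never called
    path = shortest_path(calls, sources, fn)
    if path is None:
        return "used-unreachable", None       # called, but not from attacker-controlled input
    return "reachable", path


def triage_all(advisories=ADVISORIES):
    """Triage every advisory; only 'reachable' ones need immediate attention."""
    return {a["id"]: triage(a) for a in advisories}


if __name__ == "__main__":
    for adv_id, (bucket, path) in triage_all().items():
        print(f"{adv_id}: {bucket}" + (f" via {' -> '.join(path)}" if path else ""))
```

Only the first advisory survives the ladder: its vulnerable function sits on a path from an HTTP handler, so it is the one to patch first. The second is invoked only from a scheduled job, the third names a function the app never calls, and the fourth is a manifest entry that nothing imports. A production SCA tool replaces the hand-written tables with a call graph derived from the code, but the classification logic is the same.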

03:15 - 03:45
Graph Databases for Code Analysis
Learn how graph databases compare to conventional relational databases as you model and query a given domain. We will progressively build up an example to find a code vulnerability and discuss how the same would be achieved with SQL. This talk offers a sneak peek behind the curtain of ShiftLeft's code analysis pipeline, as well as a glimpse into graph databases.


We can't wait to see you there!