LINEUP (* speakers time subject to change)
Day 01 - May 20, 2019
Do your Pipelines remember? They must if you want to go fast with static analysis - Jimmy Rabon
All static analysis tools produce false positives and often require developer context to determine exploitability of a security risk. Automating a static scan is usually straightforward but building automation workflows around SAST findings require that your Pipelines become smarter over time. Optimizing the data provided by SAST tools is an often overlooked aspect to integrating SAST tooling into the CI / CD pipeline but it is required to be successful. Come learn best practices for successful SAST integration and about how machine learning can help us predict the future, based on our past.
Automating DAST in the DevOps Pipeline - Rana Khali
Web application vulnerability scanners are automated dynamic application security testing (DAST) tools that are used to crawl a web application to look for vulnerabilities. In this session, we’ll present a step by step guide on how to integrate the OWASP Zed Attack Proxy (ZAP) scanner with the Jenkins pipeline. We’ll also look at the limitations of automating the entire security testing process and the dangerous false sense of security this gives an organization.
Hacker Tools for Developers and Testers. (Adding security tests into the pipeline) - Jahmel Harris
There are so many awesome hacker tools for hackers out there - things like nmap, nessus and even zap proxy. They work great if you're a pen tester but trying to use these tools in a way that makes sense for development and testing teams can be challenging. In this session, we'll look at how we can use Frida, a tool used by pen testers, to add in security test cases into our Android applications so they are run as part of the CI/CD pipeline.
Integrated Security Testing - Morgan Roman
Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface of your application. Many companies already have integration tests that snake their way deep into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests. We will repurpose Selenium integration tests into security tests to search for common web application flaws such as XSS and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
Understanding the Most Common Secure Coding Standards in Use Today - Arthur Hicken
Roundtable Ask Us Anything About Security - Dr. Jared DeMott
Challenges in implementing and sustaining DevSecOps environment - Hasan Yasar
How to define DevSecOps is a highly-contested topic. Despite what some will lead you to believe, DevOps is not just a set of tools. Nor is it merely a focus on achieving continuous integration, continuous delivery, or continuous deployment. Business values drive DevOps development. Without a DevSecOps mindset, organizations often find their operations, development, and security testing teams working toward a short-sighted incentive while creating their infrastructures, test suites, or product increments. In this talk I will explain DevSecOps, the common misconceptions and roadblocks, and how you can use DevSecOps to help your organization reach new heights of efficiency and productivity without getting frustrated.
Day 02 - May 21, 2019
Test your WAF and make it your friend! - Franziska Buehler
Very often, people are afraid of web application firewalls (WAF) because they can potentially block an application's legitimate
traffic. This can lead to problems in the production, which, admittedly, are really annoying! However, WAFs are a very useful additional layer of defense when it comes to defending attacks, such as those described by the "OWASP Top Ten".
Switching from QE to Product Security - Dwayne Thomas
Switching Software development team membership to cyber security in less time than it takes for a baby to start blinking. How might one enter the most in-demand field in less time than it takes for a baby to start blinking AKA the third trimester of pregnancy? The trick, of course, is that a little extra time between jobs didn't hurt for interviewing. This presentation only hints at recommendations and is not prescriptive. It willingly suggests that other parts of life keep happening. Other smoke and mirrors are revealed in this talk but... quality time advocating high priority fixes, plowing bug bounty programs, presenting security topics for Toastmasters, searching job sites, informational interviews, meet-ups, and obtaining a CISSP certificate all helped for a just in a time career change.
Cloud Security and the Myths around it - Vandana Verma
Threat Modeling @ Scale: Moving From the DevOps Pipeline to the Risk Driven Enterprise - Altaz Valani
Traditional Threat Modeling focuses on the determination of security risk in an application. Today, this view is too narrow and does not deliver continual risk-oriented views of an enterprise application portfolio. Instead, we need an automated vertical pipeline (a policy to execution pipeline) that addresses risk by taking policies as the input and delivering DevOps operating procedures as the output.
Roundtable Ask Us Anything About Security - Dawid Bałut
How to win over that elusive Developer - Adhiran Thirmal
Discover the key to implementing a successful application security testing program is having buy-in from your developers, DevOps and architects.
Why Guild Conferences?
EXPERTS FROM AROUND THE WORLD
We've brought the best speakers in the world to bring you the knowledge you need to stay ahead of the curve in testing.
NO EXPENSIVE AIRLINE TICKETS OR HOTEL ROOMS
You need to keep learning. One of the most rewarding ways to do this is by attending conferences. Unfortunately, sometimes it's difficult to make it to a conference due to travel costs, the price of the conference ticket, or your ability to take time off. Save yourself heaps of time by not having to travel to a conference and try to be able to fit it into your busy schedule.
LIFETIME VIEWING ACCESS - WATCH AT YOUR OWN PACE
At traditional conferences many times you end up missing a session you really wanted to attend. Or you forgot something that the presenter mentioned. Watch each session as many times as you like! So you will be able to listen to the talks at your own pace.
Get the support you need before, during and after the conference in our private Guild slack channel!
Not only do you get top-notch sessions but is all at a super low price. It's a no-brainer and the most cost-effective way to stay up to date with the latest in testing and automation.
THE GUILD GUARANTEE
The price of this conference is a steal considering the amount of awesomeness you’ll be getting.
We guarantee that you will discover a tip, tool, technique or best practice that will help your testing efforts or your career.
If after viewing all the sessions and the live Q&A you can honestly tell me within 60-days that you received zero value from the Guild we’ll refund your money.
What other conference offers an actual guarantee?
That’s how awesome we think Guild Conferences are.
But don’t take our word for it.
Listen to what past Guild members have to say: