Loading…
or to bookmark your favorites and sync them to your phone or calendar.
strong>All Levels [clear filter]
arrow_back View All Dates
Friday, November 15
 

10:00am IST

Understanding Digital Governance
Friday November 15, 2024 10:00am - 10:45am IST
Speakers
avatar for Shivangi Nadkarni

Shivangi Nadkarni

CEO | Co-Founder, Arrka
CEO Co-Founder @ Arrka | Data Privacy, AI Governance, Digital Trust | IAPP Advisory Board Member | Speaker at IAPP Conferences | TEDx Speaker| Author | Jury Member | Event Advisory Boards Member
Friday November 15, 2024 10:00am - 10:45am IST

10:45am IST

The Dark Side of AI: Exploring Adversarial Threats
Friday November 15, 2024 10:45am - 11:30am IST
 As artificial intelligence (AI) becomes an integral part of our digital landscape, the looming threat of adversarial attacks casts a shadow over its immense potential. This presentation takes a technical deep dive into the evolving landscape of AI security and the relentless tactics employed by adversaries to exploit vulnerabilities. Attendees will gain insights into the various attacker strategies including OWASP LLM TOP 10, and security flaws in LLM frameworks that are exploitable. Moreover, there will be demos of adversarial AI attacks on POC applications. Demos covered include the Fast Gradient Sign Method (FGSM), Prompt injection to Code execution, Poisoning Training Data, Model Serialization Attacks, and SQL injection in LLM applications. The session aims to equip attendees with a comprehensive understanding of the adversarial tactics prevalent in AI security and empower them to guard against the shadows that threaten AI systems.
                                   
    
Speakers
avatar for Alex Devassy

Alex Devassy

AppViewX
Friday November 15, 2024 10:45am - 11:30am IST

1:15pm IST

Shift-left Security with Open Policy Agent(OPA) controls
Friday November 15, 2024 1:15pm - 2:00pm IST
  As organizations adopt Infrastructure-as-Code (IaC) practices, ensuring compliance and enforcing best practices across multiple Terraform configurations becomes a critical challenge. Open Policy Agent (OPA) provides a powerful solution by enabling policy-as-code, decoupling decision-making from policy enforcement. In this session, we will explore how to leverage OPA policies to define guardrails for Terraform runs, preventing or enforcing specific actions based on predetermined rules. We will demonstrate how to group these policies in a Version Control System (VCS) like GitHub and enforce them using GitHub Actions workflows. Attendees will learn how to write OPA policies tailored to their organization's requirements, integrate them with Terraform, and automate policy evaluation using GitHub Actions.
                                   
    
Speakers
avatar for Anshu Bathla

Anshu Bathla

Lead Consultant - Security, AWS
Friday November 15, 2024 1:15pm - 2:00pm IST

2:00pm IST

Zero Day Apocalypse: The Rising Cyber Threat Landscape
Friday November 15, 2024 2:00pm - 2:45pm IST
Imagine a hidden flaw in the application software that hackers can exploit before anyone even knows it exists. These are called zero-day vulnerabilities, and they're becoming a bigger problem. Hackers are finding these flaws faster than ever before, and when they use them to attack, the damage can be huge.
Think about the times you've heard about big companies getting hacked. Many of these attacks use zero-day vulnerabilities. Hackers can steal personal information, disrupt businesses, and even cause financial losses. It's like a ticking time bomb in your application.
To protect ourselves from these dangers, we need to be smarter about how we use and maintain our application software. This means regularly checking for updates, writing code carefully, and having a plan in place to deal with attacks when they happen.
In short, the threat of zero-day vulnerabilities is real and growing. By being proactive and taking the right steps, we can reduce our risk and keep our digital world safe.
                                   

Speakers
avatar for Somen Das

Somen Das

Technology Head, Attack Surface Management, TCS
Technology Head, Attack Surface Management @ TCS
Friday November 15, 2024 2:00pm - 2:45pm IST

3:30pm IST

Building Secure AI Systems: A Comprehensive Approach to AI Security
Friday November 15, 2024 3:30pm - 4:15pm IST
 AI security is emerging and it necessary for organization and AI practitioners to incorporate secure way of developing and adopting AI systems. This means at each stage of SDLC there needs to controls and best practices to be followed specific to AI apart from traditional application security practices (Secure SDLC).
SDLC Stage vs AI Security Controls:
Design - Risk Assessments / Threat Modelling AI systems Development - Asset Inventory / tracking , protect sensitive data and supply chain security
Deployment - Secure MLOps, Incident Management, AI Security assessments, Secure Infrastructure
Operate and Maintain - Secure Logging and Monitoring, Patch management.
References and Resources will be shared.
By the end of this talk, the audience will have a clear understanding of how to approach AI security and will be equipped to develop guidelines that ensure the security of AI systems throughout their lifecycle.
                                   
    
Speakers
avatar for Gowtham Sundar

Gowtham Sundar

Head - AppSec, SPH Media
Friday November 15, 2024 3:30pm - 4:15pm IST

4:15pm IST

Maturing Your Application Security Program
Friday November 15, 2024 4:15pm - 5:00pm IST
                                                After working with over 300 companies on their application security programs the most common question I receive is “what’s next?”. They want to know how to mature their programs, and when they look at the maturity models available, they find them intimidating and so far beyond their current maturity level that they feel impossible. In this talk I will take you through 3 common AppSec program maturity levels I have encountered over the years, with practical and actionable next steps you could take immediately to improve your security posture.
                   Outline:
• Intro to myself, the format of this talk, and how I conducted this research (by working with over 300 companies over 5 years of working with IANs research. Meeting with 1-5 companies per week). All of the companies are considered enterprise, so this talk will focus on enterprise, not SMB.
• Explain to the audience, gently, that the current maturity models available (OWASP SAMM, BSIMM and NIST) scare the pants off of most clients, and seem utterly impossible. It’s not that the maturity frameworks are bad, it’s that they are too “pie in the sky” compared to where more organizations currently are. I *WISH* our industry could be at that level. We are not.
• Model 1: we just PenTest the important app(s) once a year, little to no governance
                   This is, unfortunately, extremely common. Even in 2024 I am working with enterprises that have ZERO AppSec programs, starting from scratch. That said, we all need to start somewhere, and if they are meeting with me (or another AppSec consultant) then they are serious!
                   Often no formal SDLC at all
Often very mixed tech stack
Often code is located in several places, everyone doing their own thing Why this model is bad: it’s quite expensive for what you are getting
                   (pentesting as your only AppSec is $$$$), terrible coverage, developers do not feel supported, there’s no opportunity for them to learn, etc.
                   How to mature this model, *realistic* next steps:
                   Secure Coding training, followed up with quarterly lunch and learn style events to teach them about whatever the most pressing issue is for the AppSec team (lesson on a common vulnerability, incident issues, whatever)
                   If little-to-no-budget:
                   use a free tool like Zap or Burp for DAST (in a sandbox), and Semgrep OSS
                   try to identify one or more devs who might be willing to do some security work, and assign the tools to them
                   Get a secure coding guideline and try to get the developers to follow it, even a super basic one
                   Create a list of security requirements for all new web app and API projects, try to get projects to use it
                   Try to get all your code into the same place, set SAST against your code repo, try not to cry after your first scan
                   Talk to head of developers about plans for IT modernization, you all want a real SDLC, you all want project management, you all want centralization
                                                             
       
                                                and standardization.
Threat model your super important app(s) then socialize the results with
                   the developers. So they understand the threats to your org and your mission. This will raise awareness a lot.
                   Share information on past incidents, if appropriate, so the devs understand where you are coming from
                   Scan your codebase for secrets, rotate them and start checking them in somewhere that is not your code base
                   Put a WAF in front of any app that is *terrible*
                   You still PenTest the important apps, but now sometimes you pass the tests.
                   If budget, add this:
hire a full time AppSec person as #1 step - best possible spend
buy a paid second generation SAST (no one will tolerate tons of false
                   positives at this point), still use free/almost-free DAST
• Model 2: SAST + DAST and perhaps one other tool, some governance
                   This is the most common AppSec program I see at Enterprises.
                   They pay a lot of money for 2-3 tools, and have partially rolled them out. They send lots of bug reports, few things get fixed. “Why won’t the developers just fix things?”
                   Little-to-no documentation, little-to-no interaction with developer teams, may have done a failed champs program
                   There is an AppSec program with 1 or 2 people, but it’s not consistent or well directed, always responding to fires
                   Why this model is bad: coverage is bad. Not much is fixed. We’re not here to find lots of vulns and make reports, we are here to reduce organizational risk, and these programs usually make only a tiny dent. They also tend to cause friction.
                   How to mature this model, *realistic* next steps:
Do all the stuff from the previous Maturity model.
You will likely need additional AppSec resources for this, ensure they are
                   not all just PenTesters who used to be sysadmins, you need to have at least one resource with lots of coding experience in their background that understands the developer brain and processes
                   Assess whether your tools are working for you and your devs. If you’ve had your SAST and DAST for 2+ years and they are not adopted or completely rolled out, WHY NOT? Likely you have the wrong toolset. Time to upgrade/modernize
                   Ideally you would have tooling that looks at your running apps (and APIs), your written code, and third party code. This can be anywhere from 2 tools to 5, depending on how thorough you want to be. Focus on getting as many true positives as possible, and try to add as much auto-triage as you can, so you show developers the lowest possible number of things to fix. Examples: validate your secret findings, only show reachable third party code vulns, use AI to tr
Speakers
avatar for Tanya Janca

Tanya Janca

Head of Community and Education, SEMGREP
Friday November 15, 2024 4:15pm - 5:00pm IST

5:00pm IST

The Role of CISOs in Shaping the Future of Digital Trust
Friday November 15, 2024 5:00pm - 5:30pm IST
Speakers
avatar for Sunil Varkey

Sunil Varkey

CISO
Over 27 years of leadership experience specialized in Information Cyber Security with large corporates in Banking, Telecom, ITES, software and Manufacturing in Middle East, US & India.
Friday November 15, 2024 5:00pm - 5:30pm IST