MusicCityCon 2019

June 13, 2019 • Tech Hill Commons
MusicCityCon is Nashville's new product security conference for everyone. Join us for our inaugural year, as we bring together information and product security experts, practitioners, students, and enthusiasts to learn from one another and deepen our understanding of the security challenges facing all of us.

Speakers

Peter Kim

Security Architect/Partner
Chronos Global
Peter Kim has been in the information security industry for the last 15 years. During this time he was a penetration tester/red teamer for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and the Federal Reserve. He has given back to the security community by teaching penetration testing courses at the community college and creating and maintaining one of the largest security communities in the Southern CA area (LETHAL). He is the best-selling author of three offensive security books, The Hacker Playbook 1, 2 & 3. He has also spoken and taught training courses at multiple security conferences and community events.

Phillip Maddux

Principal Application Security Researcher & Advisor
Signal Sciences
Phillip Maddux, former head of application security at Goldman Sachs, is a Trusted AppSec Advisor at Signal Sciences. He has over 10 years of experience in information security, with the majority of that time focused on application security in the financial services sector. In his spare moments he enjoys converting ideas to code and committing them to GitHub.

Hayley Denbraver

Developer Advocate
Snyk
Hayley Denbraver is a Developer Advocate at Snyk. Her focus is on encouraging security education and the adoption of better security practices within developer communities. She has spoken at a number of Python community events, both within the US and internationally, and is branching out into other language communities. In a previous chapter of her life, Hayley worked as a licensed Civil Engineer.

Joel Tomassini

Senior Principal Security Engineer
SAASSY
Presenting with Casey Rosini. This duo has been involved in security together for almost ten years with their roots starting in mobile security research and malware analysis. Over the years the two have been instrumental in their positions with building and maturing security research, penetration testing, and red team programs. They are founding members of their company's Strategic Advanced Application & Software Security Product Analysis Nebulus Tactical Security (SAASSY PANTS) Division, as well as co-founders of the local OWASP Chapter,

Casey Rosini

Principal Security Engineer
SAASSY
Presenting with Joel Tomassini. This duo has been involved in security together for almost ten years with their roots starting in mobile security research and malware analysis. Over the years the two have been instrumental in their positions with building and maturing security research, penetration testing, and red team programs. They are founding members of their company's Strategic Advanced Application & Software Security Product Analysis Nebulus Tactical Security (SAASSY PANTS) Division, as well as co-founders of the local OWASP Chapter,

Dr. Amy Harris

Associate Professor
Middle Tennessee State University
Dr. Amy Harris is an associate professor of information systems and analytics in the Jennings A. Jones College of Business at Middle Tennessee State University. There, she teaches undergraduate and graduate courses in business intelligence and analytics. In partnership with the Nashville Technology Council, she established the "Middle Tennessee Tech" research program in 2018 to provide industry, economic development, and academic audiences with data on the current state of the local technology workforce.
Dr. Harris is passionate about tech workforce development, as well as diversity and inclusion. She is active in the Nashville tech community, serving on the steering committee for the Nashville Analytics Summit, as a board member for Women in Technology Tennessee, and as a member of the Nashville Technology Council’s diversity committee. She was the 2019 recipient of the NTC's "Champion of the Year" award.

Brian Lucy

CISO
CKE Restaurants Inc.
Brian Lucy is the CISO for CKE Restaurants Inc. In this role, Brian is accountable for the global security of CKE corporate as well as its 3000+ restaurants. Brian has close to 20 years of IT experience in a variety of industries including healthcare, retail, financial services and Big 4 advisory. This includes a diverse background in Information Security, Risk Management, Technology Operations and Management Consulting. Brian volunteers on various boards including the business school of his alma mater and his kids' swim club. He enjoys spending time with his wife and 3 children who are active in swimming, soccer and wrestling. Brian holds a Bachelor of Science in Microbiology and a Master of Business Administration from Tennessee Technological University.

Susan Richards

HITRUST Compliance Program Director
Change Healthcare
Susan is the HITRUST Compliance Program Director for Change Healthcare, a healthcare technology company that offers software, analytics, network solutions and technology-enabled services to inspire a better healthcare system. She recently completed her Master of Information Technology (MSIT) at Lipscomb University. She is Treasurer of the Middle TN Information Systems Security Association (ISSA) chapter. Susan serves on the InfoSec Nashville conference planning committee, the Metro Nashville Information Security Advisory Board (ISAB) and the Vol State Community College CIT Advisory Council.

Matt Rose

Global Director Application Security Strategy
Checkmarx
Matt has over 18 years of software development, sales engineering management and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure software development life cycles utilizing static analysis. Matt’s extensive background in application security, object-oriented programming, multi-tier architecture design/implementation, and internet/intranet development has been key to many speaking engagements for organizations like OWASP, ISSA, and ISACA.

Brandon Evans

Senior Software Engineer
Asurion
Brandon is a Senior Software Engineer at Asurion. He works on their Tech Expert service, which offers personalized help, guidance and tips across all of the customer's connected devices. Brandon is also an Instructor at the Vanderbilt University Web Development Coding Bootcamp. Previously, Brandon was a developer for Smartvue Corporation, an Internet-of-Things video surveillance startup that has since been acquired by Johnson Controls.
Brandon has a Bachelor's Degree in Computer Science from Binghamton University, where he was also a competitive member of their debate team. Although primarily a software developer, he has served as a Security Maven for Asurion since early 2018, promoting best security practices to his teammates to improve the security posture of the company overall. Through the program, he has acquired the GSEC and GSSP-JAVA certifications, attended the 2019 AppSec California Conference, and won two Security Innovation Capture the Flag events. He is also a contributor to the OWASP Serverless Top 10 Project.

Jay Lagorio

Software Engineer/ Independent Security Researcher
Jay Lagorio, a software engineer and independent security researcher, has been building computers and networks and writing code nearly his entire life. He received a B.S. in Computer Science from UMBC in 2008 and an M. Eng. from the Naval Postgraduate School in 2015. With 10 years of experience in a variety of capabilities development and technical advisory positions, he works to bridge the gap between IT/security management and practitioners. Although he specializes in Windows development, his side projects currently include open source intelligence projects to find data left out in the open waiting to be discovered.

Jabez Abraham

Cloud Security Architect
Asurion
As a Cloud Security Architect working in the Enterprise Architecture team at Asurion, Jabez is passionate about cloud computing. He thrives on solving problems by leveraging native cloud services to build secure and supportable solutions. At Asurion, he helps define the strategies, roadmaps and solutions that embrace the value of the public cloud while ensuring the protection of Asurion infrastructure, applications and data for Cloud Native, Hybrid and inter-cloud deployments. He has spent an extensive amount of time working through the various aspects of adoption while embracing a #Cloudbydefault approach. Jabez also leads organizational transformation in the Cloud and Security domains, specifically in AWS.

Dr. Daniel Fabbri

Founder & CEO
Maize Analytics
Daniel Fabbri, Ph.D., is the Founder and CEO of Maize Analytics, as well as an Assistant Professor of Biomedical Informatics and Computer Science at Vanderbilt University. His research focuses on machine learning applied to electronic medical records, clinical data, and data privacy. Dr. Fabbri's research has been sponsored by the National Science Foundation, National Institutes of Health and U.S. Department of Defense. His research on machine learning in healthcare and data privacy has been published in JAMA Internal Medicine, the Journal of the American Medical Informatics Association, Journal of Pediatrics, International Journal of Medical Informatics, and multiple other computer science proceedings.

Dr. Paul McNeil

Founder
MB Usable Security
Dr. Paul McNeil is a cybersecurity and marketing analytics researcher. He is the founder of MB Usable Security, a company focused on developing usable cybersecurity solutions. Dr. McNeil has a PhD in Computer and Information Systems Engineering from Tennessee State University, where his research focused on mobile cybersecurity. He also holds an MS in Computer Science from Vanderbilt University, where human-computer interaction was his main focus.

Jeremy Young

Principal Software Engineer
Asurion
I'm a meteorologist turned DevOps and Security nerd. Open source software is a passion of mine as is automating everything I can to help provide security and operational value to products I help support. I'm a happy and grateful husband and father of two children, graduate of the University of Kentucky and Western Kentucky University and love living in such a booming area of the country.

Rene Kolga

Sr. Director of Product
Nyotron
Rene Kolga, CISSP, has over 15 years of cybersecurity experience in the areas of endpoint protection, insider threat, encryption and vulnerability management. He worked for both Fortune 500 companies and Silicon Valley startups, including Symantec, Citrix, Altiris, ThinAir and Nyotron. Rene earned his Computer Science degree from Tallinn University of Technology. He frequently speaks on security topics at industry conferences like Black Hat, InfoSecurity and (ISC)2 Security Congress.

Don Baham

President
Kraft Technology Group, LLC
KTG offers a wide range of services, including technology strategic planning, virtual CIO services, network engineering, hardware and software selection and installation, ongoing network support, managed services, IT function outsourcing, and cloud solutions. Within his role, Don is responsible for delivering IT strategic planning and virtual CIO services, the development of client relationships, bringing new solutions to the market, and leading the strategic direction of KTG.

Don has more than 17 years of experience in information technology with a blended background in technology consulting and architecture, information security and business development.

Jon Stanford

Principal Software Engineer
Asurion
12 years writing code, both professionally and contributing to open source projects. Currently working on embedded Linux and evangelizing security during development.

Chris Rathermel

VP of Information Technology
Bridge Connector
Chris Rathermel joins Bridge Connector as Vice President of Information Technology in Nashville with rich experience designing, developing, and globally scaling IT solutions. He has worked for a diverse portfolio of industry sectors, with expertise in conflict resolution, getting to the “root cause,” and bettering lives with tech solutions.

Most recently, Chris served as AVP of Technology at Franklin-based Work Institute, which predicts workforce behaviors to help engage and retain talent within organizations. By pioneering integrations that combine workforce research, human capital analytics and financial metrics, he was able to improve the organization's security and policy practices, scaling the company internationally and enabling new business with leading defense contractors.

Chris co-founded Medarchon, where he created and patented the technology for a web and smartphone app-based system, Quarc, that improves the clinical paging process with a message prioritization and routing feature, and by driving faster response times — effectively chipping away at some of the communication breakdowns that plague the industry. Later iterations of the product have included integrations with EHRs, authentication and scheduling systems, where Chris's role was to ensure data security and functional scalability.

Previously, Chris worked for Kroll, Baker Tilly, and Charter Communications, where he produced solutions ranging from web-based applications that assess security risks, including HIPAA, to a new method of routing customer service phone representatives to supervisors, saving around $1 million per call center annually.

Known for his personal brand of mentoring developer teams, leading them to high performance and their organizations through substantial growth, Chris loves a good hackathon, and has also participated in an educational mentorship program for low-income students. He is a graduate of the University of Wisconsin with a B.A. in management information systems. When not at the office, he enjoys spending time with his wife and their new baby daughter, cheering on the Green Bay Packers, and relaxing anywhere he can around the water, including water-related sports.

Mark Geeslin

Sr Director of Application & Product Security
Asurion
Mark Geeslin is currently enterprise principal security engineer and senior director of application & product security at Asurion. Mark has been working in the software development and security industries for over 25 years in diverse environments ranging from high-tech security start-ups to Fortune 100 companies. Over the past decade he has directed AppSec programs for various leading technology firms in Silicon Valley. Besides his extensive experience as a software engineer, Mark's expertise includes all the usual AppSec suspects, such as penetration testing, threat modeling, software security analysis, and security automation. Most recently, Mark has been spending a good deal of time with his friends at SAASSY, transforming the cultures of large corporations into those that enthusiastically embrace and profit from the philosophy, principles, and practices of DevSecOps. Mark has degrees in computer science and theology, and holds numerous security industry certifications.

Sponsors

  • Asurion – Presenting Sponsor
  • Checkmarx – Session Sponsor
  • Snyk – Session Sponsor
  • Infoblox – Happy Hour Sponsor
  • Rapid7 – Happy Hour Sponsor
  • Chronos Global – Keynote Sponsor
  • Security Innovation – CTF Sponsor
  • L3 FORCEX – Platinum Sponsor
  • Mobile Mentor – Platinum Sponsor
  • Optiv – Platinum Sponsor
  • WhiteHat – Platinum Sponsor

Schedule (13 June)

Registration & Breakfast

08:00 AM – 09:00 AM, All Rooms

Opening Remarks

09:00 AM – 09:15 AM, Cyber Range Event Center

Keynote: Seeing Red in a Blue Team Mindset

09:15 AM – 10:10 AM, Cyber Range Event Center

You buy all the latest security products, regularly run vulnerability scanners, hire pen testers and meet compliance... but you still get hacked!? What are some ways to change our traditional mindset on defensive security and stop focusing only on reactive response? This talk will go into detail about how to build a Red Team program, the benefits we've seen, simulations we've run, capturing metrics, and what we find to be effective. Our focus is now changing from the number of vulnerabilities reported to how quickly organizations can detect and stop evil.

Break

10:10 AM – 10:30 AM, All Rooms

Red Team: Exploring Persistence Thru Unsuspected Carriers

10:30 AM – 11:20 AM, Cyber Range Event Center

Imagine ... an abundance of applications ready to be installed on a fleet of new employee systems. Or ... the executive who needs the latest software delivered with a personal, no-risk-of-failing touch. It can be a daunting task whether done manually or with automation; in any case that software needs to be installed somehow, sooner rather than later. In this talk we will discuss how an attacker can maintain access to a company's infrastructure by modifying frequently used and trusted components, and additionally explore different scenarios in which this attack can be propagated through the network undetected.

Vendor Management in the Era of Big Data and Machine Learning

10:30 AM – 10:50 AM, Dell Learning Center

The digitization of information and push for interoperability has enabled unprecedented data sharing. The ability for users to analyze broad batches of data has improved many areas of business and saved companies countless hours of work. This shift has allowed businesses to turn to vendors with expertise in areas like billing, population health, marketing, etc. to analyze their data sets and perform tasks that they used to do manually. While there are many benefits from utilizing third-party vendors, there are additional risks that come into play when businesses outsource data to these vendors that are normally not discussed in the setup process. It's important for businesses to understand what these risks are and how to manage them.
When it comes to outsourcing data to third-party vendors, the risks of how data is stored and where are key issues that need to be discussed. Data mixing, machine learning model mixing, and data repurposing are all threats that face businesses when they send out their data. Understanding what exactly these threats mean, and what issues they present, can help companies better understand data sharing, and therefore ask the right questions to protect their data while utilizing third-party vendors. Listeners will learn about these various risks, and how to properly manage them to ensure a continual data governance process. Whether a student, enthusiast or expert, understanding these threats is beneficial to an overall understanding of data sharing processes.

Security by Persuasion: How to Use Debate Tactics to Enhance Your Company's Security Posture

11:00 AM – 11:20 AM, Dell Learning Center

In software development, there is always a balance between functionality and security. As anyone in the field knows, the only perfectly secure system is one that contains no sensitive data, is off the network, and is powered down. For the benefit of our customers and shareholders, technology companies must balance these goals.

This can feel like a Herculean task due to the different priorities and values of team members. Technologists view product managers and salespeople as renegades who are willing to jeopardize everything just to deliver a fancy new feature on time. On the other side, engineers are oftentimes viewed as impractical and naïve curmudgeons who care more about saying "no" than actually moving the needle. How can these differences be reconciled?

The truth is that we are really not so different. Regardless of how a person juggles quality, security, and agility, everyone wants to deliver value for our customers and shareholders in a responsible way. If our high-level incentives appear not to be aligned, we have a communication problem, not an ideological one.

This presentation will demonstrate how subtle changes in how engineers communicate their concerns can drastically increase the persuasiveness of their message. Topics will include incentive alignment, language accessibility, building credibility, and being a team player without compromising your ideals.

At times, it is tempting to dismiss the other side as simply being wrong and unwilling to listen. Unfortunately, without influence, change is impossible. The more extreme a position a person takes, the more they alienate those around them, even those who generally agree with them. By simply using a softer touch, it is possible to improve the security posture of an organization while finding allies across the aisle.

Break

11:20 AM – 11:30 AM, All Rooms

Stranger Danger

11:30 AM – 12:20 PM, Cyber Range Event Center

Open source modules are undoubtedly awesome. However, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. The wrong package can introduce severe vulnerabilities into your application, exposing your application and your users' data. This talk will use a sample application, Goof, which pulls in various vulnerable dependencies that we will exploit as an attacker would. For each issue, we'll explain why it happened, show its impact, and – most importantly – see how to avoid or fix it.

The Life of a 0-Day

11:30 AM – 11:50 AM, Dell Learning Center

We've all heard stories about advanced nation-states leveraging zero-days to exploit a previously unknown security vulnerability. Perhaps the most infamous example is Stuxnet (with its four zero-days), which went undetected for an estimated five years prior to being discovered. However, that does not mean the ability to develop exploits for zero-day vulnerabilities is reserved only for well-financed state-sponsored actors.

We will cover the definition of zero-days, their types (including immortal, quasi-alive, etc.), the cost of developing or buying zero-day exploits, and their lifetime. What is the life expectancy of zero-day exploits and their underlying vulnerabilities? You are in for a surprise (or two)!

Finally, we will embark on a discussion of whether the government should stockpile zero-days or disclose them as soon as they are discovered. This talk leverages data from the first large-scale study of zero-days.

Learning objectives:
  • Understand definitions of zero-day vulnerabilities and exploits as well as their different types.
  • Learn the average lifetime of zero-days from discovery and exploit creation to public disclosure.
  • Explore the question of zero-day stockpiling by governments based on the research data.

Graphical Authentication: The Other White Meat

12:00 PM – 12:20 PM, Dell Learning Center

This talk discusses the benefits and practicality of graphical authentication in cybersecurity. This matters because many organizations struggle with developing a culture of safe password management. 81% of company data breaches are due to poor passwords. These breaches can sometimes put a company out of business. Graphical passwords make it easier for end users to remember unique passwords. Listeners will benefit from gaining a general understanding of graphical authentication, its pros and cons, and some additional resources on the topic.

Lunch Service

12:20 PM – 12:50 PM, Cyber Range Event Center

Information Security in Middle Tennessee: Report Release and Panel Discussion

12:50 PM – 01:50 PM, Cyber Range Event Center

The "Middle Tennessee Tech" research program started in 2018 to provide our community with data on the current state of the local technology workforce. In recognition that information security is an important aspect of the local tech landscape, we (the NTC and MTSU) decided to produce a report that focuses on the current demand for information security talent as part of that program.

This session will present the results of that report, providing a status update on the state of the information security workforce in Middle Tennessee. The report presentation will be followed by a panel discussion with industry leaders engaging with the report's findings.

Break

01:50 PM – 02:00 PM, All Rooms

How to Put the Sec in DevOps

02:00 PM – 02:50 PM, Cyber Range Event Center

Automation and DevOps have changed the way organizations deliver products. The shift towards DevOps has made it clear that companies are adopting this organizational model in order to facilitate a practice of automated software deployment. While the traditional idea of a “software release” dissolves into a continuous cycle of service and delivery improvements, organizations find that their traditional application security solutions have a hard time adapting to the new process, and security becomes an inhibitor to the whole process.
In this session, you’ll learn how different organizations adopted security into their DevOps processes. What obstacles need to be addressed when introducing AppSec to DevOps and when should Sec be added to DevOps?
Join us to:
  • Discover which obstacles should be expected and how to overcome them
  • Understand what functionality is key to enable real automation of your AppSec program
  • Explore the benefits of having security as part of your DevOps automation (what’s in it for me?)

Building Secure Serverless Architectures

02:00 PM – 02:20 PM, Dell Learning Center

With the maturity of the public cloud platforms, the possibility of provisioning a nearly unlimited amount of capacity is lucrative. Enterprises are either evaluating, moving to, or in full adoption of the cloud using various well-known or lesser-known vendors. With this disruptive shift in computing comes a deeply coupled challenge: enabling users to reach the full potential of the usability and feature-rich aspects of the cloud (managed services, micro-services, independent scaling, etc.) against the security requirements of compliance and internal security teams, many of which are tailored to on-premises installations. With this also comes the underlying risk of reduced visibility and the need to adapt to changing cloud trends, reduced time to market, failing fast, etc. There is no explicit privacy in a shared cloud infrastructure; with the rise of ransomware and scares such as Meltdown and S3 bucket leakage, organizations cannot afford to tread lightly in this space. With serverless, there is even more ambiguity about how each service interacts with itself or with external services such as IaaS and PaaS, and how teams can make sure they mitigate risks such as MITM and replay attacks. This talk will focus on a broad range of topics including the OWASP Top 10, secure code reviews, WAF, IP filtering, JWT tokens within micro-services, session management, encryption at rest and field-level encryption.

Listeners will learn the technical aspects of the various serverless patterns and the potential threats in each pattern, and gain an awareness of how migrating to a serverless architecture challenges traditional security thinking and how to navigate around it.

Testing for privilege escalation, persistence and exploitation opportunities in the cloud

02:30 PM – 02:50 PM, Dell Learning Center

Shifting security left in the delivery pipeline is an ongoing struggle for many enterprises. At Asurion we want to empower independent, product-focused development teams to live out the "two-pizza team" mentality. That necessarily includes ensuring a compliant platform and testing for security issues. It's all too easy in today's world to misconfigure a cloud resource and be vulnerable to information or data leakage, or worse, exploitation of a resource that was never intended to be made public. I want to share a solution we're working on at Asurion to add a tool to the toolboxes of our teams. DevOps practices like infrastructure as code and CI/CD aren't new. Adding security validations early in the delivery cycle helps ensure that as little as possible makes it to production in a risky state. Want to know if you're doing something risky like storing secrets in user data or your environment? What about whether your IAM policy is loose enough to be used as a pivot point for further attacks? Check for these things early if you can!

Finding Valuable Needles in Global Source Code Haystacks with Automation

03:00 PM – 03:50 PM, Cyber Range Event Center

In this talk we'll take a look at how OSINTers can automate having cool things brought to us. I will define "cool things," describe data sources for those cool things, and show you how you too can Craal the web in your sleep and wake up to great results to sift through. The automated search capabilities of online developer tools are powerful, and through that power we will put those tools to work in ways not originally envisioned by their creators. Our targets are Pastebin, GitHub, and Buckets, with some help along the way from lesser-known services to increase our effectiveness.

You'll come away with the knowledge you need to lazily let the search engines of the web work for you through automation while still finding fantastic data for your random responsible disclosures or targeted bug bounties. Neither the stickiest Pastes, the hubbiest Gits, nor the sealist Buckets will be safe from you, and the rest of us will be better for it. After describing the capabilities available to you, I will tell you what you can do to keep yourself safe from this technique. If your data is already exposed in the ways described, I'll walk you through what to do to clean up the mess.

Living off the land: Naked and Afraid edition, your tool bash builtins

03:00 PM – 03:20 PM, Dell Learning Center

Pop a box only to find out it's an embedded device with no binaries. What can we do if the only tools available are bash's builtins? Can we still perform recon?

We will explore the limitations and available resources on minimalistic boxes. This talk engages both hackers who may one day obtain a network foothold on an IoT device and developers of embedded devices with limited resources.

How to Build DevSecOps Right the First Time

03:30 PM – 03:50 PM, Dell Learning Center

“Hope” is not a strategy or a solution when it comes to building DevSecOps. IT security veteran and Bridge Connector VP of IT, Chris Rathermel, explains how to take advantage of the tools and processes that currently exist to ensure you are building solid DevSecOps processes and systems correctly on the first approach. Learn how to employ proactive strategies and testing that can save your organization time and money in the long run.

Break

03:50 PM – 04:10 PM, All Rooms

Keynote: Application Security for the Modern Web

04:10 PM – 05:00 PM, Cyber Range Event Center

Closing Remarks

05:00 PM – 05:30 PM, Cyber Range Event Center

Happy Hour, Presented by Rapid7

05:30 PM – 06:30 PM, Cyber Range Event Center