$100 – $1,500

Loco Moco Security Conference

Event Information

Share this event

Date and Time



Kalapaki Beach Hotel | Kaua'i Marriott Resort

3610 Rice St

Lihue, HI 96766

View Map

Refund Policy

Refund Policy

No Refunds

Event description


Loco Moco Product Security Conference

For special hotel rates, visit https://book.passkey.com/event/49708229/owner/10862/home

Join us on the shores of Lihue on Kaua'i, Hawaii for a gathering of security professionals. The Loco Moco Security Conference is a product security conference where a security engineer can learn from others' experiences. You can expect highly educational content based on security best practices that will help manage, scale, and improve all security programs. You can also expect sun, waves, and the spirit of aloha.

Three Days, Single Track Presentations

We are big fans of the single track format. We are trying to tell a story of how to build a successful program and the single track format ensures that everyone had the same experience.

Two Days, Training Available Prior to Event

We're going to have some great training options available for those with less experience as well as classes to entice even the biggest know-it-alls. Conference passes are included when training is purchased.

Job Fair

Companies like Slack, Uber, Google, and more will be participating in a career fair immediately after the first half of Friday. Attendees will have the chance to recruit experienced and entry level candidates, many of whom will have just completed hands on workshops and the conference.

Collaborative Capture the Flag

Concurrently with the job fair, we will be having an open and non-competitive capture the flag event. This will involve challenges for those with no web experience to those with years of experience. There is no high score, esoteric challenges, or prize at the end but instead there is a chance to work together and share practical knowledge of real life examples. Apply what you have learned in a fun and friendly environment! Collaboration is encouraged and the answers are public. Working your way to an answer with less and less help is the goal.

Building Secure API's and Web Applications: Secure Coding with Aloha

Jim Manico

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences and BitDiscovery. Jim is also a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community and is the author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.

Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: Any laptop that can run an udpated web browser and "Burp Community Edition".


The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 2-day course provides essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks. This course will include secure coding information for Java, PHP, Python, Javascript and .NET programmers, but any software developer building web applications and webservices will benefit.
Day 1 of the course will focus on web application basics.

  • Introduction to Application Security
  • Introduction to Security Goals and Threats
  • HTTP Security Basics
  • CORS and HTML5 Considerations
  • XSS Defense
  • Content Security Policy
  • Intro to Angular.JS Security
  • Intro to React.JS Security
  • SQL and other Injection
  • Cross Site Request Forgery
  • File Upload and File IO Security
  • Deserialization Security
  • Input Validation Basics
  • OWASP Top Ten 2017

Day 2 of the course will focus on API secure coding, Identity and other advanced topics.

  • Webservice, Microservice and REST Security
  • Authentication and Session Management
  • Access Control Design
  • OAuth Security
  • OpenID Connect Security
  • HTTPS/TLS Best Practices
  • 3rd Party Library Security Management
  • Application Layer Intrusion Detection

We end day 2 with a competitive hacking lab. It's a very fun and informative way to end the course.

Defending Modern DevOps Environments: A Hands-on Approach: Kubernetes and Docker Demystified

Jimmy Mesta

Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side of the industry and is constantly working towards building modern, developer-friendly security solutions. Jimmy's core focus has been in application and cloud security with an emphasis on secure architecture, automated testing, developer training and defensive techniques.

Student Requirements: Familiarity with at least one public cloud provider is recommend- ed. Students should also have basic Docker knowledge and experience launching and managing basic cloud instances. Basic command line and scripting skills are highly recommended.

Laptop Requirements: Any laptop with at least 2GB of free ram available that can run Docker, Minikube, and Virtualbox.


The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust.

This technical 2-day course will focus on the ins and outs of building a modern cloud infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

The hands-on portion of the course will rely heavily on Kubernetes for the deployment and orchestration of Docker containers. Each student will build a sandbox Kubernetes cluster from scratch using Google Container Engine (GKE) or locally using Minikube.

At the completion of this course, students will have an operational, version controlled, deployment pipeline capable of shipping a container to a Kubernetes cluster while performing a number of automated security checks along the way.

Some of the principals and techniques covered in this course include:

  • DevSecOps Principles
  • Kubernetes and Docker Security Controls
  • Third-Party Security Considerations
  • Identity and Access Management Secure Deployment Pipelines
  • Security Automation
  • Infrastructure as Code
  • Scaling Security Operations
  • Data Security and Encryption
  • Logging, Monitoring, and Alerting

  • Adam Baldwin

    Adam Baldwin

    npm VP of Security
  • Ryan O' Boyle

    Ryan O' Boyle

    Veracode Manager, Product Security
  • Nikki Brandt

    Nikki Brandt

    Slack Product Security Engineer
  • Leif Dreizler

    Leif Dreizler

    Segment Application Security Engineer
  • Daniel Fett

    Daniel Fett

    yes.com Security Research
  • Matthew Finifter

    Matthew Finifter

    Uber Security Engineer
  • CG Christine Gadsby

    Christine Gadsby

    BlackBerry Head of Product Security Operations
  • Lexi Galantino

    Lexi Galantino

    GitHub Community & Safety Engineer
  • Jeremiah Grossman

    Jeremiah Grossman

    Bitdiscovery CEO
  • Tanya Janca

    Tanya Janca

    Microsoft Senior Cloud Security Advocate
  • Terian Koscik

    Terian Koscik

    GitHub Software Engineer
  • Krzysztof Kotowicz

    Krzysztof Kotowicz

    Google Information Security Engineer
  • Jake Kouns

    Jake Kouns

    Risk Based Security CISO
  • Matt Langlois

    Matt Langlois

    GitHub Product Security Engineer
  • David Lindner

    David Lindner

    Contrast Security Director, Application Security
  • Jorge Lopez

    Jorge Lopez

    Microsoft Principal Security PM Manager
  • Jim Manico

    Jim Manico

    Manicode Security Secure Coding Educator
  • Bob Martin

    Bob Martin

    MITRE Sr. Secure SW & Technology Principal Engineer
  • Neil Matatall

    Neil Matatall

    GitHub Product Security Engineer
  • Jimmy Mesta

    Jimmy Mesta

    Manicode Security CTO
  • Katie Moussouris

    Katie Moussouris

    Luta Security CEO
  • DN David Nalley

    David Nalley

    BlackBerry Open Source Guy
  • Tony Ngo

    Tony Ngo

    Uber Security Engineer
  • PO Pieter Ockers

    Pieter Ockers

    Adobe PSIRT Manager
  • Ron Perris

    Ron Perris

  • Debosmit (Debo) Ray

    Debosmit (Debo) Ray

    Uber Software Engineer
  • Philippe De Ryck

    Philippe De Ryck

    Pragmatic Web Security Founder
  • Michael Scovetta

    Michael Scovetta

    Microsoft Principal Security PM Manager
  • Michele Spagnuolo

    Michele Spagnuolo

    Google Senior Information Security Engineer
  • MW Mike Webber

    Mike Webber

    BlackBerry CISO
  • Lukas Weichselbaum

    Lukas Weichselbaum

    Google Senior Information Security Engineer
  • James Wicket

    James Wicket

    Signal Sciences Head of Research
  • Fikrie Yunaz

    Fikrie Yunaz

    Slack Product Security Engineer

Share with friends

Date and Time


Kalapaki Beach Hotel | Kaua'i Marriott Resort

3610 Rice St

Lihue, HI 96766

View Map

Refund Policy

No Refunds

Save This Event

Event Saved