Loading…
This event has ended. Create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, September 19
 

8:00am

Project Summit and Project Reviews USA 2017

Join our our deep dive discussion on the following OWASP Projects ranging from Incubator to flagship projects. We welcome students and contributors to jump right in and work live with project leaders. Project Reviews will also be conducted throughout the Two Day Session of the Project Summit.

Current OWASP Projects Signed Up:

  1. Presenting on 9/19 @ 1:00 pm (45 min) CISO Application Security Guide and Survey Project

  2. Presenting on 9/20 OWASP Core Rule Set Project

  3. Presenting on 9/20 @ 3:00 pm  - OWASP Virtual Village Project Resource

  4. Presenting on 9/20 @ 10:00 AM  - OWASP DefectDojo Project

  5. OWASP ZAP Project

  6. CSRF Protector

  7. OWASP ESAPI Project

  8. OWASP Automated Threats Project


Current OWASP Project Reviews Scheduled:

  1. OWASP Security Knowledge Framework Project

  2. OWASP Security Mobile Testing Guide Project

  3. OWASP Lab/Incubator Projects Deep Dive Health Checks


We would like your feedback and offer a unique opportunity to discuss hot topics.

Currently on the list of topics: (Open to more hot topics)

  • Resources for Projects

  • Reimbursement Form & Process

  • Discourse

  • Kickstarter Pilot Program


Please use our contact us form with any questions or concerns. Contacts at OWASP Foundation: Matt Tesauro and Claudia Aviles Casanovas will be onsite as well.


 


Tuesday September 19, 2017 8:00am - 5:00pm
Coronado Q&R

8:00am

Registration
Tuesday September 19, 2017 8:00am - 5:30pm
North Registration

9:00am

Hands On Hardened Web Service Development using ASP.NET (1 of 2 days)

Class Summary: This hands on, two (2) day class will help students learn how to write hardened ASP.NET based web services. Day one (1) will start off with the very basics of C# and Visual studio and slowly progress through a variety of topics as they pertain to web service hardening. On day two (2), students will dive into standard web service security, and end with trainees writing their own secure service for a fictional project. Individuals who meet the requirements and write a working hardened web service, are entered into a prize drawing.

 

Syllabus:

1. Day One (1) –Fundamentals

a. Visual Studio – Quick Rundown

i. IDE Basics

ii. C# Hello World

b. Basics of Object Oriented Programming

c. Useful 3rd Party Libraries

i. JSON.NET (Newtonsoft.Json)

ii. PushSharp

iii. BouncyCastle

d. Basic Web Service writing

i. Bindings

ii. Database design (quick tutorial)

iii. SOAP Services

iv. RESTful Services

e. Basic Service Security

i. Response Encapsulation

ii. Input validation and Sanitizing

iii. XXE, SQLi, and ‘XSS’ mitigation

f. Transport Security

i. SSL

ii. Binding Parameters

g. Message Security

i. Credential Types

ii. Encryption

iii. Certificates

2. Day Two (2) – Intermediate Service Security

a. Replay Attacks

b. Cross Site Request Forgery

c. WS-Security (SOAP Services)

d. Signature Based Security (RESTful Services)

e. Performance and usability vs Security

f. Afternoon Hardened Web Service Development

 

Experience: This would be the first class I’ve taught on a national scale. I’ve taught people individually on both coding, and penetration testing. I served as an adjunct teacher while in High School and in College.

 



Speakers
avatar for Kelly Correll

Kelly Correll

Security Consultant, NTT Security
I work as a security consultant in NTT Security's Threat Services group. As part of my duties, I perform penetration assessments and social engineering assessments. I also own my own business developing business applications using ASP.NET based technologies. | | When I'm... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Fiesta 10

9:00am

Hands-on Security in DevOps and Application Security Automation Workshop (1 of 2 days)

After immensely successful workshops in the Bay Area, Bangalore, AppSecEU 2017 and record, sold-out workshop at the OWASP AppSecUSA 2016 in Washington D.C., we bring to you a new avatar of the Hands-on Security in DevOps workshop, this time, with some focused content on Application Security Automation.  

 

Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything. Rapid Code Changes, Rapid Deployments and Rapid Delivery. In addition, you have embraced Agile Development Methodologies that stress on iterative product development and flexibility to changing environments. There is one major problem in this entire chain, and that is Application Security.

 

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

 

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In this workshop you will receive powerful hands on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop with coverage on the following, but not limited to:

 

¥ Static Application Security Testing - Integrated with Continuous Integration Services

¥ Rolling out Custom SAST – using Abstract Syntax Trees and Regular Expressions

¥ Customized Security Automation Scripting Framework with Continuous Integration

¥ Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites

¥ Performing Automated, Authenticated and Parameterized Vulnerability Assessments against Web Apps and Web Services by hacking tools like ZAP and w3af

¥ Automation Scripting for Application Security Vulnerability Scanners – OWASP ZAP Custom Scripts – Active Scanning, HTTPSender, Proxy Scripts, with an introduction to Zest Scrits. MITMproxy Inline Scripting

¥ An Introduction to Behavior Driven Security Testing

¥ Parameterized Security Testing for Web Services using the OpenAPI Specification

¥ Security in Configuration management and Continuous Deployment

¥ Security Practices and Considerations for Docker Deployments

¥ Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts – using Ansible

¥ Practical Threat Modeling in an Agile and DevOps world

 

 



Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of the we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Acapulco

9:00am

Mobile App Attack (1 of 2 days)

 

This full-fledged hands-on training will get the attendees familiar with the various Android as well as iOS application analysis techniques and bypassing the existing security models in both the platforms.

 

The main objective of this training is to provide a proper guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks.

 

The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.

 

This training will mainly focus on the following :

 

> Arm basics and Android native code.

> Reverse engineer Dex code for security analysis.

> Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.

> Runtime analysis of the apps by active debugging.

> Modifying parts of the code, where any part can be specified as some functions, classes and to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn, Reverse Engineering an application, get its executable binaries , modify these binaries accordingly, resign the application.

> Runtime modification of code. Objective is to learn how the programs/codes can be changed or modified at runtime. we will learn how to perform introspection or overriding the default behavior of the methods during runtime and then we will learn how to identify if the methods have been changed). For iOS we can make use of tool Cycript, snoop-it etc.

> Hooking an application and learn to perform program/code modification.

> By the end of workshop, based on the course content CTF challenges written by the trainer will be launched, where the attendees will use their skills learnt in the workshop to solve the CTF challenges. The workshop will begin with a quick understanding on the architecture, file system,permissions and security model of both iOS and Android platform.

 

NOTE:

The tools and techniques used in the workshop are all open source and no special proprietary tools need to be purchased by the attendees for analysis post the training. Some of the tools taught in the training will be helpful in analysis and automating test cases for security testing of the mobile apps:

 

Drozer

Introspy

Apktool

Dex2jar

Cycript

JD-Gui

SSL Trust killer


Speakers
avatar for Sneha Rajguru

Sneha Rajguru

Payatu Software Labs LLP, Payatu Software Labs LLP
India


Tuesday September 19, 2017 9:00am - 5:00pm
Fiesta 7

9:00am

Open Source Defensive Security (1 of 2 days)

Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated for professionals who need close the gaps in Linux, Web application & Open Source Security knowledge. Very detailed and up to date course content with focus especially on defensive approach gives you the best opportunity for making stronger defensive layers inside your network infrastructures or/and Linux-based products. Delivering a real world scenarios in our Open Source Defensive Security hands-on labs provide a very practical knowledge you need for expand your Linux Security skills.

This is an extremely deep dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do and that details bring the differences - from offensive and defensive approach. That's how we see it works. Our high-tech workshop has a unique formula “protection vs attack”. This means that most of the security issues we are talking about will be effectively protected by the use of a suitable approach, sophisticated software and dedicated secure configuration. We focus on delivering a defensive content, but we understand that for being good in defense you have to also be good in offense. That way we are providing a kind of knowledge-mix in those fields using Open Source software. Except basic Linux skills and TCP/IP knowledge, most of the lab exercises required of candidate at least basic understanding of what attacker techniques are. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."

The workshop has prepared the following examples of laboratory scenarios:
● Web Application Security vs OWASP Top 10 attack techniques and others
● Grsecurity/PAX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from the last past years (PERF_EVENTS, ptrace/sysret, memppodiper, semtex, sendpage, chroot() escape, dirty_cow, others)
● Seccomp/capabilities/namespaces vs exploits
● SELinux vs exploits (Redis Command Execution, Venom, Apache)
● Volatility vs rootkits
● Secure SSH relays and importance of low level privileges rule
● System users accountability, including root
● Linux Domain Controller
● Using sysdig/SystemTAP for detecting deviations in the behavior of daemons and services ● Network packet filtering including TOR, ipsets, IP reputation, port knocking
● Network honeypots vs scanning tools and obstruction of the process of enumeration
● PCAP analysis and Deep Packet Inspection vs malware
● Sandboxing for malware detection and deep analysis (cuckoo, yara) and others

Target:
● Linux administrators & System Architects
● IT Security professionals
● Penetration testers
● IT Security consultants and Open Source specialists

Thanks to this training you will:
● learn techniques to protect your Linux systems against attacks used by modern attackers
● find out how you can protect Linux servers and web applications against real attacks
● learn how to use dozens of solutions and security tools for offensive and defensive scope
● configure several advanced solutions to reduce the success of the attack or minimize the risk of the use of vulnerability

True values:
● real life, 100% pure lab-oriented defensive security scenarios
● minimum theory, maximum hands-on
● a lot of cumulated knowledge in one place
● created by enthusiasts and professionals for professionals with enthusiasm

Agenda:

1. Threats are everywhere - introduction to technical Open Source Defensive Security program.

2. Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues:
● Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others
● Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie
●HTTPS – how to achieve status A+?:
○ Attacks:
■ Heartbleed
■ Breach
■ Drown
■ Beast
■ Poodle
■ MiTM: sslstrip
○ Mutual SSL
● Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS
● Cookies: Secure, Httponly, Domain, Path, Same_site, Clear Site Data Feature Policy, First-party cookies
● HTTP header anomalies Virtual patching
● Full HTTP auditing
● LUA/OpenResty support
● Sensor approach - OWASP Appsensor
● Web application security using Modsecurity - creating dedicated WAF rules against:
■ *Injections
■ Null bytes
■ Path/directory traversal
■ LFI/RFI->Command Execution
■ Cross Site Scripting (XSS)
■ Cross Site Request Forgery (CSRF)
■ HTTP Parameter Pollution (HPP)
■ Open Redirect
■ Insecure Direct Object Reference vs HMAC
■ Forceful Browsing
■ CSWSH - Cross Site Websocket Hijacking
■ Session Security
■ Brute force
■ Slow DOS
■ GEO restrictions
■ Error handling
■ Leakage detection
■ Secure file upload
■ Secure logout / forgot password form
■ Web honeypots
■ Bot/scan protection
■ AV protection
■ PHP Security
■ Tomcat Security
■ Tools:
● Sqlmap, sqlninja
● Xsser
● Dominator
● Skipfish
● ZAP / Burp
● Wafdetect
● Joomscan, wpscan
● Dirbuster, dirb
● Nikto
● JSDetox
● Brakeman
● And others

3. Hardened Linux vs exploits/rootkits:
● Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
● Grsecurity / PAX
● SELinux / Multi Category Security / sVirt
● Apparmor, Tomoyo, Smack, RSBAC
● GCC hardening: SSP, NX, PIE, RELRO, ASLR vs attacks
● Linux Containers - Docker/LXC
● LKM-off / YAMA / enforcing
● Linux capabilities vs SUID and others
● System call restriction - seccomp
● Integrity checking - IMA/EVM
● Package mgmt security
● Debuggers and profilers - gdb/strace/ldd/Valgring/Yara
● Chroot/jail/pivot_root
● Behavioral analysis - systemtap / LTTng / sysdig
● Memory forensics - Volatility vs malware
● PAM / 2FA
● System update vs reboot
● *privchecks

4. Network security:
● Vulnerability scanning:
● Nmap NSE
● Seccubus
● OpenVAS
● Metasploit
● Linux Domain Controller - IdM/HBAC/SUDO
● SFTP/SCP - Secure SSH Relay
● Restricted shells/commands
● SSH tips and tricks
● Public Key Infrastructure – SSL/TLS
● NFS Security
● Database Security
● DNS Security
● Mail Security
● DOS / scanning / brute-force protection techniques
● Advanced network firewall: iptables/nftables/ebtables
● System honeypots
● Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay
● Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
     ○ Metasploit,
     ○ PtH,
     ○ Heartbleed,
     ○ shellshock and others
● Security by obscurity

5. System Auditing, integrating & accounting:
● *syslog
● Auditd
● OSSEC / Samhain / aide
● SIEM: Splunk/ELK/OSSIM/osquery

6. Summary: offense vs defense


Speakers
avatar for Leszek Mis

Leszek Mis

VP of Cyber Security / IT Security Architect, Collective Sense / Defensive Security
Leszek Miś has over 12 years of experience in IT security technology supporting the largest companies and institutions for implementation, consulting and technical training. Next to that, he has 8 years of experience in teaching and transferring a technical knowledge and experie... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Fiesta 8

9:00am

Practical DevOps Security and Exploitation (1 of 2 days)

Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class has been created as a result of our many pentest engagement experiences where we have exploited vulnerabilities in the various systems supporting CI/CD during DevOps transition of an organisation. The class covers hands-on techniques to both exploit as well as defend various systems that support the target CI/CD Architecture.

This class takes practitioner's approach in breaking, exploiting and securing systems owned by DevOps teams, thus enabling them to move towards DevSecOps. Some of the topics that we will cover are Exploiting Various tools from the CI/CD landscape like Jenkins, Git, Multiple Cloud instances, practical security issues in Docker instances and setting up your DevSecOps architecture.

This training covers different CI/CD tools with pentesters perspective and hence each tool will be covered as below:

  • Code Versioning Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting the product features
    • Finding existing exploits or implementation loopholes
    • Identifying historically stored sensitive information
    • Hardening and Securing Guidelines
  • Orchestration Tools (Ansible, Saltstack etc.)
    • Exploiting the access rights and configuration mistakes
    • Use of Orchestration tools to mass deploy the exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise the orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and Vulnerability Assessment
    • Risk involved with Plugins
    • Exploiting most common configuration mistakes
    • Breaking the boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain.
    • Guidelines to avoid security issues with integration of various CI/CD tools
  • Container Platform (Docker, Kubernetes etc.)
    • Pentesting and Vulnerability Assessment
    • Exploiting most common configuration mistakes
    • Guidelines with respect to microservices to avoid bloating containers with superuser access rights
  • Security in Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management Portals
    • Planning right network architecture with use of VPC and VPN
    • Securing instances by running only the required services
    • Configuring instances at the boot time to remove unwanted softwares or upgrade to stable software versions with no known vulnerabilities.
    • Using access tokens and Cloud API’s to regularly rotate keys/passwords.

This is an action packed class with over 20+ labs covering a number of attacks, vulnerabilities and exploitation tactics.

Deliverables:

  • Lab handouts with readymade scripts for use
  • Printed commands cheatsheet
  • VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs

After the training, attendees would be able to:

  • Identifying vulnerabilities in the implementation of the CI/CD instances.
  • Find and craft publicly available exploits to compromise the CI instance
  • Address configuration related vulnerabilities
  • Abuse Jenkins script console   
  • Create an attack surface map of the entire architecture
  • Implement usage of password vaults.
  • Write build jobs which can enable privileged access to the target system and steal sensitive values
  • Abuse Git history and fix/preventing the problems using git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform docker breakouts  
  • Audit different tools used in CI/CD chain
  • Guidelines for centralized authentication and authorization
  • Design secure cloud architectures

Minimum Requirements:

  • Laptop with Windows/Linux/MacOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space.
  • Modern CPU 2.2GHz or more with Virtualization support
  • Wifi Enabled for network access
  • 1 USB 2.0 port
  • Capability to run VirtualBox/VmWare virtual machines
  • Administrative rights on the laptop to install required software packages.

 

 


Speakers
avatar for Amol Bhure

Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, Log analysis and monitoring, and Mobile and Web Application Exploitation. | He is al... Read More →
avatar for Suraj Biyani

Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with Integration of various tools. For last couple of years have been working at multiple small startups and established organisations to setup different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Cancun

9:00am

Practical Hands-on Internet of Things Hacking - 2017 Edition (1 of 2 days)

Practical Hands-on Internet of Things Hacking is an updated version of our previous year class ran at OWASP AppSec US. We received some great feedback with our class, and decided to take it a step further and redesign the course from the ground up and include tons of new material including medical utilities, smart locks, smart home systems, newer radio protocols, advanced exploitation techniques, new exercises on BLE and lots more

 

Practical Hands-on Internet of Things Exploitation is the course for you in case you would like to perform real-world pentest on IoT and smart devices. This “new version” of the course takes a practitioner approach, focusing on how to deal with the IoT devices in a real-world scenario, and not just from a research perspective.

 

Some of the things that we will perform (in an extremely hands-on nature) in this training are:

 

[+] Attacking IoT devices through hardware and embedded exploitation techniques

[+] Firmware reversing, emulation and binary exploitation

[+] Hands-on labs on serial interfaces - UART, SPI and I2C

[+] JTAG debugging, exploitation and advanced techniques for extracting data

[+] Sniffing BLE, Zigbee and other radio communications

[+] Writing own GNURadio processing blocks to decode radio information

[+] Taking over smart home systems

[+] Remote and Local Exploitation for IoT devices

[+] Attacking a smart home and smart enterprise network

And much more.

 

Want to learn how to attack an IoT infrastructure or individual devices? You will walk out of the 2-day class having learnt new skills which you could immediately apply in your job/research roles. Come join the course and experience the fast-paced, action-packed IoT Exploitation class.

 

Note: There is an additional $200 fee for the IoT hacking kit - which includes Attify Badges and custom vulnerable IoT device prepared by us, and an author signed copy of the IoT Hackers Handbook, and additional utilities for other IoT exploitation techniques.



Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Fiesta 9

9:00am

Whiteboard Hacking aka Hands-on Threat Modeling (1 of 2 days)

Toreon proposes a 2 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops with real live Use Cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:

• A hotel booking web and mobile application, sharing the same REST backend

• An Internet of Things (IoT) deployment with an on premise gateway and secure update service

• An HR services OAuth scenario for mobile and web applications

 

This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book: Threat Modeling, designing for security by Adam Shostack (2014, Wiley)

 

This training is delivered successfully at OWASP Europe 2016 and is selected for OWASP Europe 2017 and Blackhat USA 2017. More details and the outline of the training are available in the attached syllabus.

 



Speakers
avatar for Steven Wierckx

Steven Wierckx

Consultant, Toreon
Steven Wierckx is application security expert and training at Toreon.com. He is also the project leader for the OWASP threat model project. Steven is a software and security Tester with 15 years of experience in programming, training, security testing, source code review, test au... Read More →


Tuesday September 19, 2017 9:00am - 5:00pm
Baja

10:00am

Developer Summit - Morning Session
We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.

There is NO charge to attend the Developer Summit, so come join us!

We do ask that you SIGN UP so we have an estimated headcount to be sure we have enough space and food.

Half Day Morning Session
Date: Tuesday, September 19, 2017
Time: 10am-1pm
Location: Coronado N&P

Presenter: Robert Hurlbut

Using OWASP Threat Dragon for Threat Modeling

OWASP Threat Dragon is a new OWASP project that introduces a threat modeling tool that is portable (able to be used on the web in various platforms), integrates well with build process, and is a great tool to introduce to developers and teams. This developer hands-on session will focus on introducing the Threat Dragon tool, best ways to use the tool in a day-to-day developer environment, and making it part of the CI implementation (including integration with Jenkins, etc.).

What will be discussed?

  • OWASP Threat Dragon, Threat Modeling

What will attendees learn from attending this session?

  • Using the the OWASP Threat Dragon tool to help with Threat Modeling diagrams and maintenance.

Items attendees are required to bring with them

  • Laptop, GitHub profile

About Robert:
Robert Hurlbut is an independent software security consultant and trainer based in Enfield, CT. Robert is a Microsoft MVP for Developer Technologies and Security and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in software security, software architecture, and software development. You can follow Robert on his blog at https://roberthurlbut.com/blog and on Twitter at https://twitter.com/roberthurlbut.com and each week as a co-host of the Application Security Podcast at https://www.appsecpodcast.org.

Speakers
avatar for Robert Hurlbut

Robert Hurlbut

President, Robert Hurlbut Consulting Services
Robert Hurlbut is an independent software security consultant and trainer with 30 years of industry experience in secure coding, software architecture, and software development. He speaks at user groups, national and international conferences, and provides training for many clien... Read More →


Tuesday September 19, 2017 10:00am - 1:00pm
Coronado N&P

2:00pm

Developer Summit - Afternoon Session
We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.

There is NO charge to attend the Developer Summit, so come join us!

We do ask that you SIGN UP so we have an estimated headcount to be sure we have enough space and food.

Half Day Afternoon Session
Date: Tuesday, September 19, 2017
Time: 2pm-5pm
Location: Coronado N&P

Presenters: Nicole Becher and Tanya Janca

Hacking APIs and Web Services with OWASP DevSlop & PIXI!

Modern applications often use APIs and other micro services to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project, a collection of DevOps security disasters made as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presenting for participant's hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of it's vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.

What will be discussed?

  • API and Web Service Hacking & OWASP Project DevSlop

What will attendees learn from attending this session?

  • How to hack APIs and web services

Items attendees are required to bring with them

  • A laptop with a web proxy and modern web browser. Admin Priv on your machine.


Tuesday September 19, 2017 2:00pm - 5:00pm
Coronado N&P

6:00pm

OWASP Board Meeting
https://www.owasp.org/index.php/September_19,_2017

Tuesday September 19, 2017 6:00pm - 8:00pm
Monterrey 2
 
Wednesday, September 20
 

8:00am

Registration
Wednesday September 20, 2017 8:00am - 7:00pm
North Registration

9:00am

Advanced SQL Injection Exploitation (1-day)

SQL Injection (SQLi) vulnerabilities are the most common injection flaws found in web applications today, ranking number one in the OWASP Top 10 most critical web application security risks. When an attacker is able to find and exploit such a vulnerability, the end result is often disastrous: complete database download, application backdoor created or even remote code execution. Suffice to say that penetration testers need to find these vulnerabilities before the bad guys do.

 

But vulnerability scanners and automated exploitation tools like sqlmap can only do so much when it comes to finding and exploiting SQLi vulnerabilities. While they do a good job for regular or error-based SQLi vulnerabilities, their success rate lowers drastically when blind SQLi is encountered, especially when time-based attacks are required. And if you need to be quiet on the network, most tools are just insanely noisy…

 

This course is designed to help penetration testers who have been using these tools to get to the next level, where finding and exploiting SQLi is no longer easy. When only a browser and notepad are available to you or when being quiet is critical, you will be glad you know this stuff.

 

1) SQL crash course for hackers

 

2) Error-based SQL Injection

- Bypassing login (demo)

- UNION exploitation techniques (exercise)

 

3) Blind SQL Injection

- Splitting and Balancing

- Boolean exploitation techniques (exercise)

- Time-based exploitation techniques (exercise)

 

4) Using tools

- Exploiting error-based and blind SQLi using sqlmap (exercise)

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado E

9:00am

AppSec Fundamentals (1 of 1 day)

The Application Security Fundamentals is an in-depth, one-day course that teaches the foundational principles of application and product security. This course is aimed at beginners or those new to application security. In class exercises are included throughout the day to generate interaction and discussion amongst students. The course is modular, and covers application security vocabulary, attacks and attackers, data breaches, business myths, the threat Landscape, software supply chain, security culture and mindset, managing security resources, soft skills, secure development lifecycle, privacy, product incident response, and trusted knowledge sources. 

 


Speakers
avatar for Chris Romeo

Chris Romeo

CEO, Security Journey
Chris Romeo is CEO and co-founder of Security Journey. His passion is to bring security culture change to all organizations. Chris is first and foremost a security culture hacker, designing security training programs and building internal security community. He was the Chief Secu... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado G

9:00am

Defensive Application Security Program (1 of 1 day)

Developing the Defensive Application Security Program

Creating your Websites and Web Applications inventory

Defining proper Software Security controls by Application Risk

Quick Test and Quick Wins with OWASP ZAP

Selecting and using proper Static Analysis tools

Finding insecure libraries using OWASP Dependency Check

Virtual Patching of legacy applications with Mod_Security

Applying Secure-Headers automatically

Detecting malicious behavior with OWASP AppSensor

Developing and presenting the Security Dashboard

 

The intended audience is very broad from developers to managers, beginners to advanced users.

 

The length is one-day.

The students will receive the class syllabus and book.

 

This course is a summarized version of a six-month class taught in 3 courses of our University.

 

The trainer is a PhD student in Cyber-Security and professor at IFC (Catarinense Federal Institute), (ISC)2's Certified Secure Software Lifecycle Professional (CSSLP),

ISSECO® Certified Professional for Secure Software Engineering (CPSSE), ISO/IEC 27002 Foundation Certified,

ISEB/ISTQB Certified Professional e ITIL F.

Worked as Security Consultant and implementing OWASP best practices for securing software in companies like DELL, EDS (HP) and Elavon/US Bank.

Published articles at international conferences and presented at OWASP AppSec Latam, FLISOL and RoadSec between others.



Speakers
avatar for Rafael Brinhosa

Rafael Brinhosa

Professor, Catarinense Federal Institute
Rafael is a PhD student in Cyber-Security and professor at IFC (Catarinense Federal Institute), (ISC)2's Certified Secure Software Lifecycle Professional (CSSLP), ISSECO® Certified Professional for Secure Software Engineering (CPSSE), ISO/IEC 27002 Foundation Certified, ISEB/IST... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado F

9:00am

Hands On Hardened Web Service Development using ASP.NET (1 of 2 days)

Class Summary: This hands on, two (2) day class will help students learn how to write hardened ASP.NET based web services. Day one (1) will start off with the very basics of C# and Visual studio and slowly progress through a variety of topics as they pertain to web service hardening. On day two (2), students will dive into standard web service security, and end with trainees writing their own secure service for a fictional project. Individuals who meet the requirements and write a working hardened web service, are entered into a prize drawing.

 

Syllabus:

1. Day One (1) –Fundamentals

a. Visual Studio – Quick Rundown

i. IDE Basics

ii. C# Hello World

b. Basics of Object Oriented Programming

c. Useful 3rd Party Libraries

i. JSON.NET (Newtonsoft.Json)

ii. PushSharp

iii. BouncyCastle

d. Basic Web Service writing

i. Bindings

ii. Database design (quick tutorial)

iii. SOAP Services

iv. RESTful Services

e. Basic Service Security

i. Response Encapsulation

ii. Input validation and Sanitizing

iii. XXE, SQLi, and ‘XSS’ mitigation

f. Transport Security

i. SSL

ii. Binding Parameters

g. Message Security

i. Credential Types

ii. Encryption

iii. Certificates

2. Day Two (2) – Intermediate Service Security

a. Replay Attacks

b. Cross Site Request Forgery

c. WS-Security (SOAP Services)

d. Signature Based Security (RESTful Services)

e. Performance and usability vs Security

f. Afternoon Hardened Web Service Development

 

Experience: This would be the first class I’ve taught on a national scale. I’ve taught people individually on both coding, and penetration testing. I served as an adjunct teacher while in High School and in College.



Speakers
avatar for Kelly Correll

Kelly Correll

Security Consultant, NTT Security
I work as a security consultant in NTT Security's Threat Services group. As part of my duties, I perform penetration assessments and social engineering assessments. I also own my own business developing business applications using ASP.NET based technologies. | | When I'm... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Fiesta 10

9:00am

Hands-on Security in DevOps and Application Security Automation Workshop (2 of 2 days)

After immensely successful workshops in the Bay Area, Bangalore, AppSecEU 2017 and record, sold-out workshop at the OWASP AppSecUSA 2016 in Washington D.C., we bring to you a new avatar of the Hands-on Security in DevOps workshop, this time, with some focused content on Application Security Automation.  

 

Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything. Rapid Code Changes, Rapid Deployments and Rapid Delivery. In addition, you have embraced Agile Development Methodologies that stress on iterative product development and flexibility to changing environments. There is one major problem in this entire chain, and that is Application Security.

 

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

 

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In this workshop you will receive powerful hands on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop with coverage on the following, but not limited to:

 

¥ Static Application Security Testing - Integrated with Continuous Integration Services

¥ Rolling out Custom SAST – using Abstract Syntax Trees and Regular Expressions

¥ Customized Security Automation Scripting Framework with Continuous Integration

¥ Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites

¥ Performing Automated, Authenticated and Parameterized Vulnerability Assessments against Web Apps and Web Services by hacking tools like ZAP and w3af

¥ Automation Scripting for Application Security Vulnerability Scanners – OWASP ZAP Custom Scripts – Active Scanning, HTTPSender, Proxy Scripts, with an introduction to Zest Scrits. MITMproxy Inline Scripting

¥ An Introduction to Behavior Driven Security Testing

¥ Parameterized Security Testing for Web Services using the OpenAPI Specification

¥ Security in Configuration management and Continuous Deployment

¥ Security Practices and Considerations for Docker Deployments

¥ Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts – using Ansible

¥ Practical Threat Modeling in an Agile and DevOps world

 

 


Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of the we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Acapulco

9:00am

Mobile App Attack (2 of 2 days)

This full-fledged hands-on training will get the attendees familiar with the various Android as well as iOS application analysis techniques and bypassing the existing security models in both the platforms.

 

The main objective of this training is to provide a proper guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks.

 

The workshop will also include a CTF challenge designed by the trainer in the end where the attendees will use their skills learnt during the workshop to solve this challenge.

 

This training will mainly focus on the following :

 

> Arm basics and Android native code.

> Reverse engineer Dex code for security analysis.

> Jailbreaking/Rooting of the device and also various techniques to detect Jailbreak/Root.

> Runtime analysis of the apps by active debugging.

> Modifying parts of the code, where any part can be specified as some functions, classes and to perform this check or to identify the modification, we will learn how to find and calculate the checksum of the code. Our objective in this section will be to learn, Reverse Engineering an application, get its executable binaries , modify these binaries accordingly, resign the application.

> Runtime modification of code. Objective is to learn how the programs/codes can be changed or modified at runtime. we will learn how to perform introspection or overriding the default behavior of the methods during runtime and then we will learn how to identify if the methods have been changed). For iOS we can make use of tool Cycript, snoop-it etc.

> Hooking an application and learn to perform program/code modification.

> By the end of workshop, based on the course content CTF challenges written by the trainer will be launched, where the attendees will use their skills learnt in the workshop to solve the CTF challenges. The workshop will begin with a quick understanding on the architecture, file system,permissions and security model of both iOS and Android platform.

 

NOTE:

The tools and techniques used in the workshop are all open source and no special proprietary tools need to be purchased by the attendees for analysis post the training. Some of the tools taught in the training will be helpful in analysis and automating test cases for security testing of the mobile apps:

 

Drozer

Introspy

Apktool

Dex2jar

Cycript

JD-Gui

SSL Trust killer


Speakers
avatar for Sneha Rajguru

Sneha Rajguru

Payatu Software Labs LLP, Payatu Software Labs LLP
India


Wednesday September 20, 2017 9:00am - 5:00pm
Fiesta 7

9:00am

Open Source Defensive Security (2 of 2 days)
Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated for professionals who need close the gaps in Linux, Web application & Open Source Security knowledge. Very detailed and up to date course content with focus especially on defensive approach gives you the best opportunity for making stronger defensive layers inside your network infrastructures or/and Linux-based products. Delivering a real world scenarios in our Open Source Defensive Security hands-on labs provide a very practical knowledge you need for expand your Linux Security skills.

This is an extremely deep dive training on Open Source-based infrastructure security, Linux systems and network services hardening. We like details as attackers do and that details bring the differences - from offensive and defensive approach. That's how we see it works. Our high-tech workshop has a unique formula “protection vs attack”. This means that most of the security issues we are talking about will be effectively protected by the use of a suitable approach, sophisticated software and dedicated secure configuration. We focus on delivering a defensive content, but we understand that for being good in defense you have to also be good in offense. That way we are providing a kind of knowledge-mix in those fields using Open Source software. Except basic Linux skills and TCP/IP knowledge, most of the lab exercises required of candidate at least basic understanding of what attacker techniques are. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster." 

The workshop has prepared the following examples of laboratory scenarios: 
● Web Application Security vs OWASP Top 10 attack techniques and others 
● Grsecurity/PAX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from the last past years (PERF_EVENTS, ptrace/sysret, memppodiper, semtex, sendpage, chroot() escape, dirty_cow, others) 
● Seccomp/capabilities/namespaces vs exploits 
● SELinux vs exploits (Redis Command Execution, Venom, Apache) 
● Volatility vs rootkits 
● Secure SSH relays and importance of low level privileges rule 
● System users accountability, including root 
● Linux Domain Controller 
● Using sysdig/SystemTAP for detecting deviations in the behavior of daemons and services ● Network packet filtering including TOR, ipsets, IP reputation, port knocking 
● Network honeypots vs scanning tools and obstruction of the process of enumeration 
● PCAP analysis and Deep Packet Inspection vs malware 
● Sandboxing for malware detection and deep analysis (cuckoo, yara) and others 

Target: 
● Linux administrators & System Architects 
● IT Security professionals 
● Penetration testers 
● IT Security consultants and Open Source specialists 

Thanks to this training you will: 
● learn techniques to protect your Linux systems against attacks used by modern attackers 
● find out how you can protect Linux servers and web applications against real attacks 
● learn how to use dozens of solutions and security tools for offensive and defensive scope 
● configure several advanced solutions to reduce the success of the attack or minimize the risk of the use of vulnerability 

True values: 
● real life, 100% pure lab-oriented defensive security scenarios 
● minimum theory, maximum hands-on 
● a lot of cumulated knowledge in one place 
● created by enthusiasts and professionals for professionals with enthusiasm 

Agenda: 

1. Threats are everywhere - introduction to technical Open Source Defensive Security program. 

2. Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues: 
● Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others 
● Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie 
●HTTPS – how to achieve status A+?: 
○ Attacks: 
■ Heartbleed
■ Breach 
■ Drown 
■ Beast 
■ Poodle 
■ MiTM: sslstrip 
○ Mutual SSL 
● Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS 
● Cookies: Secure, Httponly, Domain, Path, Same_site, Clear Site Data Feature Policy, First-party cookies 
● HTTP header anomalies Virtual patching 
● Full HTTP auditing 
● LUA/OpenResty support 
● Sensor approach - OWASP Appsensor 
● Web application security using Modsecurity - creating dedicated WAF rules against: 
■ *Injections 
■ Null bytes 
■ Path/directory traversal 
■ LFI/RFI->Command Execution 
■ Cross Site Scripting (XSS)
■ Cross Site Request Forgery (CSRF) 
■ HTTP Parameter Pollution (HPP)
■ Open Redirect 
■ Insecure Direct Object Reference vs HMAC 
■ Forceful Browsing 
■ CSWSH - Cross Site Websocket Hijacking 
■ Session Security 
■ Brute force
■ Slow DOS 
■ GEO restrictions 
■ Error handling 
■ Leakage detection 
■ Secure file upload
■ Secure logout / forgot password form
■ Web honeypots 
■ Bot/scan protection 
■ AV protection 
■ PHP Security 
■ Tomcat Security 
■ Tools: 
● Sqlmap, sqlninja 
● Xsser 
● Dominator 
● Skipfish 
● ZAP / Burp 
● Wafdetect 
● Joomscan, wpscan 
● Dirbuster, dirb 
● Nikto 
● JSDetox 
● Brakeman 
● And others 

3. Hardened Linux vs exploits/rootkits: 
● Discretionary Access Control (DAC) vs Mandatory Access Control (MAC) 
● Grsecurity / PAX 
● SELinux / Multi Category Security / sVirt 
● Apparmor, Tomoyo, Smack, RSBAC 
● GCC hardening: SSP, NX, PIE, RELRO, ASLR vs attacks 
● Linux Containers - Docker/LXC 
● LKM-off / YAMA / enforcing 
● Linux capabilities vs SUID and others 
● System call restriction - seccomp 
● Integrity checking - IMA/EVM 
● Package mgmt security 
● Debuggers and profilers - gdb/strace/ldd/Valgring/Yara 
● Chroot/jail/pivot_root 
● Behavioral analysis - systemtap / LTTng / sysdig 
● Memory forensics - Volatility vs malware 
● PAM / 2FA 
● System update vs reboot 
● *privchecks 

4. Network security: 
● Vulnerability scanning: 
● Nmap NSE 
● Seccubus 
● OpenVAS 
● Metasploit 
● Linux Domain Controller - IdM/HBAC/SUDO 
● SFTP/SCP - Secure SSH Relay 
● Restricted shells/commands 
● SSH tips and tricks 
● Public Key Infrastructure – SSL/TLS 
● NFS Security 
● Database Security
● DNS Security 
● Mail Security 
● DOS / scanning / brute-force protection techniques 
● Advanced network firewall: iptables/nftables/ebtables 
● System honeypots 
● Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay 
● Suricata / Bro IDS / Snort / SELKS vs known malware and attacks: 
     ○ Metasploit, 
     ○ PtH, 
     ○ Heartbleed, 
     ○ shellshock and others 
● Security by obscurity 

5. System Auditing, integrating & accounting: 
● *syslog 
● Auditd 
● OSSEC / Samhain / aide 
● SIEM: Splunk/ELK/OSSIM/osquery 

6. Summary: offense vs defense

Speakers
avatar for Leszek Mis

Leszek Mis

VP of Cyber Security / IT Security Architect, Collective Sense / Defensive Security
Leszek Miś has over 12 years of experience in IT security technology supporting the largest companies and institutions for implementation, consulting and technical training. Next to that, he has 8 years of experience in teaching and transferring a technical knowledge and experie... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Fiesta 8

9:00am

Practical DevOps Security and Exploitation (2 of 2 days)

Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class has been created as a result of our many pentest engagement experiences where we have exploited vulnerabilities in the various systems supporting CI/CD during DevOps transition of an organisation. The class covers hands-on techniques to both exploit as well as defend various systems that support the target CI/CD Architecture.

This class takes practitioner's approach in breaking, exploiting and securing systems owned by DevOps teams, thus enabling them to move towards DevSecOps. Some of the topics that we will cover are Exploiting Various tools from the CI/CD landscape like Jenkins, Git, Multiple Cloud instances, practical security issues in Docker instances and setting up your DevSecOps architecture.

This training covers different CI/CD tools with pentesters perspective and hence each tool will be covered as below:

  • Code Versioning Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting the product features
    • Finding existing exploits or implementation loopholes
    • Identifying historically stored sensitive information
    • Hardening and Securing Guidelines
  • Orchestration Tools (Ansible, Saltstack etc.)
    • Exploiting the access rights and configuration mistakes
    • Use of Orchestration tools to mass deploy the exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise the orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and Vulnerability Assessment
    • Risk involved with Plugins
    • Exploiting most common configuration mistakes
    • Breaking the boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain.
    • Guidelines to avoid security issues with integration of various CI/CD tools
  • Container Platform (Docker, Kubernetes etc.)
    • Pentesting and Vulnerability Assessment
    • Exploiting most common configuration mistakes
    • Guidelines with respect to microservices to avoid bloating containers with superuser access rights
  • Security in Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management Portals
    • Planning right network architecture with use of VPC and VPN
    • Securing instances by running only the required services
    • Configuring instances at the boot time to remove unwanted softwares or upgrade to stable software versions with no known vulnerabilities.
    • Using access tokens and Cloud API’s to regularly rotate keys/passwords.

This is an action packed class with over 20+ labs covering a number of attacks, vulnerabilities and exploitation tactics.

Deliverables:

  • Lab handouts with readymade scripts for use
  • Printed commands cheatsheet
  • VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs

After the training, attendees would be able to:

  • Identifying vulnerabilities in the implementation of the CI/CD instances.
  • Find and craft publicly available exploits to compromise the CI instance
  • Address configuration related vulnerabilities
  • Abuse Jenkins script console   
  • Create an attack surface map of the entire architecture
  • Implement usage of password vaults.
  • Write build jobs which can enable privileged access to the target system and steal sensitive values
  • Abuse Git history and fix/preventing the problems using git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform docker breakouts  
  • Audit different tools used in CI/CD chain
  • Guidelines for centralized authentication and authorization
  • Design secure cloud architectures

Minimum Requirements:

  • Laptop with Windows/Linux/MacOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space.
  • Modern CPU 2.2GHz or more with Virtualization support
  • Wifi Enabled for network access
  • 1 USB 2.0 port
  • Capability to run VirtualBox/VmWare virtual machines
  • Administrative rights on the laptop to install required software packages.

 


Speakers
avatar for Amol Bhure

Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, Log analysis and monitoring, and Mobile and Web Application Exploitation. | He is al... Read More →
avatar for Suraj Biyani

Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with Integration of various tools. For last couple of years have been working at multiple small startups and established organisations to setup different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Cancun

9:00am

Practical Hands-on Internet of Things Hacking - 2017 Edition (2 of 2 days)

Practical Hands-on Internet of Things Hacking is an updated version of our previous year class ran at OWASP AppSec US. We received some great feedback with our class, and decided to take it a step further and redesign the course from the ground up and include tons of new material including medical utilities, smart locks, smart home systems, newer radio protocols, advanced exploitation techniques, new exercises on BLE and lots more

 

Practical Hands-on Internet of Things Exploitation is the course for you in case you would like to perform real-world pentest on IoT and smart devices. This “new version” of the course takes a practitioner approach, focusing on how to deal with the IoT devices in a real-world scenario, and not just from a research perspective.

 

Some of the things that we will perform (in an extremely hands-on nature) in this training are:

 

[+] Attacking IoT devices through hardware and embedded exploitation techniques

[+] Firmware reversing, emulation and binary exploitation

[+] Hands-on labs on serial interfaces - UART, SPI and I2C

[+] JTAG debugging, exploitation and advanced techniques for extracting data

[+] Sniffing BLE, Zigbee and other radio communications

[+] Writing own GNURadio processing blocks to decode radio information

[+] Taking over smart home systems

[+] Remote and Local Exploitation for IoT devices

[+] Attacking a smart home and smart enterprise network

And much more.

 

Want to learn how to attack an IoT infrastructure or individual devices? You will walk out of the 2-day class having learnt new skills which you could immediately apply in your job/research roles. Come join the course and experience the fast-paced, action-packed IoT Exploitation class.

 

Note: There is an additional $200 fee for the IoT hacking kit - which includes Attify Badges and custom vulnerable IoT device prepared by us, and an author signed copy of the IoT Hackers Handbook, and additional utilities for other IoT exploitation techniques.



Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Fiesta 9

9:00am

Whiteboard Hacking aka Hands-on Threat Modeling (2 of 2 days)

Toreon proposes a 2 day, trainer-led, on-site, Threat Modeling course. The training material and hands-on workshops with real live Use Cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people covering the different stages of threat modeling on:

• A hotel booking web and mobile application, sharing the same REST backend

• An Internet of Things (IoT) deployment with an on premise gateway and secure update service

• An HR services OAuth scenario for mobile and web applications

 

This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book: Threat Modeling, designing for security by Adam Shostack (2014, Wiley)

 

This training is delivered successfully at OWASP Europe 2016 and is selected for OWASP Europe 2017 and Blackhat USA 2017. More details and the outline of the training are available in the attached syllabus.

 


Speakers
avatar for Steven Wierckx

Steven Wierckx

Consultant, Toreon
Steven Wierckx is application security expert and training at Toreon.com. He is also the project leader for the OWASP threat model project. Steven is a software and security Tester with 15 years of experience in programming, training, security testing, source code review, test au... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Baja

9:00am

Developer Summit Full Day Session
We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.

There is NO charge to attend the Developer Summit, so come join us!

We do ask that you SIGN UP so we have an estimated headcount to be sure we have enough space and food.

Full Day Session
Date: Wednesday, September 20, 2017

Time: 9am-5pm
Room: Coronado N&P

Presenter: Swaroop Yermalkar

Extreme iOS App Exploitation, Defense and ARM Exploitation

Detailed training contents: https://goo.gl/swp7F8 iOS has become one of the most popular mobile operating systems with more than 1.4 million apps available in the iOS App Store. Some security weaknesses in any of these applications or on the system could mean that an attacker can get access to the device and retrieve sensitive information. This training will show you how to conduct a wide range of penetration tests on iOS applications to uncover vulnerabilities and strengthen the system from attacks. Extreme iOS App Exploitation, Defense and ARM Exploitation is a 14 hrs session which will help you conduct end to end pentesting of iOS Applications and will also help you to understand the security measures which needs to be taken. This training will also have CTF challenge where attendees will use their skills learnt in session. To attend this hands-on session, all you have to do is bring your macbook with xcode installed on it.

What will be discussed?

Module 1: Introducing iOS App Security

  • iOS security model
  • App Signing
  • App Sandboxing
  • App Provisioning
  • Changes in iOS 8/9/10

Module 2: Setting up lab

  • Setting up iOS Simulators
  • Jailbreaking basics
  • App signing
  • Setting up jailbroken iDevices (we will provide you)

Module 3: Exploiting iOS Application

  • Exploiting Local Data Storage Flaws
    • Keychain Storage
    • Data Storage in SQLite
    • Data Storage in Core Data
    • Data Storage in Realm database
    • Data Storage in YAP database
    • Data Storage in NSUserDefaults
  • Attacking URL Schemes
  • Broken Cryptography attacks and challenges
  • Exploiting SQL Injection
  • Exploiting XSS Attacks
  • Sealing up side channel data leakage

Module 4: Exploiting Broken Cryptography

  • Exploiting flaws in payment gateways
  • Crypto challenges

Module 5: Exploiting Key Management

  • Hardcoded keys
  • Storing keys server side
  • Generating random keys
  • CTF challenge

Module 6: Runtime Analysis of iOS Application

  • Runtime analysis using cycript
  • Runtime analysis using gdb with ARM Basics
  • Runtime analysis using lldb
  • Runtime analysis using Snoop-it
  • Runtime analysis using Frida
  • Bypassing jailbreak detection
  • Bypassing piracy detection
  • CTF Challenge

Module 7: Reverse Engineering and binary analysis

  • Reversing encrypted binaries
  • Checking for PIE, ARC
  • Reversing un-encrypted binaries
  • Disassembling using Hopper
  • Disassembling using IDA
  • iOS App binary patching
  • String analysis
  • CTF Challenge

Module 8: Analyzing iOS Network traffic

  • Intercepting HTTP traffic
  • Intercepting HTTPS traffic
  • Bypassing SSL Pinning
  • Attacking Weak Server Side Controls
  • CTF Challenge

Module 9: Exploring iOS Pentest automation frameworks

  • Needle Framework
  • IDB

Module 10: iOS Secure Coding

  • 1. iOS Static Code review
  • 2. Understanding best practices for
    • a. Defending local data storage flaws
    • b. Preventing runtime protection
    • c. Key management
    • d.Defending crypto attacks
    • e. Defending side channel data leaks attacks

Module 11: iOS ARM Exploitation

  • ARM Assembly
  • Executing first ARM program on iDevice
  • ROP (Return Oriented Programming) Basics
  • Simple stack overflow on iDevices
  • Exploiting Heap Overflow exploit
  • Case studies of recent jailbreaks

What will attendees learn from attending this presentation?

  • End to end iOS App Pentesting
  • iOS Secure Coding
  • iOS reverse engineering, runtime analysis
  • Encryption key management, Defending crypto attacks
  • ARM Exploitation (basics)
  • Designing secure iOS applications

Items attendees will be required to bring with them

  • Macbook with root permission and Xcode (8.2 or above) Installed


Speakers
avatar for Swaroop Yermalkar

Swaroop Yermalkar

Senior Security Engineer, Philips
Swaroop Yermalkar works as a Senior Security Engineer at Philips. His work includes threat modelling, security research, assessment of IoT devices, healthcare products, web applications, networks, Android, and iOS applications. | | Swaroop is an OWASP iGoat Project leader (h... Read More →


Wednesday September 20, 2017 9:00am - 5:00pm
Coronado N&P

9:00am

Project Summit & Project Reviews USA 2017

Join our our deep dive discussion on the following OWASP Projects ranging from Incubator to flagship projects. We welcome students and contributors to jump right in and work live with project leaders. Project Reviews will also be conducted throughout the Two Day Session of the Project Summit.

Current OWASP Projects Signed Up:

  1. Presenting on 9/20 @ 9:30 AM  - OWASP DefectDojo Project

  2. Presenting on 9/20 @10:00 AM  - OWASP ZAP Project & Project Reviews

  3. Presenting on 9/20 @1:00 pm OWASP Core Rule Set Project

  4. Presenting on 9/20 at 2:00 pm  OWASP Automated Threats Project

  5. Presenting on 9/20 @ 3:00 pm  - OWASP Virtual Village Project Resource

  6. Presenting on 9/20 at 3:45 pm OWASP ESAPI Project

Current OWASP Project Reviews Scheduled:

  1. OWASP Security Knowledge Framework Project

  2. OWASP Security Mobile Testing Guide Project

  3. OWASP Lab/Incubator Projects Deep Dive Health Checks

We would like your feedback and offer a unique opportunity to discuss hot topics.

Currently on the list of topics: (Open to more hot topics)

  • Resources for Projects

  • Reimbursement Form & Process

  • Discourse

  • Kickstarter Pilot Program

Please use our contact us form with any questions or concerns. Contacts at OWASP Foundation: Matt Tesauro and Claudia Aviles Casanovas will be onsite as well.


 


Moderators
avatar for Matt Tesauro

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline... Read More →

Wednesday September 20, 2017 9:00am - 5:00pm
Coronado Q&R

5:00pm

OWASP Store
Wednesday September 20, 2017 5:00pm - 7:00pm
Veracruz C

5:00pm

Exhibit
Wednesday September 20, 2017 5:00pm - 8:00pm
Veracruz C

5:00pm

Pre-Conference Reception
Wednesday September 20, 2017 5:00pm - 8:00pm
Veracruz C

6:30pm

OWASP Leaders workshop
All OWASP Chapter and Project Leaders are invited to come to the Leader's Workshop to give input on your needs so that the OWASP Foundation can better support you.  Here you will also learn about ongoing efforts as well as be able to give insight into how better to tailor them.  Attendees will receive special edition OWASP Leader's shirts.

Wednesday September 20, 2017 6:30pm - 8:00pm
Cancun
 
Thursday, September 21
 

8:00am

Registration
Thursday September 21, 2017 8:00am - 6:15pm
North Registration

9:00am

Welcome Note
Thursday September 21, 2017 9:00am - 9:15am
Coronado L

9:00am

KeyNote - Discussion on Application Security: John Steven and Jim Manico will be discussing application security from a unique perspective.
Speakers
avatar for Jim Manico

Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects. Jim is currently working on a book with McGraw-Hill and Oracle-Press on Java Web Security. For more information... Read More →
avatar for John Steven

John Steven

Senior Director, Synopsys
John Steven is a Senior Director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. Since joining Synopsys as a security researcher in 1998, John has provided strategic direction and built security groups for many multi-national corporations, including Coke, EMC, Qualcomm, Marriott and Finra. John's keen interest in automation continues to keep Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security... Read More →


Thursday September 21, 2017 9:00am - 9:45am
Coronado L

10:00am

Morning Coffee Break
Thursday September 21, 2017 10:00am - 10:30am
Veracruz C

10:00am

Capture the Flag
This hands-on Capture The Flag (CTF) event will be held live during both days of the conference, and will be targeted towards beginner and intermediate level application hackers. 
Participants in this event will be required to find and exploit OWASP Top-Ten related vulnerabilities, as well as other common application security vulnerabilities. Mentors will be available to help get you started. Prizes (i.e. tech-friendly gadgets) will be awarded to the top individual performers (must be present to win).
Initial registration must be made in-person at the CTF area, where the mentors will be available.  After registering, you can continue to remotely access the challenges until the CTF scoreboard is closed on the 2nd afternoon of the conference.

What to bring:-
A laptop with working wifi
Make sure to download the ZAP proxy from OWASP.org or your favorite proxy (e.g. BurpSuite) and have it working properly

Speakers
avatar for Joaquin Fuentes

Joaquin Fuentes

Manager, Penetration Testing, Early Warning
Hosting the official AppSec CTF with @realn0j (Mike McCambridge), @dejandayoff (Dejan Zelic), and @realbruteforce1 (Amol Deshpande). Enjoyed it? Apply at securityjobs.earlywarning.com


Thursday September 21, 2017 10:00am - 11:30am
Coronado M&N

10:00am

Exhibit
Thursday September 21, 2017 10:00am - 5:00pm
Veracruz C

10:00am

Women in AppSec (WIA) Hangout room
Join us in the WIA Hangout room, where the Committee will hold discussions Thursday afternoon afternoon and keep the space open for you to stop by and connect with others throughout the conference.

Thursday September 21, 2017 10:00am - 5:00pm
Coronado P&Q

10:00am

OWASP Store
Thursday September 21, 2017 10:00am - 5:00pm
Durango 1

10:30am

An Investigation into the Differences Between Web Application Scanning Tools when Scanning for XSS and SQLi
Web Application Vulnerability Scanners are becoming increasingly automated and are facing more difficulties as web technologies change and evolve.

 

As is evident from the October 2015 “Talk-Talk hack”, where a 16-Year-old boy performed an easily exploitable SQL Injection attack which resulted in TalkTalk losing £60 million and where 157,000 customers had their detailsstolen, The effects of having insecure Web Applications can be utterly disastrous.

Web Application Scanning tools are used by Penetration Testers and Security folk alike in order to help identify vulnerabilities in a given web app. They come in many different forms and some cost a significant sum.



Scanners attempt to identify dangerous vulnerabilities like Cross Site Scripting (XSS) and SQL Injection among many others and these tools must be constantly improved and enhanced in order to keep up with the latest maliciou sattacker techniques but also contemporary development frameworks.

 

For example, architectural changes and improvements issues such as Anti-CSRF tokens, recursive links and JS dynamically generated URLS have a massive impact on a scanners ability to effectively identify, crawl, scan and analyse a target web application for vulnerabilities.  

 

This presentation addresses the problems that current web application scanners face in dealing with both traditional and contemporary web architectures and technologies. It suggests improvements and identifies pitfalls of using automation without applying intelligence and a contextual view of the target being assessed.

Speakers
avatar for Robert Feeney

Robert Feeney

SecOps Lead, Edgescan
Robert is currently the Operations Lead for the edgescan™ managed service. His main responsibility is ensuring the high technical quality of the service and managing a team of security analysts from a technical excellence standpoint. | | Rob is an experienced security cons... Read More →


Thursday September 21, 2017 10:30am - 11:15am
Coronado L

10:30am

Moving Fast and Securing Things

“Process” is often seen as a antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users shouldn’t be disregarded for

the sake of speed. Striking a balance between security and nimble development is a vital aspect of a security (in particular, application security) team. At Slack, we have implemented a secure development process which has both accelerated development and allowed us to scale our small team to cover the features of a rapidly growing engineering organization.

 

In this presentation we will discuss both our Secure Development Lifecycle (SDL) process and tooling, as well as view metrics and provide analysis of how the process has worked thus far. We intend to open-source our tooling as a supplement to this presentation, and offer advice for others wishing to attempt similar implementations. We'll discuss our deployment of a flexible framework for security reviews, including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process that meets people where they are already working. We’ll show how it’s possible to encourage a security mindset among developers, while avoiding an adversarial relationship. By tracking data from multiple sources, we can also view the quantified success of such an approach and show how it can be applied in other organizations.



Speakers
avatar for Max Feldman

Max Feldman

Slack, Inc
Max Feldman works on the Product Security team at Slack, where he works on the bug bounty and security assessments of Slack features, as well as the development of security tools and automation. He was previously a member of the Product Security team at Salesforce.
avatar for Zachary Pritchard

Zachary Pritchard

Security Engineer, Slack
avatar for Fikrie Yunaz

Fikrie Yunaz

Slack, inc
Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.


Thursday September 21, 2017 10:30am - 11:15am
Coronado J

10:30am

Securing C code that seems to work just fine

Fastly offers a content delivery network (CDN) that ubiquitous and high-profile web properties like GitHub, Pinterest, and The New York Times rely on for performance, reliability, and security of their web applications. Fastly edge nodes seamlessly execute customer app security controls, handle sensitive user session data, and act as a trusted man-in-the-middle for TLS traffic. Edge daemons in the Fastly CDN are largely implemented in C. C has many strengths — including flexibility and performance — but C programs are also susceptible to memory corruption bugs that can lead to catastrophic security issues.

Like any successful startup, Fastly has taken many informed risks without things going terribly wrong, building an implicit optimism around legacy codebases and the organization's ability to continually innovate safely on them. Jonathan Foote, senior security architect at Fastly, will discuss the real-world successes and failures that led to an effective strategy for designing and deploying application security hardening measures that balances industry best practices, limited AppSec resources, and startup culture that is conditioned to think about what is going right versus what could go wrong. This talk will describe a minimum-viable approach for implementing application security controls, using deployment of self-service continuous fuzzing of critical internal C codebases including edge HTTP/2 services and Fastly’s varnish-cache fork as a running example.



Speakers
avatar for Jonathan Foote

Jonathan Foote

Senior Security Architect, Fastly
Jonathan Foote is a senior security architect at Fastly, a content delivery network (CDN) that many ubiquitous and high-profile organizations rely on for performance, reliability, and security of their web applications. Previously, Jonathan attacked a range application and networ... Read More →


Thursday September 21, 2017 10:30am - 11:15am
Coronado K

10:30am

Test Driven Security in the DevOps pipeline

The myth of attackers breaking through layers of firewalls or decoding encryption with their smartphones makes for great movies, but poor real world examples. In the majority of cases, attackers go for easy targets: web frameworks with security vulnerabilities, out of date systems, administration pages open to the Internet with guessable passwords or security credentials mistakenly leaked in open source code are all popular candidates. The goal of Test Driven Security is to take care of the baseline: apply elementary sets of controls on applications and infrastructures, and test them continuously, directly inside the DevOps deployment pipeline.

 

A baseline of security controls defines the minimal requirements applications should match before being deployed to production. The controls are simple and specific, such as:

- All websites must implement a Content Security Policy

- Form submission must require CSRF tokens, unless explicitely whitelisted

- SSH Root login must require sudo on all systems

- The rules in firewalls and security groups must be tested at every deployment

- HTTP traffic is prohibited, HTTPS endpoints must use Mozilla's modern guidelines

- Outdated and vulnerable dependencies must be upgraded

 

The list of security best practices is established by the security team with the help of developers and operators to make sure everyone agrees on their value. A list of baseline requirements can be assembled quickly by collecting those best practices and adding some common sense. The controls themselves are simple and do not require particular expertise, the difficulty comes from testing and implementing them everywhere and all the time.

 

This is where Test Driven Security comes in. TDS is a similar approach to Test Driven Development (TDD) which recommends developers to write tests that represent the desired behavior first, then write the code that implements the tests. TDS proposes to write security tests first, thus representing the expected state, and then implement the controls that pass the tests.

 

The TDS approach brings several benefits:

 

1. Writing tests forces security engineer to clarify and document expectations. Engineers can build products with the full knowledge of the required controls rather than catching up post-implementation.

 

2. Controls must be small and very specific units which are easy to tests. Vague requirements such as “encrypt network communication” are avoided, instead we will prefer the explicit “enforce HTTPS with ciphers X, Y and Z or all traffic”, which clearly states what is expected.

 

3. Re-usability of the tests across products is high, as most products and services share the same base infrastructure. Once a set of baseline tests is written, the security team can focus on more complex tasks.

 

4. Security regressions are caught in real-time, prior to deployment, rather than periodically during manual reviews.

 

Let’s take an example. A good practice for web applications is to enforce the use of HTTPS on all traffic, which can be done using HTTP Strict Transport Security (HSTS). A website can set a HSTS header returned with HTTP responses to tell web browsers to always HTTPS when connecting to the site, never HTTP. It’s a simple control, trivial to configure at the web server or application level, that we can very easily test for by looking at the headers returned by a website.

 

The code sample below shows how a simple Bash script can check the value of HSTS on a local application (https://localhost:8080/). This test can easily be part of the integration pipeline, perhaps run automatically as part of a pull request. The test should be defined ahead of implementing HSTS itself. It will fail when the HSTS header is unset or when its value is lower than 90 days. As soon as the website returns an acceptable value, the test will succeed.

 

#!/usr/bin/env bash

hsts=$(curl -si https://localhost:8080 |

grep 'Strict-Transport-Security:' |

awk '{print $2}' |

cut -d '=' -f 2 | sed 's/\r//')

if [ "$hsts" != "" ] && [ "$hsts" -gt 7776000 ]; then

echo "HSTS test passes. value is $((hsts/86400))days"

exit 0

else

echo "Strict transport security is lower than the expected 90days value"

exit 1

fi

 

Tests in the TDS approach will fail initially. This is expected to verify their correctness once they pass after the feature is implemented. Security teams should help developers and operators implement controls in their software and infrastructure at first, taking each test one by one and providing guidance on implementation, and eventually transfer ownership of the tests to the DevOps teams. When a test passes, the teams are confident the control is implemented correctly and the test should never fail ever again.

 

An important part of TDS is to treat security as a feature of the product. This is achieved by implementing controls directly into the code or the systems of the product. Security teams that do not collaborate with developers, and implement security outside of the applications and infrastructure, instigate a culture of distrust that eventually puts organizations at risk. You should shy away from this approach. Not only does it create tensions between teams, it also provides poor security as controls are not aware of the exact behavior of the application and miss things. A security strategy that isn’t owned by the engineering teams will not survive very long, and will slowly degrade over time. It is critical for the security team to define, implement and test, but it is equally critical to delegate ownership of key components to the right people.

 

TDS adopts the DevOps principles of automating the pipeline and working closely with dev and ops teams. It forces security folks to build and test security controls within the environments adopted by developers and operators, instead of building their own separate security infrastructure.

 

In the presentation, I will show how we implement TDS using a variety of open source tools:

 

- OWASP Zaproxy takes care of the baseline scan of web applications. We have worked closely with the core team of ZAP to implement Test Driven Security. We run baseline scan in two ways: 1) In the CI pipeline, like Travis-ci or CircleCI, to give feedback on pull requests and 2) in Jenkins as part of the deployment pipeline of each service, to test staging endpoint every time they are deployed.

 

- Static analysis tools, like jshint or gas, are used to inspect the source code of applications in CI.

 

- Dependency management tools, like NSP (Node Security Project) or goreport, are used to check for issues in third party of the applications. We also use closed source platforms like requires.io or greenkeeper.

 

- Infrastructure auditing is done via tools like Pineapple, which is used to verify the state of security groups in AWS.

 

Over the past 18 months, we have implemented TDS over a hundred of applications, websites and services and successfully improved our security posture. In this presentation, I will describe the techniques we developed to integrate TDS deep into the DevOps pipeline. The tooling we created will be presented to the audience, with links to resources they can use freely. I will also discuss the human aspect of integrating security processes into development and operations workflows, and how to succeed without disrupting slowing down organization’s SDLC.

 



Speakers
avatar for Julien Vehent

Julien Vehent

Firefox Operations Security Lead, Mozilla
Julien leads the Firefox Operations Security team at Mozilla, tasked with defining, implementing and operating the security of Firefox's backend services and release engineering infrastructure. Julien's background is in web applications security, services architecture, cryptogra... Read More →


Thursday September 21, 2017 10:30am - 11:15am
Coronado H

10:30am

Federated Login CSRF

Login CSRF is a well-known vulnerability that allows an attacker to hijack a victim’s browser to login to an application using the attacker’s own credentials. This paper applies a similar concept on an application using federated identities. Specifically, we will walkthrough a CSRF issue that can creep into an application that uses OpenID Connect and Oauth 2.0, where more than one identities for a user needs to be linked together. We look at the conditions under which such a Federated Login CSRF may occur and mitigations for the same.



Speakers
avatar for Murali Vadakke Puthanveetil

Murali Vadakke Puthanveetil

Senior Security Engineer, Microsoft
Murali Vadakke Puthanveetil works as a Senior Security Engineer for windows services pentest team at Microsoft. He spends most of his time digging into code of web applications to find interesting patterns that could later be used for attacks. He is particularly interested in fig... Read More →


Thursday September 21, 2017 10:30am - 11:15am
Fiesta 6

11:30am

Bug Bounty Programs: Successfully Controlling Complexity and Perpetual Temptation
Speakers
avatar for Michael Gallagher

Michael Gallagher

Senior Manager Application Security, PayPal
Michael Gallagher has been with PayPal for over two years as Senior Manager Application Security. Mr. Gallagher leads the end-to-end life cycle for application vulnerabilities for all production environments, including web applications, mobile applications and APIs. This includ... Read More →
avatar for Cassio Goldschmidt

Cassio Goldschmidt

Vice Presidence, Cyber Resilience Practice, Stroz Friedberg, an AON company
Cassio Goldschmidt is an internationally recognized information security leader with strong background in both product and program-level security. Outside work, Cassio is known for his contributions to Open Web Application Security Project (OWASP) , Software Assurance Forum for E... Read More →
avatar for Sean Martin

Sean Martin

Editor-in-Chief, ITSPmagazine
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP. Sean is the co-founder and editor-in-chief at @ITSPmagazine and the president of imsmartin, an international business advisory firm. Sean's articles have been published globally covering secu... Read More →
SM

Sean Melia

Senior Security Engineer, Gotham Digital Science
Charlotte, NC resident. One of the top bug bounty hunters on the HackerOne platform. Senior Security Engineer for Gotham Digital Science.
avatar for Michael Stoker

Michael Stoker

Partner, Baker and McKenzie LLP


Thursday September 21, 2017 11:30am - 12:15pm
Coronado L

11:30am

There’s a new sheriff in town; dynamic security group recommendations with Grouper and Dredge

At Netflix Security, we try our best to enable developers by removing roadblocks and providing systems with “sane” defaults that keep everyone from shooting themselves in the foot. When dealing with AWS security groups, not shooting yourself in the foot is important. VPCs, subnets, CIDR ranges, group membership, are all part of the security group vocabulary and essential in ensuring that applications can only talk to each other on an as-needed basis.

 

How many times have you heard fellow engineers mutter, “Well adding 0.0.0.0/0 seems to work. We will fix it later.” Grouper and Dredge together provide a solution for generating AWS security group rules based on current network data, ensuring that least privilege isn’t a future milestone. Both Grouper and Dredge are deeply integrated into our stack providing developer network insights that were previously unsurfaced. -- unsurfaced is an interesting word choice.

 

This talk will focus on the history of our security group infrastructure. The challenges of security groups in a large environment (limitations on the number of rules, multiple accounts, lack of cross region security groups, etc.,). Our current security group management and maturity strategy. How Grouper aligns with the freedom and responsibility culture at Netflix.

 

The Netflix cloud security team has a strong commitment towards open source. Given interest and maturity in these projects, we are open to open-sourcing them in the fu



Speakers
avatar for Kevin Glisson

Kevin Glisson

Senior Cloud Security Engineer, Netflix
When Kevin Glisson is not playing with security automation, new languages and python libraries he is an avid mountain biker and backpacker enjoying all parts of the Sierra's. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations... Read More →


Thursday September 21, 2017 11:30am - 12:15pm
Coronado J

11:30am

Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong

According to the 2016 Verizon Data Breach Investigation Report, web application attacks are the top source of data breaches today. During the past decade, address space layout randomization (ASLR) has become a feature present in all major OS and a significant guard against buffer overflows and similar attacks by randomizing the location where system executables are loaded into memory.

 

While ASLR has been effective at the OS level, the principles have not been applied as a means of securing managed virtual machines and runtime environments. Traditional heuristic methods of protection are increasingly ineffective, requiring new approaches to application security. This talk will explore the past, present and future of Java-based application vulnerabilities before sharing a newly developed technology created as a runtime solution to specifically address code injection attacks as a class.

 

Name Space Layout Randomization (NSLR) is based on the same principle as ASLR, but applied for the first time as an application security feature for the Java runtime. NSLR hardens the Java virtual machine (JVM) by randomizing the JRE namespace (Java packages). Using NSLR inside the JVM, the ownership of bytecode loading is standardized and unvalidated bytecode fails to be executed. In effect, this makes bytecode tampering and a range of code injection exploits so difficult to execute that they become unfeasible, protecting against known and unknown vulnerabilities, including zero-day exploits.

 

The Problem

 

Current approaches for protecting against known code injection attacks in applications that run on managed runtime environments involve applying a patch, fixing the vulnerability or disabling the flawed functionality, if possible.

 

Alternatively, web application firewalls can mitigate some threats, but are often plagued by false positives.

 

Zero-day attacks are notoriously difficult to protect against since they are, by definition, unknown exploits.

 

The Solution

 

We will present a novel approach to dealing with unvalidated bytecode tampering and a range of code injection attacks. With NSLR enabled, JRE packages and classes such as the java.lang.System class are randomized and renamed. Therefore, any exploit that attempts to invoke java.lang.System will fail, because it will not know the new randomized package name. Since NSLR generates a unique package name every time the JVM boots, it is impossible for attackers to guess the new randomized names. Also, it is impossible to access the randomized host package name from the application, since this randomization is not visible to it.

 

The randomized host package names are transparent to the guest applications and cannot be viewed or accessed from the JRE. In addition, NSLR prevents brute force attacks by using customizable high entropy (96 to 1,024 bits), which would likely require several thousands of years to crack. Finally, NSLR identifies when a code injection attack is attempted, logs the event and throws a ClassNotFoundException that gracefully terminates the attack.

 

To summarize, NSLR hardens the JVM by randomizing the JRE namespace, which prevents unvalidated bytecode tampering and a range of code injections from executing regardless of the attack vector and the vulnerability (known or zero-day) that is being exploited.

 

This approach provides absolute protection against both known and unknown code injection vulnerabilities with zero false positives, and does not require any changes to the application code.

 

Attendee Takeaways

 

Unvalidated bytecode tampering and injection in the JVM is a type of code injection attack that was never addressed properly. Code injection attacks rank 6th among 2055 known vulnerabilities according to MITRE.

Currently, the most common approach to protecting against them is to identify and fix/patch those vulnerabilities. This is not ideal, and may or may not be feasible. A firewall, IPS or WAF can be used to try to mitigate code injection attacks, but they are often plagued by false positives. More importantly, all the mainstream JVMs lack the appropriate mechanisms to identify and protect against these types of code injection attacks.

Attendees will leave this presentation with a working knowledge of how the next generation of application security solutions will be used against code injections. In the future, web-based applications will be protected by highly accurate, easy to operate virtualized technology in the runtime.

 

Attendees will gain:

1. Exposure to recent advances in runtime protection in the application security space

2. Understanding of the most frequently employed unvalidated bytecode attacks in the JVM, where they occur and forms of mitigation

3. Working knowledge of the new, state-of-the-art application security technique neutralizing code injection attacks

4. Unique insight into how these types of solutions are designed and developed from the software architect himself



Speakers
avatar for John Matthew Holt

John Matthew Holt

CTO and Founder, Waratek
John Matthew Holt is the founder and CTO of Waratek. | | A JVM/JIT compiler engineer, John Matthew is a recognized expert in Java, virtualization and application security. | | John Matthew has been an expert speaker at a number of Java technical events including Red Hat Sum... Read More →


Thursday September 21, 2017 11:30am - 12:15pm
Coronado K

11:30am

Overcoming Mobile App Security Challenges with DevOps

As companies make the cultural shift towards DevOps, native mobile applications present a number of unique challenges. Results of a recent survey suggest that 81 percent of enterprises and 70 percent of small-to-medium businesses have adopted some form of DevOps. Yet another survey, though, reports that only 29 percent of mobile applications are undergoing security assessments. Why does this gap exist? I will examine the unique DevOps problems put forth by mobile app development, and discuss how implementing mobile DevSecOps practices can mitigate their effects.

The talk will focus on identifying and demonstrating the impact of mobile-specific DevSecOps challenges:

 

Broader mobile framework specialties: Examining a mobile app extends beyond the application code itself. A fully functional mobile security team must be able to forensically analyze data stored on the phone, examine APIs and communications protocols, perform server-side penetration testing, and reverse engineer an application to perform thorough assessments at scale.

 

Technology fragmentation: Not only are mobile apps deployed across a multitude of hardware devices, steps taken by Apple and Google to secure the iOS and Android platforms eliminate avenues security pros use to detect and respond to mobile security threats.

 

Mobile apps expose enterprise architecture: A mobile app is often an endpoint for a much deeper enterprise architecture, so a compromised app can have far reaching effects.

 

Faster time frames: Even in the fast paced DevOps world, mobile applications have even more accelerated timelines for release. In order to build - and maintain - a user base, mobile apps need to be deployed and updated more frequently. This shorter development cycle stresses systems that may already be in place.

 

Push vs. pull updating - the unique nature of app stores mean that users have to “pull” updates, rather than the developer “pushing” them to existing installations.

 

The talk will then focus on how to leverage the strengths of DevSecOps processes to mitigate each these challenges in mobile. I will discuss strategies connected to each of the problems above with a focus on leveraging automation, process, and culture. A particular focus will be making the case for early and automatic security testing and providing examples of practical solutions.



Speakers
avatar for Brian Lawrence

Brian Lawrence

Solution Engineer, NowSecure
At NowSecure, Brian helps enterprises design and implement solutions to secure their mobile transformations and develop higher quality, more secure mobile apps. Prior to a stint in the restaurant and hospitality industries, Brian instituted a managed services provider's SaaS deli... Read More →


Thursday September 21, 2017 11:30am - 12:15pm
Coronado H

11:30am

Top 10 Security Best Practices to secure your Microservices

I have worked on enterprise APIs being used by millions of users worldwide both as a Enterprise Security Architect and as a developer building these services. In this session, I will talk about Top 10 ways to design and build secure Microservices to protect your users and your reputation. This top 10 list includes:

 

1. Use the latest version of TLS

2. Designing a secure Infrastructure and Network whether on prem or in cloud

3. Best Practices in Authentication to authentication your clients or end users.

4. Authorization of your end users or clients so they get just the right access based on least privilege and need to know.

5. Protecting your APIs against Distributed Denial of Service by using patterns such as Rate Limiting, Throttling, Daily limits etc.

6. Alerting and Monitoring your APIs to detect abnormal patterns and security issues.

7. API resiliency that directly affects Availability of your Microservices.

8. Encrypting & Hashing sensitive data - at rest and/or in transit - in memory, in cache and in db, in transit, in UI

9. Key management security

10. Session Management best practices

 



Speakers
avatar for Chintan Jain

Chintan Jain

Director of Software Engineering, Consumer Identity, Capital One
Chintan Jain currently leads the development and delivery of next generation Consumer Identity products at Capital One. His main focus is delivering internet scale cloud hosted microservices with absolute security. | | He has over 18 years of experience in the information s... Read More →


Thursday September 21, 2017 11:30am - 12:15pm
Fiesta 6

12:30pm

Lunch
Thursday September 21, 2017 12:30pm - 1:30pm
Veracruz B

1:30pm

When Molehill Vulnerabilities Become Mountainous Exploits

Here’s a story: you have built the ultimate AppSec program for your organization, and you complete the vital step of scanning your code for vulnerabilities along the development process. Your policy was very clear and strict about high priority vulnerabilities while lower vulnerabilities are addressed when time permits. Having achieved a significant coverage, you’re left with only three medium-severity vulnerabilities. You are about to sign off on the release; what could go wrong?

Watch as a downloaded app is attacked through a live demo, and learn the real dangers of three of the most commonly found (and ignored) medium level vulnerabilities.

Join this session to

• Watch how, when leveraged properly, medium level vulnerabilities become serious attacks

• Understand why static source code analysis is vital to locate vulnerabilities that your pen tests are likely to miss

• Learn how to use static application security testing as an attack technique



Speakers
avatar for Matt Rose

Matt Rose

Global Director Application Security Strategy, Checkmarx
Matt has over 18 years of software development, sales engineering management and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure software devel... Read More →


Thursday September 21, 2017 1:30pm - 2:15pm
Coronado L

1:30pm

Leveraging the ASVS in the Secure SDLC

Writing secure code is not as glamorous as releasing the next cool feature. However, we know that fixing security vulnerabilities in production is hard and costly. In order to have a more secure application it is important to consider what makes an application secure from the start during the design phase. But what security requirements make sense? How can a security organization track whether the multitude of applications are adhering to application security best practices and known secure states? How does a development team prioritize all the security requirements?

Driving uniformed security requirements across a large company can be no small task. Many development groups write security requirements guided by regulation or industry standards for their specific application that are not seen by other development teams or the security organization. Further difficulties arise from teams that are dispersed using different tools and processes. Acquired development organizations that are accustomed to different processes pose their own challenges. The sum of these items leads to a siloed approach to writing and tracing security requirements complicating efforts by the security organization to understand how applications are developing secure code.

With the OWASP ASVS, a set of verification statements can be used to create a list of functional and non-functional requirements and controls that an application can adhere to in order to maintain a secure posture for their risk tolerance. Our Application Security team used the verification statements from the ASVS and created a set of security requirements, controls, and technical design decisions that our applications can use in their normal Scrum process as they would for feature development. The Application Security team also provides a priority ranking on each of the work items in order to assist the application in prioritizing the work.

Our team developed a modified version of the open source Google VSAQ in order to present our applications with a questionnaire that determines the ASVS level that an application should strive toward. This questionnaire will ask questions related to the type of features and functions that the application may have in order to identify the tasks that the application needs to complete to meet that ASVS level. In some cases, the application may use a third party or another internal application to handle the functionality that is listed in the ASVS giving the development team the ability to opt out of some security requirements. For instance, the user authentication may be a module developed by another application as in the case of an SSO enabled application.

As with most projects, creating new processes and procedures for something specific like security requirements can create turmoil and outright revolt among the consumers of the new process. So bringing a set of uniformed security requirements to an established organization requires working within the existing process. To this end we are utilizing current internal requirements tracking, enhancement tracking and testing tools as a way to reduce reluctance to the new project. Through this already defined process security tasks can be viewed and treated as any other type of development tasks. This allows the security organization to see which applications are adhering to the controls, which ones are not, which controls are the most challenging across the application base, and follow the work through the lifecycle using standard reporting.

Test plans can be written using the ASVS verification statements as they are or as a guide to a more specific test plan. To verify that the requirements have been met by an application, the test plans will be mapped to the requirement in a requirements tracking tool.

Secure development does not need to be painful or difficult. In this talk I would like to show how an organization can apply the ASVS to their Software Security Life Cycle to create more secure applications. Working with a ready baked set of security requirements and methods of validation takes the ambiguity out of creating security requirements and makes them more consumable to development teams. The OWASP ASVS provides the guidance to that prepared set of requirements that can be used in an already established software development life cycle.



Speakers
avatar for Derek Fisher

Derek Fisher

Application Security Manager, Cerner Corp
I have nearly 20 years of experience in both hardware and software engineering. I have spent the last 5 years in an Enterprise Security role as a developer, an architect and an application security manager where my team provides security services to our development organization... Read More →


Thursday September 21, 2017 1:30pm - 2:15pm
Coronado J

1:30pm

Measuring End-to-End Security Engineering

This talk will introduce a new approach to SDL. At Twilio we call it End to End Security Engineering. It’s End-to-End because it covers the full product lifecycle, from Security Design to Monitoring and gives the ability to measure the state of security at each point.

 

The approach defines a ‘perfect secure system’ and produces metrics which tell us where we are relative to that perfect system.

 

The final state of the product’s security and risk depends on ‘collective understanding’ of threats and attacks as well as investments in building controls, tests and detections. Then we measure and adjust them to improve their effectiveness.

 

A perfect secure system is one for which:

- All products and features are threat modeled

- All possible attacks are identified

- All attacks are being monitored for

- All attacks are protected with controls

- All controls are covered with tests which check validity of implementation

- All controls are shown to be effective

 

To measure this we keep track of the following metrics:

- % of threat modeled products/features

- experience of threat modelers

- % of attacks being monitored

- % of attacks with implemented controls

- % of controls covered by full tests

- # of successful attacks

- # of prevented attacks after control has been put in place



Speakers
avatar for Davit Baghdasaryan

Davit Baghdasaryan

Principal Security Engineer, Twilio, Inc
Davit is a Principal Security Engineer at Twilio focusing on Product Security. He has been building security systems for more than 10 years, ranging from fingerprint sensors, mobile, web apps to backend systems. Davit is also one of the original designers of FIDO UAF protocols.
avatar for Garrett Held

Garrett Held

Head of Product Security, Twilio
Garrett is the Head of Product Security at Twilio. He has been working in Information Security for more than 12 years as a Managing Application Security Consultant, Instructor, Principal Product Security Engineer, and Director of Security. He has also led the information security... Read More →


Thursday September 21, 2017 1:30pm - 2:15pm
Coronado K

1:30pm

Making Vulnerability Management Less Painful with OWASP DefectDojo
DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to streamline vulnerability management with automation centered around templating, report generation, metrics, scanner consolidation, and baseline self-service tools. DefectDojo is currently used by multiple large enterprises and has core contributors from five different companies. It has made several engineers' lives much easier, and it can help you too. Got a ton of findings to consolidate and report on? DefectDojo has you covered. Need to have a dashboard of your team’s work? DefectDojo has you covered. Tired of boilerplate report generation? DefectDojo does that for you. Come check out how to make vulnerability management less painful and speed up your appsec program in this talk with demo.

Speakers
avatar for Greg Anderson

Greg Anderson

Senior Security Engineer, Pearson
Greg Anderson is a security professional with diverse experience ranging from vulnerability assessments to intrusion detection and root cause analysis. Greg’s recent work has focused on advanced security automation to get the most out of application security programs... Read More →


Thursday September 21, 2017 1:30pm - 2:15pm
Coronado H

1:30pm

Leveraging Blockchain for Identity and Authentication in IoT is good for Security

Leveraging Blockchain for Identity and Authentication in IoT is good for Security

Since the beginning of the internet, attempts have been made to solve the problem of privacy and security. Every effort has had challenges of inconvenience, cost and insecurity.

How do we prove our identity?

Blockchain technology and its mutual distributed ledgers (MDL) cannot be altered and allow people and companies to record, validate and track transactions throughout a network of decentralized computer systems. These MDLs are databases with a time stamped audit trail.

 

By leveraging this technology, an app on our device will hash our identifying information and insert this into the public Blockchain. Anytime you need to authenticate to another service or user, you share the information which is then sent through the algorithm and checked against the Blockchain. Once authenticated, your information for identification is not needed again.

If the hashed information is decentralized and provides interoperability. Personal information never leaves the device and is not stored on a centralized server. Taking the personal data, hashing it and then discarding everything but the hashes of our personal data allows the network to accept the information in the same manner as our ID cards.

 

These Blockchains open the door to innovation and enables more interoperability connecting various distributed services.

 

There can be 2 unique MDLs; one to hold the encrypted documents and a separate ledger that will hold encryption key access which are folders encompassing our identity, health or other qualifying records. Driver’s license bureaus can provide us a digitally signed copy of our driver’s license that we control. We then offer controlled usage to entities that need to inspect the documents, the information recorded on the MDL.

This use of immutable ledger can become the accepted modality of the future.



Speakers
avatar for Donald Malloy

Donald Malloy

Chairman, OATH
Donald Malloy is the Chairman of OATH, The Initiative for Open Authentication. OATH is an industry alliance that has opened the authentication market from proprietary systems to an open source standard based architecture promoting ubiquitous strong authentication.Malloy has more... Read More →


Thursday September 21, 2017 1:30pm - 2:15pm
Fiesta 6

2:30pm

iGoat – A Self Learning Tool for iOS App Pentesting and Security

OWASP iGoat is an open source self-learning tool for iOS developers, mobile app pentesters. The best thing about iGoat is that it follows client-server architecture and supports all iDevices including iPad, iPhone, iPod and Macbook simulator for iOS 8/9/10. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

Brief introduction to the problem.

Verify the problem by exploiting it.

Brief description of available remediations to the problem.

Fix the problem by correcting and rebuilding the iGoat program.

This talk is all about how iOS developers, security analysts can dive deep into iOS App Security using iGoat tool. This talk will start from setting up iGoat to exploiting latest exploits in iOS app. I’ll also release a new version of iGoat with tons of new exercises at Appsecusa 2017.


 


Speakers
avatar for Swaroop Yermalkar

Swaroop Yermalkar

Senior Security Engineer, Philips
Swaroop Yermalkar works as a Senior Security Engineer at Philips. His work includes threat modelling, security research, assessment of IoT devices, healthcare products, web applications, networks, Android, and iOS applications. | | Swaroop is an OWASP iGoat Project leader (h... Read More →


Thursday September 21, 2017 2:30pm - 3:15pm
Coronado L

2:30pm

Application Security “Built from Scratch”

Description:

The Home Depot, the world’s largest home improvement retailer, has been providing hammers, saws, nails, lumber, and paint to Do-It-Yourselfers and Pros alike since 1978. In the same spirit, the Product Security team offers self-service tools and materials to help software developers analyze their source code and deployed applications at scale and speed, matching the pace of agile.

 

Key Takeaways:

• Build tooling using the same technologies and methods developers use

• Ensure tooling is available when and how developers want it

• Eliminate friction by providing meaningful results and teaching developers how to interpret them

• Empower developers to determine a path toward issue resolution



Speakers
avatar for Matt Stanchek

Matt Stanchek

Application Security Architect, The Home Depot
Matt Stanchek has been pursuing his passion for software engineering and security for nearly two decades. Having worked in multiple industries, Matt has been responsible for the design, development, and security of enterprise web technologies, financial systems for top banks, an... Read More →
avatar for Mindy White

Mindy White

Application Security Manager, The Home Depot
Mindy White is an IT security professional specializing in secure software development lifecycles. Over the past decade, she has led diverse IT infrastructure and software engineering initiatives in both the public and private sectors, including enterprise architecture, site reli... Read More →


Thursday September 21, 2017 2:30pm - 3:15pm
Coronado J

2:30pm

Embedding GDPR into the SDLC

We will map the GDPR requirements to the typical software security activities as part of a Secure Development Lifecycle. This will cover:

• How to include the DPO as part of the software security governance?

• Providing privacy awareness training to developers

• Including privacy in secure coding guidelines

• Including a Privacy Impact Analysis as part of software risk analysis.

• Mapping the GDPR to software security requirements

• Applying privacy by design on software architecture

• Including privacy threats in software threat modeling

• Including a privacy security checklist as part of software security testing

• Applying GDPR specific breach notification requirements on the vulnerability and incident management processes

The talk will focus on practical implementation aspects and demonstrations of real life use cases encountered in our software security and privacy projects.

More details can be provided in a detailed submission.



Speakers
avatar for Steven Wierckx

Steven Wierckx

Consultant, Toreon
Steven Wierckx is application security expert and training at Toreon.com. He is also the project leader for the OWASP threat model project. Steven is a software and security Tester with 15 years of experience in programming, training, security testing, source code review, test au... Read More →


Thursday September 21, 2017 2:30pm - 3:15pm
Coronado K

2:30pm

Juggling the Elephants – Making AppSec a Continuous Program

As security professionals charged with protecting large enterprise application portfolios, we continually find ourselves managing a wide array of disparate security initiatives, each of which demands to be treated as a top priority. Few of these initiatives ever achieve full coverage across the application portfolio. So we’re left to prioritize on the fly and try to keep everything we’re juggling in the air. Inevitably some will get dropped.

 

What if we could develop an AppSec program that ties those disparate initiatives together into a repeatable and continuous program that not only addresses coverage of the entire portfolio but acts as an enabler of high-paced development paradigms such as DevOps and CI/CD? In this presentation we’ll discuss a model for deploying AppSec programs that addresses these goals. A strategy for tying together various security activities including threat modeling, code reviews, and penetration tests, with business and risk processes in a way that actually makes development more efficient. We’ll discuss how an organization can tailor their own program based on the model but addressing the unique challenges and business goals of the individual firm.

 

You’ll see how the Continuous AppSec Model leverages the key principles of the latest OWASP SAMM to break down and unify your security activities. You’ll learn how an Application Security Program can be designed to enable continuous improvement within the program itself. You’ll discover how this continuous improvement allows for implementation of a program based on this model in an easily digestible and incremental fashion. You’ll understand how a truly continuous program allows you to better prioritize your security initiatives by providing you a clearer picture of the risks across your environment. You’ll leave with a better strategy for enabling your application teams to not only support but actually advocate for the security practices already employed within your enterprise as well as those perhaps thought too advanced for your organization.



Speakers
avatar for Tony Miller

Tony Miller

Practice Leader, Aspect Security
Tony Miller is a highly experienced application security leader. Tony heads the Program Services practice at Aspect Security where he assists security and business leaders in global fortune 500 companies with strengthening their strategic approach to application security. Prior... Read More →


Thursday September 21, 2017 2:30pm - 3:15pm
Coronado H

2:30pm

An Overview of API Underprotection

The OWASP 2017 top ten is adding a new category of underprotected APIs. This reflects how RESTful Web APIs are rapidly becoming the backbone of communication on the modern web. A whole series of new challenges are thus presented for dealing with security and access authorization issues. These are not well covered by existing tools or techniques. This talk will cover some of the potential threats that result from failure to secure Web APIs sufficiently and discuss some of the emerging security technologies in the field. In this API driven world there are a more complex set of API consuming clients, some of which may need to embed access credentials such as API keys. We will discuss the differences between software authorization via static API keys and user authorization via OAuth2 and the interplay between them. We will pay particular attention to API consumers such a mobile apps where the code must be published in the public domain. We will look at the typically poor level of practice in concealment of access credentials such as API keys in these apps. Some practical advice with code examples will be provided about how to improve the security posture of mobile apps accessing an API. We will cover the use of TLS and how it is not an effective countermeasure to credentials being extracted unless certificate pinning is also used to prevent Man-in-the-Middle attacks against the app. There will be some practical advice on how to implement TLS pinning with code examples. Finally we will look at more advanced techniques such as app hardening, white box cryptography and software attestation for mobile applications where security is crucial. Attendees should gain a good understanding of the underprotected API problem, some short term practical tips to improve their API security posture with minimal effort and an appreciation of emerging tools and technologies that enable a significant step change in security.



Speakers
avatar for Richard Taylor

Richard Taylor

CTO, Critical Blue Ltd
Richard Taylor co-founded CriticalBlue in 2002 to commercialise new techniques for code performance analysis and optimization. CriticalBlue has consulted for various OEMs improve software performance for Linux and Android system. For the past two years, he has been focused on a... Read More →


Thursday September 21, 2017 2:30pm - 3:15pm
Fiesta 6

3:30pm

Black-Box Approximate Taint Tracking by Utilizing Data Partitioning

The information security industry has a long history of challenges when it comes to ensuring the safety of user input data. User input must be escaped when using a template to build a string. Whether in HTML, SQL, or shell commands it is best practice to escape data from untrusted sources. Most of the time this is done by having the developer think through all possible code paths the string could have taken. This requires heroic effort and is still error-prone. Far more reliable is using a type or metadata system to tag the data and track it through the system, but this requires the designer of the system to consistently use the tagged string types, or have some additional runtime support to provide a tracking mechanism. Further, such techniques (explored extensively in academic research) have invariably encountered severe performance impacts, making them unpractical for runtime protection.

 

We propose a black-box taint tracking system in which we observe only the user inputs (http parameters) and system outputs (commands and SQL queries). By parsing the input and the output commands we can determine if an input data partition straddles an output data partition. This would indicate that the input data partition had injected information from the data portion of the input to the command portion of the output. Since we look only at the input and output of the application code, code complexity is arbitrary. Previously, if a system was not designed from the beginning to have taint tracking, introducing taint tracking was cost prohibitive. “Approximate taint tracking” allows after-the-fact introduction of these protections in a way that is cost-effective, and performant.



Speakers
avatar for Boris Chen

Boris Chen

VP of Engineering, tCell.io, Inc.
Boris is co-founder and VP of Engineering at tCell, a security startup based in San Francisco. tCell's solution is the next generation of runtime attack monitoring and protection for web applications, covering the OWASP Top 10 and more. Boris's interest lies in the intersection o... Read More →


Thursday September 21, 2017 3:30pm - 4:15pm
Coronado L

3:30pm

“Capture the Flag” for Developers: Upping your Training Game

Getting developers to care about security is tough, but turning your developer training into a hands-on puzzle game with a Capture the Flag (CTF) event can create excitement while effectively accomplishing the real goal of the training. Permanently open their eyes to what goes wrong when security controls are left out and give them the attacker’s perspective to look critically at their code moving forward. Consider that students remember 20% of what they hear – and 90% of what they do. Hands-on training is radically more effective.

 

This presentation will discuss the pedagogical underpinnings to the technique (so management will approve it), and practical recommendations on implementing an event (so that the participants will have a good time). After several years of running events in a variety of contexts, I’ll share some success stories and admit to some failures that will help put you on the right path for your own event.

 

Topics will include:

• Designing your event infrastructure to minimize risk and satisfy IT policies.

• Preparing difficult, but solvable challenges.

• Managing players while encouraging them to break the rules.



Speakers
avatar for Mark Hoopes

Mark Hoopes

Senior Application Security Engineer, Aspect Security
Mark Hoopes has been working in enterprise IT delivery for nearly 20 years in an assortment of roles including development, project management, and major incident management. He found his niche in application security and has been effectively on vacation ever since. Throughout hi... Read More →


Thursday September 21, 2017 3:30pm - 4:15pm
Coronado J

3:30pm

DASTProxy: Don’t let your automated security testing program stall on crawl. Instead focus on business context.
Many automated security programs look at crawling through a website before testing as a measure to build security automation. However, such an approach has limited success when you are dealing with huge applications that have numerous teams working on modular components or subsections. At eBay, it was instantly clear that such an approach was doomed to fail. Instead the Secure Development Life Cycle Team leveraged the knowledge and business context that our product development teams had built into functional testing, to enhance our dynamic security testing automation. This let us further our goal to make security a responsibility of every product development team at eBay. This talk is about our journey and the open sourced automation framework (https://github.com/eBay/DASTProxy) that we built to make our dreams and goals a reality.

Speakers
avatar for Srinivasa Rao Chirathanagandla

Srinivasa Rao Chirathanagandla

Senior Software Engineer, eBay
Srinivasa Rao is an Information Security Engineer in AppSec at eBay, responsible for developing applications and tools for Secure Product Life Cycle (SPLC) and SecDevOps. He is a full-stack developer who enjoys coding using java, grails/groovy, angularJS and interacting with rela... Read More →
avatar for Kiran Sharadkumar Shirali

Kiran Sharadkumar Shirali

Senior Security Engineer, Red Team, eBay
Kiran Shirali is a Senior Security Engineer in eBay’s Red Team. During the day, he is scouring eBay’s networks and applications for flaws that could lead hackers get access to critical assets. He is also involved in various other initiatives that help on the defensive side of... Read More →


Thursday September 21, 2017 3:30pm - 4:15pm
Coronado K

3:30pm

WAFs FTW! A modern devops approach to security testing your WAF

Although Web Application Firewalls (WAFs) are recognized as an effective aspect of a defense in depth strategy, there are few tools that attempt to objectively review their effectiveness. Research companies like NSS or Gartner perform benchmarks of WAFs, but their methodologies are rarely disclosed. With the advent of site reliability and devops cultures, infrastructure as code has been a strategy to verify functionality of products. This talk brings that same mentality to WAFs; not only do we verify WAF functionality within deployments, but we also provide a method to verify WAF defenses against new exploits and attacks. We do this with our project FTW - Framework for Testing WAFs.

 

We achieved two outcomes from this project. The first was to design a framework that is extendable to test arbitrary WAF implementations. This would allow engineers to compare WAFs to help them make an informed purchase decision for their organization instead of relying on reports and literature that do not disclose their testing methodologies. Secondly, we want to have the ability to develop new tests without the need for development experience. This allows rapid prototyping of attack payloads without the need of a scripting language. These payloads are then executed against various WAF implementations to see how the WAF responds. Once tested, new rules can be deployed within the WAF and then the attack is added to a corpus of attacks for continuous testing.

 

We will first review the design of the tests. We use the OWASP Core Ruleset Version 3 (CRSv3) as our benchmark for web attacks and defenses, so the first task was to translate the CRS and write attacks to make sure the rules trigger. This resulted in a corpus of 1000s of attacks provided for end users at no cost. Tests are written in YAML format, and we will go into detail on how the format is developed to include both basic HTTP attacks as well as more advanced multi-stage attacks.

 

Next, we will review the architecture of the code. Py.test is used as the testing foundation due to the wide adoption within industry it enjoys, its ability to parametrize the YAML test files, as well as its ease of use in continuous integration environments. We show how an individual can set up an FTW testing environment and start writing or editing tests, as well as creating new ones. We will then show continuous integration strategies to test and deploy new WAF rules. We use Travis-CI as the continuous integration technology, but traditional CI or deployment tech can also be used.

 

We then will move into the crux of our presentation where we highlight the results. We plan to discuss how this project is being used throughout the community. The ModSecurity team used FTW extensively for regression testing in the CRS. We will show lessons learned and how regression testing in security is extremely important. We will also show a use case for how an origination uses FTW to ship WAF rules for their customers on the edge. Strategies to ship WAF rules include continuous integration and applying security to the SDLC of these deployments. Lastly, we highlight a journaling feature that allows security engineers and red teamers issue a battering ram of web attacks and log responses into a local database for pentest reports.

 

The Current Code

https://github.com/crs-support/ftw to check our code

https://github.com/fastly/waf_testbed for a VM that spawns the latest CRS w/ the latest FTW to start running tests

https://github.com/SpiderLabs/OWASP-CRS-regressions/tree/master/tests for CRS attacks

https://github.com/SpiderLabs/owasp-modsecurity-crs/ latest CRS



Speakers
avatar for Zack Allen

Zack Allen

Manager, Threat Operations, ZeroFOX
Threat Intelligence, Data Science, Web Security, SecDevOps and if you want a job!


Thursday September 21, 2017 3:30pm - 4:15pm
Coronado H

3:30pm

Androsia: A tool for securing in memory sensitive data

Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security sensitive information like user authentication credentials, authorization tokens, en/decryption keys, PINs, etc. These critical objects like any other object are kept around in the heap until the OS hits a memory constraint and realizes that it needs more memory. The OS then chooses to invoke garbage collector in order to reclaim memory from the apps. Java does not provide explicit APIs to reclaim memory occupied by objects. This leaves a window of time where the security critical objects live in the memory and wait to be garbage collected. During this window a compromise of the app can allow an attacker to read the credentials. This is a needless risk every Android application lives with today. To exacerbate the situation, apps today heavily make use of Identity providers to implement Open ID/OAuth based authentication and authorization.

 

In this paper we propose a novel approach to determine at every program statement, which security critical objects will not be used by the app in the future. An Android application once compiled, has all the information needed to determine this. Using results from our data flow analysis [1] we can decide to flush out the security sensitive information from the objects immediately after their last use, thereby preventing an attacker who has compromised the app from reading security critical information. This way an app can truly provide defence in depth, protecting sensitive data even after a compromise.

 

We propose a new tool called Androsia, which uses static program analysis techniques to perform a summary based [2] interprocedural data flow analysis to determine the points in the program where security sensitive objects are last used (so that their content can be cleared). Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values. The data-flow analysis associates two elements with each statement in the unit control flow graph called flow sets: one in-set and one out-set. These sets are (1) initialized, then (2) propagated through the unit graph along statement nodes until (3) a fixed point is reached.

 

 

We leverage the power of Soot [3], a static Java-bytecode analysis framework, to identify the points in the program where an object is last used (LUP). The detection of Last Usage Point (LUP) of objects, requires analysis of methods in a reverse topological order of their actual execution order; which means that the callee method will be analyzed before the caller method. We construct flow functions for the analysis and use them to propagate the data flow sets [4]. The flow functions are as follows:

 

Out(i) = φ if S(i) is exit node in CFG

= ∪ {In(j)} | where S(j) is the set of all successor statements of S(i) | otherwise

 

In(i) = Out(i) ∪ Gen(i); where

 

Gen(i) = {var(y)} | if S(i) is of the form: x = y

= {var(y)} | if S(i) is of the form: x = if(y)

= {var(y)} | if S(i) is of the form: x = while(y)

= {p(i)} | if S(i) is of the form: x = f(p)

= {φ} | otherwise

 

(In the interest of space: pls. refer [1] to know more about how the flow functions work in a data flow analysis)

 

In our analysis, the flow sets are propagated backwards in the Unit graph [5]. The analysis result corresponding to a method is kept as a summary for that method and is propagated to caller methods at the method call site. Hence giving rise to an inter-procedural summary based analysis.

 

Using the results from this analysis we then perform bytecode transformation on the target app to remove sensitive information from the objects at the identified program points from our analysis. As a case-study, we take Android apps and manifest the security that Androsia has to offer.

 

[1] Data flow analysis, https://en.wikipedia.org/wiki/Data-flow_analysis

 

[2] D. Yan, G. Xu, and A. Rountev. Rethinking soot for summary-based wholeprogram analysis. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis, SOAP ’12, pages 9–14, New York, NY, USA, 2012. ACM

 

[3] Soot: a Java Optimization Framework. http://www.sable.mcgill.ca/soot/

 

[4] Implementing an intra procedural data flow analysis in Soot. https://github.com/Sable/soot/wiki/Implementing-an-intra-procedural-data-flow-analysis-in-Soot

 

[5] UnitGraph. https://www.sable.mcgill.ca/soot/doc/soot/toolkits/graph/UnitGraph.html



Speakers
avatar for Samit Anwer

Samit Anwer

Software Engineer II, Citrix R&D
Samit Anwer is a Web and Mobile Application Security researcher and penetration tester. He has been active in the security community since the last 3 years soon after completing his Master's degree from IIIT, Delhi in Mobile and Ubiquitous Computing. He is an active member of the... Read More →


Thursday September 21, 2017 3:30pm - 4:15pm
Fiesta 6

4:30pm

Afternoon Coffee Break
Thursday September 21, 2017 4:30pm - 5:00pm
Veracruz C

5:00pm

KeyNote - Runa A. Sandvik: Building a Culture of Security at The New York Times
The traditional approach for security teams has involved the existence
of a siloed department, slow gatekeeping controls designed in a world of
Waterfall development, and processes that aren't nearly as agile as they
should be.

The New York Times has staked its future on being a destination for
readers; the way we gather and report news is changing, so is the way we
develop products. We, the security team, need to re-examine whether
we're living up to our responsibilities and potential.

This talk will share practical lessons learned at The New York Times on
how to build and foster a culture of security across the organization.
As part of this, the talk will also explore how we can adapt to better
confront the new challenges we face as security practitioners.

Speakers
RA

Runa A. Sanvik

Runa Sandvik is the Director of Information Security at The New YorkTimes. Her primary focus over the past year has been the newsroom andhelping reporters better understand the challenges they are facing. Runaloves to travel and has spoken at numerous conferences around the world... Read More →


Thursday September 21, 2017 5:00pm - 5:45pm
Coronado L

6:00pm

WASPY Award Ceremony

2017 WASPY Awards

Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not. 

The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized. 


Come and join us as we recoginze the winners of the 2017 WASPY Awards!

Best Community Supporter - 3 way tie
Nicole Becher
Dinis Cruz
Jeremy Long

Best Mission Outreach
Mark Miller

Best Innovator
Seba Deleersnyder

https://www.owasp.org/index.php/WASPY_Awards_2017

Speakers
avatar for Dave Ferguson

Dave Ferguson

Dave Ferguson is a Solution Architect with Qualys and has been a specialist in Application Security since 2006. After writing tons of Java and C++ code as an application developer for over a decade, he joined FishNet Security (now Optiv) and pen tested countless applications and... Read More →



Thursday September 21, 2017 6:00pm - 6:45pm
Coronado L

6:45pm

Conference Dinner
https://2017.appsecusa.org/conference-dinner/

At 6.45pm Conference buses will be leaving from the conference venue to the Epcot.
Social evnet begins at 7.15pm and ends at 10pm
From 9.30pm to 10.30pm Conferences buses will be leaving from Epcot.


Thursday September 21, 2017 6:45pm - 9:30pm
Epcot
 
Friday, September 22
 

8:00am

Registration
Friday September 22, 2017 8:00am - 5:00pm
North Registration

9:00am

Passive Fingerprinting of HTTP/2 Clients

HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.

 

Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.

 

In the presentation, I intend provide the following:

• HTTP/2 Overview

- Introduction into the basic elements of the protocol

- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)

- Potential use cases of the proposed fingerprint

- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform

• Examples of common HTTP/2 Implementations & Client fingerprints collected during the research

• HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)

• Review of attacks over HTTP/2 observed on Akamai’s platform

 

References:

http://akamai.me/2qWIqON  - whitepaper published by Akamai’s Threat-Research Team.



Speakers
avatar for Elad Shuster

Elad Shuster

Security Data Analyst, Akamai
CPA(il), MBA, Security Data Analyst at Akamai, with over 10 years of experience in data analysis across different industries. | At Akamai I'm part of the Threat Operations team, exploring new trends in the web security and responsible for maintaining the defensive protections... Read More →


Friday September 22, 2017 9:00am - 9:45am
Coronado L

9:00am

Cookie Security – Myths and Misconceptions

Cookies are an integral part of any web application and secure management of cookies is essential to web security. However, during my years as a security consultant I've often encountered various myths and misconceptions regarding cookie security from both developers as well as other security professionals. This talk will dive into the details of cookie security and highlight some of the lesser known facts about well-known cookie attributes. For example, we will see why the ‘Secure’ attribute doesn’t make a cookie immune against active man-in-the-middle attacks, how JavaScript can manipulate cookies marked with ‘HttpOnly’, why setting the ‘Domain’ attribute to the origin host may make it less secure and how other applications on the same host still can access cookies scoped to a path outside their application. This talk will also cover many of the recent improvements to cookie security implemented in modern browsers, such as ‘Strict secure cookie’, ‘Cookie prefixes’, and the ‘SameSite’ attribute. This talk will give you a solid understanding of the pitfalls affecting cookie security, the risks associated with these, and how you can leverage modern security specifications to enhance the protection of cookies in your web application.

 

Tentative outline (subject to change):

-Cookie Basics

-Cookie Lifetime

o Persistent vs. non-persistent cookies

o Expires and Max-Age Attribute

o Security implications

-Cookie Scope vs. Same-origin Policy

-Secure Attribute

o What it protects against

o What it doesn’t protect against

o Targeting ‘Secure’ cookies in MiTM attacks

o Demo

-HttpOnly Attribute

o What it protects against

o What it doesn’t protect against

o Attacking ‘HttpOnly’ cookies from JavaScript

o Demo

-Path Attribute

o Isolating cookies between applications on same domain

o Compromising cookies scoped to another application’s path

o Demo

-Domain Attribute

o Broadly scoped domains

o Narrowly scoped domains

o Risks with setting the domain attribute

-Modern Cookie Protections

o SameSite Attribute

o Cookie Prefixes

o Strict Secure Cookie

-Summary

o Is there an ultimate cookie configuration?



Speakers
avatar for David Johansson

David Johansson

Associate Principal Consultant, Synopsys
David Johansson has 10 years of experience in software security, working as a consultant for several different companies. A large part of his work has been focused on secure software development in general and web security in particular. He has trained hundreds of developers and... Read More →


Friday September 22, 2017 9:00am - 9:45am
Coronado J

9:00am

What We Learned Remediating XSS in GitHub Open Source Projects

Our goal was to fix as many high-risk vulnerabilities throughout the GitHub Open Source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio wide remediation in a large and diverse organization within a context that allows sharing concrete statistics and experiences.

 

Fixing XSS throughout a portfolio of applications is more challenging than fixing a single application. In addition to the remediation work required for a single application, fixing a portfolio requires getting developer buy in, complying with various coding style guides, integration with each project’s existing processes, testing, metrics, and more.

 

This presentation will discuss how we did it, lessons learned, as well as some alternatives. Three things that made our scaling approach unusual was:

1) Focusing on risk broadly across application portfolios instead of a single application.

2) Focusing on adding missing security controls instead of the exploitability of vulnerabilities.

3) Automating JSP source code modification

 

We will compare the approach that we used on this project to more traditional manual and automated techniques that focus on vulnerability detection, as well as scaling through training, and scaling through building offshore capabilities.



Speakers
avatar for Mike Fauzy

Mike Fauzy

Founder, CTO, FauzyLogic
Mike Fauzy has been writing and assessing web applications since 1997. He helped write components of OWASP ESAPI, as well as minor contributions to Scrubbr, JavaSnoop, and other web app security projects. He also builds, trains, and expands automated web application security team... Read More →
avatar for Demetria Robertson

Demetria Robertson

COO, FauzyLogic
Demetria Robertson's background straddles data science, applied analytics, and software product management. She has held leadership roles in building analytics programs ranging from Fortune 500 to startup companies. Her credentials include data science certificates from Johns Hop... Read More →


Friday September 22, 2017 9:00am - 9:45am
Coronado K

9:00am

Building a Secure DevOps Pipeline
Is software development outpacing your ability to secure your company’s portfolio of apps?  You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster.  And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several business.  This isn’t a theoretical talk.  It covers the results of  successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees.  Yes, real stats on improvements seen will be provided. By changing focus from a point in time security testing and assessments to automation, continual health checks and event-based security, your AppSec program can start to keep pace with the increasing speed of delivery your business is trying to obtain.  By embracing the same methodologies, you can turn Docker from a problem to how you horizontally scale your security work.  Don't swim against the current of DevOps, Agile software development and Continuous Delivery.  Instead use those movements to speed your AppSec program to new levels.

Speakers
avatar for Matt Tesauro

Matt Tesauro

Senior Technical Project Engineer, OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is broadly experienced information security professional of 15 years specializing in application and cloud security. He is a former board member of the OWASP Foundation and project lead for OWASP AppSec Pipeline... Read More →
avatar for Aaron Weaver

Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speak... Read More →


Friday September 22, 2017 9:00am - 9:45am
Coronado H

9:00am

This Old App, a guide to renovating apps for the cloud

Most businesses have at least one old clunker app kicking around, and the longer it has been around and more clunky it is, the more likely it is to be vital to your business (otherwise you’d have gotten rid of it, right?). So how do you approach getting an old clunker migrated to the cloud? Think you can put it off? You’ll probably discover that there is a compelling business reason to get it migrated lurking just around the corner that will force your hand. Whether it is as mundane as a data center consolidation effort, of as aspirational as a push to transform the business to be more agile and customer focused, the cloud has your app in its sights and will not rest until your app has made the leap.

 

There are a variety of approaches touted for app migration, from decomposition into micro-services, to blatant lift-and-shift, so how can you tell which migration pattern is most likely to succeed and meet business objectives? Much like approaching a renovation of an old house, how can you tell which apps are the ‘scrapers’ where refactoring might as well mean rewriting, and which ones ‘have good bones’ and might successfully make the transition without much more than basic updates? Cloud purists will promote a refactoring pattern where an apps decomposed into a collection of cloud-native micro-services. Others will promise that you can forklift the app into a cloud with almost no change. But do you understand the benefits and pitfalls of the various approaches? Is there a middle path?

 

Many questions arise, such as: Should the app be migrated to a public or private cloud? Would an IaaS or PaaS be a better fit? Can it be outsourced to a SaaS, essentially replacing the app with a cloud native offering and avoiding migration of the app itself? What are the security implications of each app migration pattern combined with the target cloud environment? Does my legacy app have inherent design assumptions that conflict with the design assumptions of the target cloud environment? Are there the necessary supporting organizational capabilities (DevOps, Agile, DevSecOps, Test Driven Design, etc.), and technologies (continuous integration/continuous deployment, configuration management automation, etc.) to support cloud migration success?

 

This presentation will explore these topics and more to provide a roadmap to making both good security decisions and good decisions overall in planning your app’s migration to the cloud.



Speakers
avatar for Christian Price

Christian Price

Christian Price has over a decade of experience in various information security domains and is passionate about transforming how security teams contribute value and unlock innovation. He is currently a cloud security architect, has led 2-pizza teams to develop security services f... Read More →
avatar for Chris Wells

Chris Wells

Chris Wells has deployed security solutions for major healthcare, online retail, telecommunication, and financial industries. He is an accomplished application security architect with over 15 years of application security experience. Chris holds multiple security certifications i... Read More →


Friday September 22, 2017 9:00am - 9:45am
Fiesta 6

9:00am

Capture the Flag
This hands-on Capture The Flag (CTF) event will be held live during both days of the conference, and will be targeted towards beginner and intermediate level application hackers. 
Participants in this event will be required to find and exploit OWASP Top-Ten related vulnerabilities, as well as other common application security vulnerabilities. Mentors will be available to help get you started. Prizes (i.e. tech-friendly gadgets) will be awarded to the top individual performers (must be present to win).
Initial registration must be made in-person at the CTF area, where the mentors will be available.  After registering, you can continue to remotely access the challenges until the CTF scoreboard is closed on the 2nd afternoon of the conference.

What to bring:
A laptop with working wifi
Make sure to download the ZAP proxy from OWASP.org or your favorite proxy (e.g. BurpSuite) and have it working properly

Speakers
avatar for Joaquin Fuentes

Joaquin Fuentes

Manager, Penetration Testing, Early Warning
Hosting the official AppSec CTF with @realn0j (Mike McCambridge), @dejandayoff (Dejan Zelic), and @realbruteforce1 (Amol Deshpande). Enjoyed it? Apply at securityjobs.earlywarning.com


Friday September 22, 2017 9:00am - 5:00pm
Coronado M&N

9:00am

Women in AppSec (WIA) Hangout Room
Join us in the WIA Hangout room, the space open for you to stop by and connect with others throughout the conference.

Friday September 22, 2017 9:00am - 5:00pm
Coronado P&Q

10:00am

Morning Coffee Break
Friday September 22, 2017 10:00am - 10:30am
Veracruz C

10:00am

Members Lounge
OWASP Members Lounge
AppSec USA 2017
Friday, Sept. 22 10am-3pm
Room: Durango 2


Looking for a place to recharge?  
Feeling a bit hungry or thirsty?  
Or just looking to take a break from the hectic conference atmosphere? 

Well....head on over to the Members Lounge 

Here you can grab a snack, a cup of coffee, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member?  No problem!  Swing on over to the lounge, and you can sign up on the spot!

Look for the signs or ask a volunteer how to find us!

Friday September 22, 2017 10:00am - 3:00pm
Durango 2

10:00am

Exhibit
Friday September 22, 2017 10:00am - 5:00pm
Veracruz C

10:00am

OWASP Store
Friday September 22, 2017 10:00am - 5:00pm
Durango 1

10:30am

HUNT: Data Driven Web Hacking & Manual Testing

What if you could turbocharge your web hacking without having to sacrifice efficiency? Since pure automation misses so much important information, why not use powerful alerts created from real threat intelligence? What if you had these powerful alerts in as a plugin in a tool that that is so ubiquitous in web hacking that it’s synonymous to its very definition? What if this plugin not only told wyou where to look for vulnerabilities, but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tool? Well, dream no more! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities such as SQL Injection, Command Injection, Local/Remote File Inclusion, and more! The data that drives this plugin are parsed from hundreds of real-world assessments which provide the user with the means to effectively root out critical issues. Not only will HUNT help you assess large, hard targets more thoroughly, but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data driven design of HUNT and its core functionality.

 

Detailed Outline

HUNT's core idea is to parse large data sets of web application flaws and transforming the results into a meaningful testing tool. We've taken one of the largest known vulnerability data sets, the bounty data at Bugcrowd, and scrubbed it all down to vulnerability class and parameter name. With this data, we can infer patterns in web application vulnerability locations.

Today, one of the things we struggle with as an industry is manual testing for large, complex applications. With the amount of surface area to cover on assessments, we are forced to rely on automation. And while automation is great, it fails to apply the years of experience we have as pentesters in identifying edge-cases in web vulnerabilities that cannot be easily found by anything other than a human.

 

HUNT will log and alert commonly vulnerable areas for manual testers to look at based on the collective knowledge of hackers all over the world. This will help break down complex applications into meaningful and testable areas. We are not aiming to replace scanners in this fashion, but instead, we are making sure web hacking gets the manual tester love that it truly deserves.

 

The tool covers critical vulnerability classes that can be meaningfully parsed at the moment:

 

SQL Injection

Local/Remote File Includes

Directory Traversal

OS Command Injection

Server Side Request Forgery

File Upload Vulnerabilities

Insecure Direct Object References

Server Side Template Injection

 

Sections of the Talk

The Problem

Web hacking training lacks detailed tribal knowledge of vulnerability location

Sites are larger and more complex than ever and even harder to test thoroughly with current manual testing techniques and methodologies

No in-tool workflow for web hacking methodologies

The Data

Understanding the data set

Learning about data and patterns discerned

Give examples of the data of vulnerable parameters

Examples: file, document, folder, style, pdf

The Tool

Explore HUNT's install and GUI

Explore some sample alerts live

Explore HUNT's methodology and tester references

Explore HUNT's methodology organization tab

Talk about the future and contribution



Speakers
avatar for JP Villanueva

JP Villanueva

Trust & Security Engineer, Bugcrowd
JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at local OWASP chapters, I... Read More →


Friday September 22, 2017 10:30am - 11:15am
Coronado L

10:30am

Supply Chain Anarchy – Trojaned Binaries in the Java Ecosystem

In 1984, Ken Thompson wrote, “You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” [1] Yet modern software applications are 80% open source components.[2] The supply chain is total anarchy.

 

All this third-party code runs with the full privileges of the application, essentially granting full access to host, backend, datacenter, and possibly intranet. Obviously, if a popular component, like Log4j or Apache Commons, were trojaned, it would give an attacker a hall pass to most of the datacenters in the world. Much of our trust in open source components comes from the fact that the source is public and “given enough eyeballs, all bugs are shallow.” [3] Unfortunately, in the Java ecosystem (and most other environments), there is literally no assurance that a given binary matches the source.

 

This talk reports on the results of a large-scale experiment to search the universe of Java libraries for malicious discrepancies between source code and binaries. We created an automated security pipeline that automatically matches repositories, builds code, performs a “security diff” of the bytecode instructions, and generates human-readable reports for analysis. Our “security diff” tool ignores inconsequential differences between compilers, flags, and versions, so that only truly different code gets flagged. The experiment is currently underway and hundreds of libraries have been analyzed.

 

Of course, source-to-binary traceability is not everything, a malicious developer could hide attacks in the source code [4]. A crafty malicious developer would intentionally introduce vulnerabilities that look like accidents to establish some plausible deniability. So, given the trust that these libraries have been granted, and the potential attractiveness to an attacker (particularly nation-sponsored or financially motivated hackers), we absolutely have to know if public source code matches the binaries we blindly trust.

 



Speakers
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's first unified application vulnerability assessment *and* attack protection platform. Jeff has over 20 years experience in security leadership roles, including the first Global Chairman of the OWASP Foundatio... Read More →


Friday September 22, 2017 10:30am - 11:15am
Coronado J

10:30am

Where we’re going… we won’t need passwords…

This session will cover a real-word approach to an enterprise wide, multi-factor authentication deployment at a fortune 500 financial services company with 30,000+ workforce. We’ll discuss the technical challenges we faced in adapting modern passwordless authentication protocols such as SAML and Kerberos to a wide range of client computing devices and legacy technologies. We’ll also discuss the critical user experience decisions and lessons learned during the implementation to enable workforce authentication any time, any place, and any device.



Speakers
avatar for Matt Hajda

Matt Hajda

Security Architect, USAA
Matthew Hajda is a Security Architect at USAA, focusing on oversight and roadmap of Identity and Access Management technologies. His background includes roles as an Active Directory Security Analyst, Penetration Tester, SOC Analyst, IT Systems Engineer, and Security Architect... Read More →
avatar for Michael Stewart

Michael Stewart

Executive Director, IAM, USAA
Michael Stewart is the Executive Director, Information Security Access Operations for USAA. In this role, Michael has responsibility for workforce identity and access management and mainframe and database security. | Prior to USAA, Michael spent fifteen years at the Federal Res... Read More →


Friday September 22, 2017 10:30am - 11:15am
Coronado K

10:30am

Monitoring Application Attack Surface and Integrating Security into DevOps Pipelines
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.

Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 comp... Read More →


Friday September 22, 2017 10:30am - 11:15am
Coronado H

10:30am

R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections

Machine Learning (ML) has found it particularly useful in malware detection. However, as the malware evolves very fast, the stability of the feature extracted from malware serves as a critical issue in malware detection. The recent success of deep learning in image recognition, natural language processing, and machine translation indicates a potential solution for stabilizing the malware detection effectiveness. We present a color-inspired convolutional neural network-based Android malware detection, R2-D2, which can detect malware without extracting pre-selected features (e.g., the control-flow of op-code, classes, methods of functions and the timing they are invoked etc.) from Android apps. In particular, we develop a color representation for translating Android apps into rgb color code and transform them to a fixed-sized encoded image. After that, the encoded image is fed to convolutional neural network for automatic feature extraction and learning, reducing the expert’s intervention.We have run our system over 800k malware samples and 800k benign samples through our back-end (60 million monthly active users and 10k new malware samples per day), showing that R2-D2 can effectively detect the malware. Furthermore, we will keep our research results on http://R2D2.TWMAN.ORG if there any update.


Speakers
avatar for TonTon Huang

TonTon Huang

Cyber-Security/Deep Learning Research, Leopard Mobile Inc.
Hsien-De Huang (a.k.a. TonTon) is working for Leopard Mobile (Cheetah Mobile Taiwan Agency). His current major research interests include Deep Learning, Malware Analysis, Android Reverse Engineering, Type-2 Fuzzy Logic, and Ontology Applications. He also is a Ph. D. candidate (IK... Read More →
avatar for Hung-Yu Kao

Hung-Yu Kao

Professor, National Cheng Kung University
Hung-Yu Kao received the B.S. and M.S. degree in Computer Science from National Tsing Hua University in 1994 and 1996 respectively. In July 2003, he received the PhD degree from the Electrical Engineering Department, National Taiwan University. He is currently the Director of In... Read More →
avatar for Chia-Mu Yu

Chia-Mu Yu

Enjoy the intersection between AI, security, and privacy


Friday September 22, 2017 10:30am - 11:15am
Fiesta 6

11:30am

Friday the 13th: Attacking JSON

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues.

One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.

We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable.

In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable as well and conclude presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation.

Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.



Speakers
avatar for Oleksandr Mirosh

Oleksandr Mirosh

Security Research QA Engineer, HPE
Oleksandr Mirosh is working for HPE Software Security Research team investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules.
avatar for Alvaro Muñoz

Alvaro Muñoz

Principal Security Researcher, HPE
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HPE Security Research (HPSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the HPSR team... Read More →


Friday September 22, 2017 11:30am - 12:15pm
Coronado L

11:30am

Handling of Security Requirements in Software Development Lifecycle

The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them.

 

After a short introduction of a unified process for handling security requirements in a large company, the main part of the talk is going to focus on a tool called SecurityRAT which we developed in order to support and accelerate this process.

 

The goal of the tool is first to provide a list of relevant security requirements according to properties of the developed software (e.g. type of software, criticality), and afterwards to handle these in a mostly automated way - integration with an issue tracker being used as a core feature.

 

Work in progress (currently targeting mainly integration to other systems, automated testing of requirements and reporting) as well as future plans will form the last part of the talk.



Speakers
avatar for Daniel Kefer

Daniel Kefer

Head of Application Security, 1&1 Mail & Media Development & Techhnology GmbH
Daniel Kefer has been working in the application security field since 2007. Having started as a penetration tester, he soon became passionate about proactive security efforts and working closely with developers. Since 2011 he has been working for 1&1 where he currently leads an i... Read More →
avatar for Rene Reuter

Rene Reuter

IT Security Consultant, Robert Bosch GmbH
René Reuter is a security engineer with over 6 years of experience in the application security field. At Robert Bosch GmbH, he works as an IT Security Consultant responsible for identifying vulnerabilities and design flaws that may impact Robert Boschs' applications and infrastr... Read More →


Friday September 22, 2017 11:30am - 12:15pm
Coronado J

11:30am

Enhancing Physical Perimeter Defense Using SDR

Part One: The Problem

The current solutions of sensor based perimeter defense have their limitations. Taking home defense as an example, sensors are located at all possible breach points of the perimeter (windows, doors, etc). The alarm is triggered only when there is an actual perimeter breach. It takes time for the alarm company to report to local police and more time for police to send patrol cars. If the attackers are determined to finish the task quickly and take off before police can arrive, the chance of getting away is very high.

 

There is one important additional weakness: this traditional method is limited to what information the sensors pick up. The old methods have no capability of identifying the reconnaissance, which happens very often before potential breaches.

 

Part Two: The Solution

Most attackers carry cell phones during reconnaissance and the actual breach. This means the chances that a new cellular device will show up near the (potential) breach site is very likely.

 

I propose a solution of using software-defined radio to simulate cell tower signals within a short range, near the protected perimeters of a site. Through the analysis of abnormal devices within a certain range of the perimeter, we can:

* Identify potential threats (reconnaissance, following, etc).

* Post-breach investigation (by providing cellular device info).

* Conviction (crime scene presence through the location of the device).

 

Part Three: Technical Implementation Details

SDR Configuration

* (The following SDR config is done only to a short range around the protected perimeter.)

* Use SDR to simulate the cell tower within a short range.

* SDR will force cell phones to downgrade to 2G for information gathering.

* Frequency to power on the SDR. The SDR will NOT always be powered on. It only powers on every 30 minutes, for 1 minute.

* SDR will capture the phone number, active time, and location (directions related to the SDR).

 

Data Storage

The following data will be stored and encrypted:

* Phone number

* Active time

* Location (relative to the SDR)

 

Data Analysis

* Normal pattern (learning process): 1) Devices frequently showing up near perimeter (neighbours). 2) Devices only showing up at certain times of the day (mail delivery, garbage pickup, etc).

* Exception pattern: Devices near perimeter that have never show up before (potential reconnaissance).

Identify intrusion: Devices inside the perimeter that have never show up before.

* Correlating the exception pattern with intrusion: identify and note the reconnaissance activity.

 

Part Four: Limitations and Thoughts

Limitations

* The solution assumes attackers carry cellular device during the recon or breach.

* The location and direction of the device is based on signal strength and is therefore not guaranteed to be accurate.

 

Integrate with Other Solutions

* Integration with existing perimeter defense solutions

* Trigger the action of drones for 1) vehicle identification 2) real time images

 

Part Five: Video Demo

 

Disclaimer:

This article and any related technical detail was prepared or accomplished by the author in his personal capacity. The opinions expressed in this article are the author's own and do not reflect the view of author’s employer

 



Speakers
avatar for Yitao Wang

Yitao Wang

Attacklytics
Yitao Wang has over 10 years of experience in information security. Coming from the other side of the GFW he has great passion for internet and computer security since the wild 90s. Yitao is currently working on his own startup security company where he drives the products and pr... Read More →



Friday September 22, 2017 11:30am - 12:15pm
Coronado K

11:30am

Core Rule Set for the Masses

Everyone who has used, or attempted to use, OWASP ModSecurity Web Application Firewall knows something about fine-tuning rules. ModSecurity Core Rule Set (CRS) was designed to catch more, show more and let you decide what to do with security alerts. It is a time consuming -- and often frustrating -- exercise to analyze alerts, separating the wheat from the chaff, and determine which are candidates for blocking.

 

With thousands of servers at more than 100 locations, Verizon Edgecast CDN is one of the world’s largest deployment of OWASP Core Rule Set. We will share our experience in fine-tuning the CRS for a large number of customers, adjusting to their taste in risk and attitude toward false positives. We will discuss lesser used features of ModSecurity to cut down noise levels in alerts, sometimes as much as 90%. We will also discuss our experience in moving from CRS 2.2.9 to 3.0 which was released in late 2016.

 

We hope that the audience will walk away with understanding benefits of using the venerable web application firewall with the latest enhancements and issues to consider to get the most out of it. Ultimately, we hope that our experience will make your task of fine-tuning the CRS a little easier.



Speakers
avatar for Robert Whitley

Robert Whitley

Security Solutions Architect, Verizon Digital Media Services
Robert Whitley started out his career as a customer facing SOC analyst that allowed him to explore the breadth of the information security field. After working closely on incident response and threat intel, Robert now spends his day to day on consulting users on WAF and rate limi... Read More →
avatar for Tin Zaw

Tin Zaw

Volunteer, OWASP
Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Applications, along with Colin Watson. At his day job, he leads a global practice to help Verizon customers secure web properties at Verizon Digital Media.  | He started his career programming network pro... Read More →


Friday September 22, 2017 11:30am - 12:15pm
Coronado H

11:30am

SPLC as a Service

A Secure Product Lifecycle (SPLC) is integral in ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. This session will discuss lessons learned, soup-to-nuts, through the process of designing, rolling out, and measuring a scalable SPLC.

 

In Adobe’s Digital Marketing business unit, two security analysts created a successful program that has scaled to support thousands of engineers. Defining security requirements and KPIs for engineering teams is just the first step in creating the SPLC. In order to make the design a reality for several products, thousands of engineers, and millions of lines of code, we organized our team into an ‘as a service’ model and utilized automation to scale to meet this demand. Establishing a strong security ambassador program helped ensure the success of the SPLC. The centralized ambassador network has been crucial to the success all product security initiatives throughout the business unit. We will give examples of how ambassadors have assisted with incident response, driven training and security culture initiatives, and have championed security-related projects on their individual team.

 

We will explore a case study of one of our most successful SPLC-driven programs - static code analysis. By fully automating the process from code check-in to delivery of results, we achieved 100% buy-in from all engineering teams in the Digital Marketing business unit. The process was designed to have minimal impact on the engineering teams, and to be integrated into their existing workflows, allowing for a very low-overhead program that adds value. The engineers code and commit as they normally would. On the backend, our static code analysis engine is scanning and will inject any findings into their existing bug-tracking system.

 

You will walk away from this talk with on-the-ground knowledge to establish an effective SPLC by establishing and utilizing security ambassadors and providing seamless automation to support these key initiatives.



Speakers
avatar for Julia Knecht

Julia Knecht

Manager, Security & Privacy Architecture, Adobe
Julia Knecht manages Product Security and Privacy Architecture at Adobe. She created and is responsible for the Secure Product Lifecycle of Adobe’s Experience Cloud Business. An integral and invaluable piece of the Secure Product Lifecycle is her Security Champions program, whi... Read More →
avatar for Taylor Lobb

Taylor Lobb

Manager, Security and Privacy, Adobe
Taylor is responsible for vulnerability detection and remediation for Adobe’s Digital Marketing Business. In addition to leading a team of penetration testers, Taylor has designed and successfully automated vulnerability detection systems that support all of Digital Marketing e... Read More →


Friday September 22, 2017 11:30am - 12:15pm
Fiesta 6

12:30pm

Lunch
Friday September 22, 2017 12:30pm - 1:30pm
Veracruz B

1:30pm

ReproNow: Save time Reproducing and Triaging Security bugs

Crowdsourcing security aka Bug Bounty Programs are adapted by almost all companies today: big, small, mid size. While companies reap a lot of benefits, the challenge is to have a security engineer/engineers reproduce each of the bug, understand the replication method and spend time recreating the security bug that the researcher reported. And sometimes (read all the time) it may also require a lot of going back and forth with the researcher to reproduce the vulnerability. As security engineers we felt the pain as well and we created a tool that solves this challenge and helps organization focus their resources on resolving these vulnerabilities and strengthening their security posture.

Our tool is an open source software and an easy to install chrome/firefox extension. A researcher can install this extension on their browser and record the entire walkthrough of the vulnerability. Our tool captures not only the screen but even Network requests. So, a researcher can capture the entire session and submit this video to the organization. Then the security engineers who validate this can play the video on the tool and see the exploit in action. This makes triaging much easier, saving engineers valuable time. We will be releasing this tool to the community.


Speakers
avatar for Vinayendra Nataraja

Vinayendra Nataraja

Senior Product Security Engineer, Salesforce
Vinayendra Nataraja is a Senior Product Security Engineer at Salesforce and an independent security researcher. He has been in the security industry for 5 years now and holds a Masters degree in Information Security from Northeastern University. He leads the bug bounty efforts fo... Read More →
avatar for Lakshmi Sudheer

Lakshmi Sudheer

Security Researcher, Adobe
Lakshmi Sudheer is a Security Researcher at Adobe. She holds a Master of Science in Information Security from Northeastern University and has been in the security industry for about 4 years now. At Adobe, she works on solving challenging security issues across products and the or... Read More →


Friday September 22, 2017 1:30pm - 2:15pm
Coronado L

1:30pm

Common Developer Crypto Mistakes (with illustrations in Java)

During the past 7 years, I have examined how cryptography has been used in 200+ different projects from a security risk perspective. This includes 85+ design reviews well over 100 secure code reviews (mostly Java with some C/C++ and C# thrown in for good measure) performed for two different companies. That includes both proprietary code of these 2 companies, proprietary vendor code reviewed under NDAs, as well as some FOSS code. This talk explores the most commonly observed applied cryptography mistakes made by developers during that 7 year window, how you can spot those mistakes, and finally describes how to correct them.

 



Speakers
avatar for Kevin Wall

Kevin Wall

Information Security Engineer, Wells Fargo
Kevin Wall has been involved in application security for the past 15+ years, but he still considers himself a developer first and an appsec engineer second. During most of those 15+ years, Kevin has specialized in applied cryptography and web appsec. Before transitioning to apps... Read More →


Friday September 22, 2017 1:30pm - 2:15pm
Coronado J

1:30pm

How to detect CSRF vulnerability, reliably?

CSRF vulnerability is one among the OWASP top 10 and detection of this vulnerability in web applications has proved to be a difficult problem. Most dynamic application security testing tools provide the option of scanning for CSRF vulnerability, however their reports are often plagued with either false positives or false negatives making them quite unreliable. In this presentation we will analyze the general approach taken by the tools for CSRF vulnerability detection and identify the reasons behind their failures. Then we propose a new programmatic approach to scan for CSRF vulnerability that overcomes these shortcomings. We will demonstrate that this approach is not only simple and reliable but also can easily be integrated with automated testing for application security.



Speakers
avatar for Umesh Salian

Umesh Salian

Umesh Salian is part of Cybersecurity Architecture team of Discover Financial Services, currently focused on automation of (Static and Dynamic) Application Security Testing in CI/CD pipeline. He has prior experience of 15 years as Java/J2EE developer before joining Cybersecurity... Read More →


Friday September 22, 2017 1:30pm - 2:15pm
Coronado K

1:30pm

DevSecOps is real - What we learned by matching our appsec testing to our continuous release cycles

SaaS-first businesses like Salesforce, Box, Hubspot, Wix, ServiceNow, and Workday are taking over. It’s actually becoming risky for enterprise software companies NOT to adopt the SaaS technology and business model. There’s a real fear of being left behind. Over the next 10–20 years, every software company will be a SaaS company.

 

As a software-as-a-service company, Egnyte is innovating fast. It’s all about speed of innovation, design, and usability. The faster you can go, the less you spend on product development, and the fewer person hours are required to deliver a complete solution. Every iteration is an opportunity to deliver greater business value.

 

The problem with buying a SaaS solution from someone you don’t know is trust. When you don’t have a long-term, heavily invested relationship with your customers (as in the old-school IT-driven, on-premise local data center implementation model), how do you signal quality? Elements like security and regulatory compliance must be maintained, but the way they are implemented can’t slow the business down.

 

At Egnyte, we publish new software updates, features, and enhancements every two weeks. Secure software is business critical, and application security is what really matters. When it comes to software security, I am reasonably confident in our internal release criteria, which includes quality assurance and regression tests, automated security checks, as well as regular periodic software security assessment scans on our public-facing and production applications. But automated tools can’t find everything. Human powered security testing is necessary, and on-demand specialization wins.

 

Join Kris Lahiri, CISO of Egnyte, for an in depth discussion of the evolution of his software security program - what he tried, what worked, what didn’t, and how he’s planning to move forward. This session is a must-see for any security leader responsible for application security at a Saas company.



Speakers
avatar for Kris Lahiri

Kris Lahiri

Chief Security Officer, Egnyte Inc
Kris is a co-founder of Egnyte. He is responsible for Egnyte's security and compliance, as well as the core infrastructure, including storage and data center operations. Prior to Egnyte, Kris spent many years in the design and deployment of large-scale infrastructures for Fortune... Read More →


Friday September 22, 2017 1:30pm - 2:15pm
Coronado H

1:30pm

Beyond End-to-End Encryption: Threats Models For Secure Messaging

In an age of ever more sophisticated cybercrime and mass surveillance secure communication is an increasingly rare premium commodity. In this talk we take a look at how the threat model for secure messaging applications has evolved beyond the traditional man-in-the-middle attacker.

 

We will cover new goals and capabilities of attackers targeting modern communications networks. We will also look at several classes of attacks many of which are already being used effectively in the wild. For these, we will cover the capabilities needed to launch the attack, the effects successful execution can entail.

 

Some of the real world attacks/vulnerabilities we will touch upon are:

- The account enumeration and hijacking of Telegram accounts in Iran.

- Detecting the language in encrypted text messages.

- Recovering the content of encrypted VoiP conversations.

- HipChat server compromise leading to leak of meta-data and chat logs.

- Invisible rekeying on WhatsApp.

- Widespread lack of even basic privacy in the face of future quantum attacks.

- Browser based attacks on WhatsApp and Telegram.

- iMessage protocol attack



Speakers
avatar for Joël Alwen

Joël Alwen

Cryptographer, Wickr
A widely published cryptographer with over 10 years of research experience spanning topics such as post quantum, game theoretic and leakage-resilient crypto, blockchain technology and memory-hard cryptography. | Current positions: Cryptographer at Wickr, a secure collaboration... Read More →
avatar for Tom Leavy

Tom Leavy

VP Engineering, Wickr Inc
Employee #0 and mobile application and secure communications architect at Wickr, a secure communications company building end-to-end encrypted ephemeral collaboration tools. Co-designer and lead engineer of the open source initiative “Wickr Secure Messaging Protocol.”


Friday September 22, 2017 1:30pm - 2:15pm
Fiesta 6

2:30pm

NoSQL Is Not NoVulnerable

SQL Injection has long been a common dangerous vulnerability found in many web applications. But many modern web applications forgo the use of SQL in favor of more modern databases commonly referred to as “NoSQL” databases. These databases don’t just use different storage engines, but also provide different query language. Some of the limitations imposed by the query language make traditional injection attacks less likely. But with different query languages and probably even more importantly different more complex datatypes come new classes of vulnerabilities which in the end can be as dangerous and exploitable as SQL injection. In addition, many of these new databases lack some of the more granular security and access controls developers are accustomed to from traditional SQL databases. In this talk, we will survey popular NoSQL databases to compare different threats an application may be exposed to by using these databases. We will also demonstrate some new attacks that instead of focusing on injection of query language commands take advantage of new complex data types like JSON and how they can be manipulated to bypass application level access controls to access or manipulate data.



Speakers
avatar for Johannes Ullrich

Johannes Ullrich

Dean of Research and a faculty member, SANS Technology Institute
Johannes Ullrich, dean of research at the SANS Technology Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. His research interests include IPv6, network traffic analysis and secure software development. In 2004, Network World... Read More →


Friday September 22, 2017 2:30pm - 3:15pm
Coronado L

2:30pm

Automating TLS Configuration Verification on the Back-End of the Web Application Stack

Best practices for HTTPS deployment have been steadily improving over the past decade. TLS usage on web servers has been steadily increasing and there are dozens of tools (O-Saft being the most popular) now available to test the correctness of the TLS configuration of a front-end web server. All good news. But what about the other services and protocols used in a web application stack? What about the connection between the web application server and the backing data store? Unfortunately, the state of the art regarding proper TLS configuration in popular databases has not progressed as quickly as it has for HTTPS.

 

Virtually all important data sent between a client and a web application, will also be sent between the application server and its backing data store. The network IS hostile and any connection to the backing data store of a web application needs to have the same level of network confidentiality and integrity as the front-end client.

 

This talk will look at the current TLS capabilities of popular web application data stores (MySQL, PostgreSQL, and MongoDB), including both the most recent versions as well as the most widely deployed versions. We’ll discuss best practices for defining TLS configuration within these data stores, which are somewhat different from HTTPS, and improvements in tools made by the presenter, to help verify proper server configuration of TLS. Finally, with these new tools we’ll survey actual TLS configurations of publicly connected data stores to determine adherence to best practices in the wild.



Speakers
avatar for Steven Danneman

Steven Danneman

Security Engineer, Security Innovation
Steven Danneman is a Security Engineer at Security Innovation in Seattle, WA, making application software more secure through targeted penetration testing. Previously, he lead the team responsible for all authentication and identity services development within the OneFS operating... Read More →


Friday September 22, 2017 2:30pm - 3:15pm
Coronado J

2:30pm

A Static Tainting Analysis Method for Aspect-Oriented Programs

Many web applications contain security vulnerabilities that enable attackers to access sensitive data or gain control of client computers or the servers on which those applications are running. These vulnerabilities are caused by web applications failing to correctly sanitize input data and to safely format output data. Many tools and techniques have been created to detect and correct these problems in web applications written using widely-used programming languages such as PHP and Java but little has been done to address vulnerabilities in web applications written using aspect-oriented languages such as AspectJ. This presentation will introduce a new method of detecting potential vulnerabilities in aspect-oriented web applications.



Speakers
avatar for Evan H. Dygert

Evan H. Dygert

President, Dygert Consulting, Inc.
Evan Dygert is a consultant (Dygert Consulting, Inc.) with over 30 years of experience in software development in areas including compilers, databases, finance, insurance, computer networking and security, and software security. He is experienced in many computer languages includ... Read More →



Friday September 22, 2017 2:30pm - 3:15pm
Coronado K

2:30pm

How to stop worring about application Container security

 

Containers make it easier to deploy the applications that drive business value, but also profoundly challenge existing security models. Learn from our journey as a security team that went from not knowing what containers were to championing their adoption in our production sensitive information workloads over traditional DevOps application deployments.

• About Us

• Our Application & Security Challenges

• Our Container Journey

• Building an Container Ecosystem

• Learning Secure Application Containers

• Benefits for DevOps and Security

• Our Container Security Maturity Model

• What’s Next


Speakers
avatar for Brian Andrzejewski

Brian Andrzejewski

Information Security Engineer, U.S. Citizenship and Immigration Services (USCIS)
Brian is the lead InfoSec Engineer in the CyberDefense Branch at the United States Immigration Services (USCIS), the world’s largest immigration agency. He leads, engineers, and architects several of USCIS’s security efforts, with his primary focus in application security an... Read More →


Friday September 22, 2017 2:30pm - 3:15pm
Coronado H

2:30pm

How To Approach InfoSec Like a Fed(eral Auditor)

For more than a decade, independent arms of the federal government have published application and hardware security standards that only a minor subset of the InfoSec community has a true grasp on. The Federal Information Processing Standard (FIPS) 140-2 contains 11 comprehensive security requirement areas, and the National Information Assurance Directive (NIAP) has created Common Criteria Protection Profiles for Network Devices and Applications that address many of the security threats and design issues that are still persistent today. These standards take a detailed and secure-by-design approach to security that could be hugely beneficial to engineers and system architects beginning to design new systems. Yet, because of the dense and academic style of these standards, many are only vaguely aware of them, seeing them only as a headache forced onto them by sales managers as development is wrapping up.

 

For three years I worked to formally validate products against these standards, and recently I’ve made the switch to application security assessment where I see many product teams entirely unaware of these practices and standards. This talk aims to cherry-pick the crucial security requirements and principles in these standards and present them in an easily understandable format for development teams, product architects, and security engineers. My goal is to improve your security throughout development and reduce risk for both your customers and company.

 

I will start by briefly discussing the standards themselves and the context in which they were created and still apply.

Next, I will dive into detail on 5 major security principles that are seen throughout these standards. As I discuss these I will include examples and my observations on how they are currently implemented in the industry.

1. Define the security boundary

2. Create a functional specification

3. Prove that the boundary and services protect Critical Security Parameters

4. Protect all network traffic using SSH, TLS, or IPsec

5. Prove the strength of your entire cryptographic stac

Speakers
avatar for Scott Cutler

Scott Cutler

Application Security Engineer, Aspect Security
I became interested in InfoSec when I attended DefCon in 2004. I got a degree in Information and Computer Science from UC Irvine in 2009. After paying my bills by doing QA testing and DevOps, I got my first job in information security performing FIPS and Common Criteria evaluatio... Read More →


Friday September 22, 2017 2:30pm - 3:15pm
Fiesta 6

3:30pm

Crafting the next-generation Man-in-the-Browser Trojan

Current Man-in-the-Browser (MITB) trojans like Trickbot or Dridex are pretty much similar to first generation bots like Zeus or Zbot. They all include a list of targets and corresponding webinjects and still offer essentially the same features such as keylogging, form-data harvesting, and remote control (RAT) capabilities.

 

Today, we are seeing a number of client-side defense proposals being rushed through the standardization process, such as CSP, Subresource Integrity and HPKP. In part, these standards are a response to the permissiveness of the browser against injection attacks.

We argue that it is important to understand how effective these standards can be against MITB attacks specifically and anticipate how attackers will evolve the MITB trojans in an attempt to defeat those defenses.

 

In this talk, based on our work, we fast-forward to a not so distant future of MITB attacks by demoing a home grown MITB trojan that: 1) is resistant to a number of current defenses by tampering with headers and by exploiting JavaScript code polymorphism; 2) holds capabilities that range from credential and data leakage to website hijacking. We'll also cover approaches to defeat these next-gen trojans by employing similar code attacking techniques and demoing how to detect and react to these trojans.

 

This talk is organized in four sections: 1) Man-in-the-Browser (MITB) evolution, 2) Client-side defenses, 3) Crafting the next-gen MITB trojan, and 4) Conclusions and future work.

 

In the first section, we will present a quick chronological evolution of MITB trojans. We will review important concepts like Browser Helper Objects (BHO), Web Injects, Form Grabbing, Stored data exfiltration, keylogging, etc. Most of these concepts are still relevant as current generation MITB trojans are still very similar to first generation bots like Zeus.

We will focus on some capabilities that were added to trojans to bypass defenses. Even though through the years, they evolved very little, we have seen some trojans moving from static to dynamic webinjects, allowing the attack to adjust to the rollout of new defenses; we have seen them become more resilient to AVs and to static and dynamic analysis; employing Domain Generation Algorithms (DGA) to remain connected with their C&Cs; and even trojans that are able to tamper with HTTP headers (e.g. Tinba). Other traits such as the use of reverse connections via proxy and Remote Access (RAT) capabilities will be covered too.

 

In section 2, we will cover a number of different defense mechanisms/techniques - some of which are still being standardized - such as Content Security Policy (CSP), Subresource Integrity, JavaScript Sandboxing, WAFs, User behavior analytics and Device Fingerprinting. We will discuss how effective they can be against current MITB attacks and where they fall short. We will draw strategies that can be followed by MITB trojans to defeat or bypass these defenses/techniques.

 

In section 3, we will dive into the goodies. We will present the capabilities we have designed using a modified implementation of Zeus. These capabilities include HTTP header manipulation, to for instance defeat CSP and other types of defenses based on HTTP headers; the use of metamorphic and polymorphic JavaScript, to avoid detection; etc. We will also explore advanced scenarios like the use of HPKP suicide attacks conveyed by MITB trojans. A demo of our Trojan will be shown at this point.

 

In section 4, the discussion will move on to identify the strategies that can be followed to fight our bot. We will give our opinion on where the appsec community needs to focus next, in order to be prepared for more sophisticated MITB attacks. We’ll draw our conclusion and present our ideas for future work.



Speakers
avatar for Pedro Fortuna

Pedro Fortuna

CTO, Jscrambler
Pedro Fortuna is CTO and Co-Founder of Jscrambler where he leads the application security research activities and lays out the technical vision for all the products developed by the company. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services... Read More →


Friday September 22, 2017 3:30pm - 4:15pm
Coronado L

3:30pm

Building Secure ASP.NET Core MVC Applications

Building secure applications is a difficult task, especially in combination with building it based on a new application framework. ASP.NET Core is a new open-source and cross-platform framework completely rewritten from scratch. It can run on Windows, Mac and Linux and the framework moved to a more modular based approach which gives more flexibility when creating solutions with it.

How secure is ASP.NET Core by default? Do the API’s help the developer out doing a good job or is a mistake easily made? In this session, we're going to investigate how ASP.NET Core MVC deals with the above questions related to e.g. Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) issues. We’re also going to extend it and adapt new web standards and see how we can validate an existing solution for the problems we’ve identified.



Speakers
avatar for Niels Tanis

Niels Tanis

Security Researcher, Veracode
Niels Tanis has got a background in .NET development, pentesting and security consultancy. He also holds the CSSLP certification and has been involved in breaking, defending and building secure applications. He joined Veracode in 2015 and right now he works as a security research... Read More →


Friday September 22, 2017 3:30pm - 4:15pm
Coronado J

3:30pm

Beyond Takeover – Attacker’s in. Now what?

We have been conducting ongoing research on the dynamics of credential theft. Our intent was to learn about how accounts are being taken over once credentials are compromised through a Phishing campaign. It is a "victim's POV" approach to Phishing research that has not been taken to date.

In our "beyond takeover" research, we maintained 57 fake identities through a period of 6 months in platforms well-known as phishing targets like Google and Facebook. We invited attackers in by admitting the credentials of these accounts to selected phishing campaigns and traced the activity of the attackers in the accounts.

In this session, we will share our findings from this research. We will present takeover stories and some statistics for interesting questions. After falling into a phishing trap and giving one's password to a fake site, how long does is take until someone will actually get into his or her account for the first time? What does the attacker look for in the hacked account? Where do they look first and which decoys attract their attention? Which security practices do attackers use when sniffing out a hacked account (hiding their geo-location or covering their tr



Speakers
avatar for Itsik Mantin

Itsik Mantin

Director of Security Research, Imperva
Mantin is a Director of Security Research at Imperva, leading research on cyber threats and innovative security technology. | Over the last 17 years Mantin has been researching, innovating and problem solving in various security-related domains, including cyber threats on data... Read More →


Friday September 22, 2017 3:30pm - 4:15pm
Coronado K

3:30pm

Practical Dynamic Application Security Testing within an Enterprise

The incorporation of DevOps within a large enterprise is generally accomplished through strategic planning on the organizational level. Having a common pipeline for Continuous Integration (CI) and Continuous Deployment (CD) can enhance the security posture of an application and enable organizations to rapidly release applications into production. However, the insertion of application security in the pipeline is only one step of a multidimensional application security approach.

 

In this presentation, we will describe our implementation of two complementary methods, which have allowed us to provide the scalability and coverage required in order to meet the needs of a large enterprise. The first method utilizes a tool written in Java to allow for easy integration with your build. We will demonstrate how to deploy and use a dynamic scanner within a Continuous Integration (CI) and Continuous Deployment (CD) pipeline. The second method leverages the data collected from analytic tools such as Splunk, LogStash, Tealeaf and SiteCatalyst. Through the utilization of containers, we will demonstrate how a RESTful API service can be implemented to perform a quick analysis of applications to ensure basic security requirements are met on a large scale. An example will be presented utilizing a RESTful API service to enhance our continuous scanning platform with multiple scanning technologies.

 

Implementing these solutions has transformed the way we assess our applications. Using the first method we were able to present a dynamic scanning solution to all of our applications that support automated regression testing. Our second method has enabled us to effortlessly scan over 2000 urls in less than 2 hours to provide a quick look at the security of all of our exposed urls. It is essential to put security on the forefront of organizational structure and to ensure that dynamic analysis is part of all build cycles



Speakers
avatar for Nicholas Doell

Nicholas Doell

Senior Application Security Engineer, Verizon
Nicholas Doell is a senior application security engineer at Verizon. He received his M.Sc. degree in System Security Engineering from Stevens Institute of Technology in 2012 and has nine years of experience working in multiple security fields. He has a passion for web and mobile... Read More →
avatar for Nicholas Kenney

Nicholas Kenney

Application Security Engineer, Verizon
Nicholas Kenney is an application security engineer at Verizon. He received his B.Sc. degree in Computer Science from East Stroudsburg University in 2012 and has worked in IT for 7 years. Nick started out working as a freelance web developer while in college, until being hired b... Read More →


Friday September 22, 2017 3:30pm - 4:15pm
Coronado H

3:30pm

An Agile Framework for Building GDPR Privacy and Data Protection Requirements into SDLC

The consequences of not complying with the requirements of General Data Protection Regulation (GDPR) is immense for all international data processors. The fines and penalties even for small companies can be as high as 20 million EUR, and GDPR requires data protection by design and by default. Most IT companies do not have in-house expertise to identify the required features for full compliance. This work provides a valuable vendor and technology-agnostic toolkit for building GDPR-complaint software with minimum cost and effort. The toolkit is based on a tag-based approach for identifying required features and tasks. After reviewing various privacy regulations, including GDPR, and coding their content, we arrived at a set of tags that fully capture the principles and notions of privacy requirements relevant to software development, deployment and operation. The tags are organized in 14 classes and include sub-tags, and variants. Any list of privacy and security controls can be evaluated using these tags to ascertain if they adequately enable the desired level of privacy. As a case study we will develop the first publicly available agile scrum template, using the proposed tagging system, for the development of an IoT system that transmits private information across the international borders. The tagging system and the approach could be easily customized for any other agile methodology and framework. The talk will expand on some of the recent stories and case studies of how missing the tags can create non-compliance and as a result, huge liability.



Speakers
avatar for Farbod H Foomany

Farbod H Foomany

Senior Security Researcher (Tech. Lead), Security Compass
Farbod H Foomany is a senior application security researcher (technical lead) at security compass. He has a bachelor degree in electrical engineering (control systems), Masters degree in artificial intelligence and robotics, and has completed a PhD with main research on security... Read More →
avatar for Mina Miri

Mina Miri

Application Security Researcher, Security Compass
Mina has several years of experiences in IT field and is particularly attuned to the need of enterprise level software which demands dependability and well-developed security characteristics. She has Masters in IT Security and a Bachelor degree of engineering in IT Business. In... Read More →


Friday September 22, 2017 3:30pm - 4:15pm
Fiesta 6

4:30pm

Passport Program Raffle
Friday September 22, 2017 4:30pm - 5:00pm
Veracruz C

4:30pm

Afternoon Coffee Break
Friday September 22, 2017 4:30pm - 5:00pm
Veracruz C

5:00pm

KeyNote - Tony UcedaVelez: Fixing Broken Enterprise Threat Models w/ OWASP Measures: Commissioning AppSec Professionals for Real Change

Global organizations have been working off of a broken or non-existent threat model. Distracted with compliance, plagued with undefined attack surfaces, a deluge of inoperable threat intel, risk distortions, and made complacent by a sea of controls, *Sec practitioners should feel compelled to reboot their approach.  This talk will exemplify how key OWASP projects can truly bootstrap the smallest of *Sec groups to make a measurable impact to applying security through measurable technology in lieu of security smokescreens that plague our industry.  Come hear an OWASP commission for change and hear how an OWASP security mesh can exemplify a model that can be imitated by audience members to apply to their own respective security programs and overall companies. 


Speakers
avatar for Tony UcedaVelez

Tony UcedaVelez

CEO, VerSprite
Tony UcedaVélez is CEO at VerSprite, an Atlanta based security services firm assisting global multi-national corporations on various areas of cyber security, secure software development, threat modeling, application security, security governance, and security risk management. Ton... Read More →


Friday September 22, 2017 5:00pm - 5:45pm
Coronado L

5:45pm

Closing Note
Friday September 22, 2017 5:45pm - 6:00pm
Coronado L