AppSec USA 2017 has ended


2-day training
Tuesday, September 19
 

9:00am EDT

Hands On Hardened Web Service Development using ASP.NET (1 of 2 days)

Class Summary: This hands-on, two-day class will help students learn how to write hardened ASP.NET-based web services. Day one will start with the very basics of C# and Visual Studio and progress through a variety of topics as they pertain to web service hardening. On day two, students will dive into standard web service security and end by writing their own secure service for a fictional project. Individuals who meet the requirements and write a working hardened web service are entered into a prize drawing.

 

Syllabus:

1. Day One – Fundamentals

a. Visual Studio – Quick Rundown

i. IDE Basics

ii. C# Hello World

b. Basics of Object Oriented Programming

c. Useful 3rd Party Libraries

i. JSON.NET (Newtonsoft.Json)

ii. PushSharp

iii. BouncyCastle

d. Basic Web Service writing

i. Bindings

ii. Database design (quick tutorial)

iii. SOAP Services

iv. RESTful Services

e. Basic Service Security

i. Response Encapsulation

ii. Input validation and Sanitizing

iii. XXE, SQLi, and XSS Mitigation

f. Transport Security

i. SSL

ii. Binding Parameters

g. Message Security

i. Credential Types

ii. Encryption

iii. Certificates

2. Day Two – Intermediate Service Security

a. Replay Attacks

b. Cross Site Request Forgery

c. WS-Security (SOAP Services)

d. Signature Based Security (RESTful Services)

e. Performance and usability vs Security

f. Afternoon Hardened Web Service Development

 

Experience: This would be the first class I've taught on a national scale. I've taught people individually on both coding and penetration testing. I served as an adjunct teacher while in high school and in college.

 



Speakers

Kelly Correll

Security Consultant, NTT Security
I work as a security consultant in NTT Security's Threat Services group. As part of my duties, I perform penetration assessments and social engineering assessments. I also own my own business developing business applications using ASP.NET based technologies. When I'm not working...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Fiesta 10

9:00am EDT

Hands-on Security in DevOps and Application Security Automation Workshop (1 of 2 days)

After immensely successful workshops in the Bay Area, Bangalore and at AppSecEU 2017, and a record, sold-out workshop at OWASP AppSecUSA 2016 in Washington D.C., we bring you a new avatar of the Hands-on Security in DevOps workshop, this time with focused content on Application Security Automation.

 

Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in changing environments. There is one major problem in this entire chain, and that is application security.

 

While your product may be rapidly delivered to customers, application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL injection and Cross-Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

 

This is why you need SecDevOps: a practical, repeatable and scalable way to deliver application security to your product across the Agile and DevOps lifecycle. In this workshop you will receive hands-on training on how to implement scalable and effective security for rapid-release applications. The workshop is hands-on throughout and covers the following, among other topics:

 

• Static Application Security Testing - integrated with Continuous Integration services

• Rolling out custom SAST – using Abstract Syntax Trees and regular expressions

• Customized security automation scripting framework with Continuous Integration

• Creating specialized Application Security Testing scripts to be integrated with existing test suites

• Performing automated, authenticated and parameterized vulnerability assessments against web apps and web services using tools like ZAP and w3af

• Automation scripting for application security vulnerability scanners – OWASP ZAP custom scripts – active scanning, HTTPSender, proxy scripts, with an introduction to Zest scripts; mitmproxy inline scripting

• An introduction to Behavior Driven Security Testing

• Parameterized security testing for web services using the OpenAPI Specification

• Security in configuration management and Continuous Deployment

• Security practices and considerations for Docker deployments

• Creating security configuration management "Infrastructure as Code" and validation scripts – using Ansible

• Practical threat modeling in an Agile and DevOps world

 

 



Speakers

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Acapulco

9:00am EDT

Mobile App Attack (1 of 2 days)

 

This full-fledged hands-on training will get attendees familiar with Android and iOS application analysis techniques and with bypassing the existing security models on both platforms.

 

The main objective of this training is to provide a proper guide to how mobile applications can be attacked, an overview of how some of the most important security checks are applied in applications, and an in-depth understanding of those checks.

 

The workshop ends with a CTF challenge designed by the trainer, in which attendees use the skills learnt during the workshop to solve it.

 

This training will mainly focus on the following:

 

> ARM basics and Android native code.

> Reverse engineering Dex code for security analysis.

> Jailbreaking/rooting the device, and various techniques to detect a jailbroken/rooted device.

> Runtime analysis of apps by active debugging.

> Modifying parts of the code (a part may be a function or a class) and detecting such modification: we will learn how to find and calculate the checksum of the code. Our objective in this section is to reverse engineer an application, obtain its executable binaries, modify those binaries as required, and re-sign the application.

> Runtime modification of code. The objective is to learn how programs can be changed or modified at runtime: we will learn how to perform introspection or override the default behaviour of methods at runtime, and then how to identify whether methods have been changed. For iOS we can make use of tools such as Cycript and Snoop-it.

> Hooking an application and learning to perform program/code modification.

> At the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, in which attendees use the skills learnt in the workshop to solve them. The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.
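The checksum-based tamper check mentioned above, as an added example that is not part of the trainer's course material: a Python script that hashes the dex entries of an APK-shaped zip and then shows the attacker workflow of unpacking, patching and repacking being caught by the check. The APK contents, the class name `LicenseCheck` and the digests are constructed placeholders, not taken from any real app.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample, not a real application: placeholder bytes standing in
# for classes.dex. Real dex bytecode is not needed to demonstrate the check.
ORIGINAL_DEX = (
    b"dex\n035\x00"                       # dex magic, as a recognisable header
    + b"\x00" * 32
    + b"Lcom/example/app/LicenseCheck;"   # hypothetical class an attacker would patch
    + b"\x00" * 32
)


def build_apk(dex_bytes: bytes) -> bytes:
    """Pack an APK-shaped zip (APKs are zip archives) around the given dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("classes.dex", dex_bytes)
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return buf.getvalue()


def code_digests(apk_bytes: bytes) -> dict:
    """SHA-256 of every classes*.dex entry, keyed by entry name.

    Hashing the decompressed dex entries rather than the whole archive keeps
    the result stable across re-zipping (different compression, timestamps,
    signature files) while still catching any change to executable code.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                digests[name] = hashlib.sha256(z.read(name)).hexdigest()
    return digests


# What a build pipeline would compute and bake into the shipped app. An
# attacker who repackages the app can patch this constant as well, which is
# why such checks are paired with the runtime-hooking detection the course covers.
EXPECTED_DIGESTS = code_digests(build_apk(ORIGINAL_DEX))


def is_tampered(apk_bytes: bytes) -> bool:
    """True when the code entries no longer match the build-time digests."""
    return code_digests(apk_bytes) != EXPECTED_DIGESTS


def repackage(apk_bytes: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker workflow in miniature: unpack, patch the dex, repack.

    Re-signing with the attacker's key is omitted; it does not change the
    dex bytes, so the digest check behaves the same either way.
    """
    if len(old) != len(new):
        raise ValueError("patch must keep the dex size and offsets intact")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex = z.read("classes.dex")
    if old not in dex:
        raise ValueError("pattern not found in classes.dex")
    return build_apk(dex.replace(old, new))


if __name__ == "__main__":
    genuine = build_apk(ORIGINAL_DEX)
    patched = repackage(genuine, b"LicenseCheck", b"AlwaysValid_")
    print("genuine tampered?", is_tampered(genuine))   # False
    print("patched tampered?", is_tampered(patched))   # True
```

On a device the same comparison would run inside the app against a digest embedded at build time; the script only shows why the digest is taken over the dex entries and not over the archive, and why the check alone is not enough once the attacker controls the binary.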

 

NOTE:

The tools and techniques used in the workshop are all open source, and no special proprietary tools need to be purchased by attendees for analysis after the training. Some of the tools taught in the training will be helpful for analysis and for automating test cases for security testing of mobile apps:

 

Drozer

Introspy

Apktool

dex2jar

Cycript

JD-GUI

SSL TrustKiller


Speakers

Sneha Rajguru

Payatu Software Labs LLP
India


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Fiesta 7

9:00am EDT

Open Source Defensive Security (1 of 2 days)

Open Source Defensive Security Training is an Open Source IT security laboratory dedicated to professionals who need to close the gaps in their Linux, web application and Open Source security knowledge. Very detailed and up-to-date course content, with a focus especially on the defensive approach, gives you the best opportunity for building stronger defensive layers inside your network infrastructure and/or Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on labs provides the very practical knowledge you need to expand your Linux security skills.

This is an extremely deep-dive training on Open Source-based infrastructure security and the hardening of Linux systems and network services. We like details, as attackers do, and those details make the difference between the offensive and the defensive approach. That's how we see it working. Our workshop has a unique "protection vs attack" formula: most of the security issues we talk about are then effectively protected against through a suitable approach, sophisticated software and a dedicated secure configuration. We focus on delivering defensive content, but we understand that to be good at defense you also have to be good at offense, so we provide a mix of knowledge in both fields using Open Source software. Apart from basic Linux skills and TCP/IP knowledge, most of the lab exercises require of the candidate at least a basic understanding of attacker techniques. We strongly believe that only a mix of broad, systematic defensive and offensive security knowledge can guarantee secure solutions. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."

The workshop has prepared the following example laboratory scenarios:
● Web application security vs OWASP Top 10 attack techniques and others
● Grsecurity/PaX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from the past few years (PERF_EVENTS, ptrace/sysret, mempodipper, semtex, sendpage, chroot() escape, Dirty COW, others)
● seccomp/capabilities/namespaces vs exploits
● SELinux vs exploits (Redis command execution, VENOM, Apache)
● Volatility vs rootkits
● Secure SSH relays and the importance of the least-privilege rule
● System user accountability, including root
● Linux Domain Controller
● Using sysdig/SystemTap for detecting deviations in the behavior of daemons and services
● Network packet filtering including Tor, ipsets, IP reputation, port knocking
● Network honeypots vs scanning tools and obstruction of the enumeration process
● PCAP analysis and Deep Packet Inspection vs malware
● Sandboxing for malware detection and deep analysis (Cuckoo, YARA) and others

Target:
● Linux administrators & System Architects
● IT Security professionals
● Penetration testers
● IT Security consultants and Open Source specialists

Thanks to this training you will:
● learn techniques to protect your Linux systems against the attacks used by modern attackers
● find out how you can protect Linux servers and web applications against real attacks
● learn how to use dozens of solutions and security tools in both offensive and defensive scope
● configure several advanced solutions to reduce the success of an attack or minimize the risk of a vulnerability being exploited

True values:
● real-life, 100% pure lab-oriented defensive security scenarios
● minimum theory, maximum hands-on
● a lot of accumulated knowledge in one place
● created by enthusiasts and professionals for professionals with enthusiasm

Agenda:

1. Threats are everywhere - introduction to technical Open Source Defensive Security program.

2. Web application security -> hardened reverse proxy -> ModSecurity vs HTTP security issues:
● Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHP-Nuke, Joomla, Drupal, phpMyAdmin, osCommerce, Magento, WordPress, dotProject and others
● Authorization and authentication: CAS SSO, OAuth, SAML (Ipsilon), federation, Basic / Digest auth, SSL authentication, LDAP authorization, SAML-based mod_auth_mellon, Kerberos-based mod_auth_kerb, login-form-based mod_intercept_form_submit, mod_lookup_identity, mod_pubcookie
● HTTPS – how to achieve an A+ rating:
○ Attacks:
■ Heartbleed
■ BREACH
■ DROWN
■ BEAST
■ POODLE
■ MITM: sslstrip
○ Mutual SSL
● Security headers and browser mechanisms: Content Security Policy (CSP), Same Origin Policy (SOP) / Cross-Origin Resource Sharing (CORS), X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, HTTP Strict Transport Security (HSTS), HPKP, Subresource Integrity, per-page suborigins, Fetch API, Service Workers, PFS
● Cookies: Secure, HttpOnly, Domain, Path, SameSite, Clear-Site-Data, Feature Policy, first-party cookies
● HTTP header anomalies, virtual patching
● Full HTTP auditing
● Lua/OpenResty support
● Sensor approach - OWASP AppSensor
● Web application security using ModSecurity - creating dedicated WAF rules against:
■ Injection (all types)
■ Null bytes
■ Path/directory traversal
■ LFI/RFI -> command execution
■ Cross-Site Scripting (XSS)
■ Cross-Site Request Forgery (CSRF)
■ HTTP Parameter Pollution (HPP)
■ Open redirect
■ Insecure Direct Object Reference vs HMAC
■ Forceful browsing
■ CSWSH - Cross-Site WebSocket Hijacking
■ Session security
■ Brute force
■ Slow DoS
■ Geo restrictions
■ Error handling
■ Leakage detection
■ Secure file upload
■ Secure logout / forgot-password form
■ Web honeypots
■ Bot/scan protection
■ AV protection
■ PHP security
■ Tomcat security
■ Tools:
● sqlmap, sqlninja
● XSSer
● DOMinator
● skipfish
● ZAP / Burp
● Wafdetect
● JoomScan, WPScan
● DirBuster, dirb
● Nikto
● JSDetox
● Brakeman
● and others

3. Hardened Linux vs exploits/rootkits:
● Discretionary Access Control (DAC) vs Mandatory Access Control (MAC)
● Grsecurity / PaX
● SELinux / Multi-Category Security / sVirt
● AppArmor, TOMOYO, Smack, RSBAC
● GCC hardening: SSP, NX, PIE, RELRO, ASLR vs attacks
● Linux containers - Docker/LXC
● LKM-off / YAMA / enforcing
● Linux capabilities vs SUID and others
● System call restriction - seccomp
● Integrity checking - IMA/EVM
● Package management security
● Debuggers and profilers - gdb/strace/ldd/Valgrind/YARA
● chroot/jail/pivot_root
● Behavioral analysis - SystemTap / LTTng / sysdig
● Memory forensics - Volatility vs malware
● PAM / 2FA
● System update vs reboot
● *privchecks

4. Network security:
● Vulnerability scanning:
○ Nmap NSE
○ Seccubus
○ OpenVAS
○ Metasploit
● Linux Domain Controller - IdM/HBAC/sudo
● SFTP/SCP - secure SSH relay
● Restricted shells/commands
● SSH tips and tricks
● Public Key Infrastructure - SSL/TLS
● NFS security
● Database security
● DNS security
● Mail security
● DoS / scanning / brute-force protection techniques
● Advanced network firewall: iptables/nftables/ebtables
● System honeypots
● Network traffic analysis - Wireshark, scapy / tcpdump / tcpreplay
● Suricata / Bro IDS / Snort / SELKS vs known malware and attacks:
     ○ Metasploit,
     ○ PtH,
     ○ Heartbleed,
     ○ Shellshock and others
● Security by obscurity

5. System auditing, integrity & accounting:
● *syslog
● auditd
● OSSEC / Samhain / AIDE
● SIEM: Splunk/ELK/OSSIM/osquery

6. Summary: offense vs defense


Speakers

Leszek Mis

VP of Cyber Security / IT Security Architect, Collective Sense / Defensive Security
Leszek Miś has over 12 years of experience in IT security technology, supporting the largest companies and institutions with implementation, consulting and technical training. Next to that, he has 8 years of experience in teaching and transferring technical knowledge and experience...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Fiesta 8

9:00am EDT

Practical DevOps Security and Exploitation (1 of 2 days)

Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class has been created as a result of our many pentest engagements in which we have exploited vulnerabilities in the various systems supporting CI/CD during an organisation's DevOps transition. The class covers hands-on techniques to both exploit and defend the various systems that support the target CI/CD architecture.

This class takes a practitioner's approach to breaking, exploiting and securing systems owned by DevOps teams, thus enabling them to move towards DevSecOps. Some of the topics we will cover are exploiting various tools from the CI/CD landscape such as Jenkins, Git and multiple cloud instances, practical security issues in Docker instances, and setting up your DevSecOps architecture.

This training covers different CI/CD tools from a pentester's perspective, and each tool will be covered as below:

  • Code Versioning Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting the product features
    • Finding existing exploits or implementation loopholes
    • Identifying historically stored sensitive information
    • Hardening and securing guidelines
  • Orchestration Tools (Ansible, SaltStack etc.)
    • Exploiting access rights and configuration mistakes
    • Use of orchestration tools to mass-deploy exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise the orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and vulnerability assessment
    • Risks involved with plugins
    • Exploiting the most common configuration mistakes
    • Breaking the boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain
    • Guidelines to avoid security issues with the integration of various CI/CD tools
  • Container Platforms (Docker, Kubernetes etc.)
    • Pentesting and vulnerability assessment
    • Exploiting the most common configuration mistakes
    • Guidelines with respect to microservices to avoid bloating containers with superuser access rights
  • Security in the Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management portals
    • Planning the right network architecture with the use of VPCs and VPNs
    • Securing instances by running only the required services
    • Configuring instances at boot time to remove unwanted software or upgrade to stable software versions with no known vulnerabilities
    • Using access tokens and cloud APIs to regularly rotate keys/passwords

This is an action-packed class with over 20 labs covering a number of attacks, vulnerabilities and exploitation tactics.

Deliverables:

  • Lab handouts with ready-made scripts for use
  • Printed commands cheatsheet
  • VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs

After the training, attendees will be able to:

  • Identify vulnerabilities in the implementation of CI/CD instances
  • Find and craft publicly available exploits to compromise the CI instance
  • Address configuration-related vulnerabilities
  • Abuse the Jenkins script console
  • Create an attack surface map of the entire architecture
  • Implement the use of password vaults
  • Write build jobs that can enable privileged access to the target system and steal sensitive values
  • Abuse Git history, and fix/prevent the problems using Git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform Docker breakouts
  • Audit the different tools used in the CI/CD chain
  • Apply guidelines for centralized authentication and authorization
  • Design secure cloud architectures

Minimum Requirements:

  • Laptop with Windows/Linux/macOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space
  • Modern CPU, 2.2 GHz or more, with virtualization support
  • Wi-Fi enabled for network access
  • 1 USB 2.0 port
  • Capability to run VirtualBox/VMware virtual machines
  • Administrative rights on the laptop to install required software packages

 

 


Speakers

Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years' experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, log analysis and monitoring, and mobile and web application exploitation. He is also an...

Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with the integration of various tools. For the last couple of years I have been working at multiple small startups and established organisations to set up the different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Cancun

9:00am EDT

Practical Hands-on Internet of Things Hacking - 2017 Edition (1 of 2 days)

Practical Hands-on Internet of Things Hacking is an updated version of our previous year's class run at OWASP AppSec USA. We received great feedback on the class and decided to take it a step further and redesign the course from the ground up, including tons of new material: medical utilities, smart locks, smart home systems, newer radio protocols, advanced exploitation techniques, new exercises on BLE and lots more.

 

Practical Hands-on Internet of Things Exploitation is the course for you if you would like to perform real-world pentests on IoT and smart devices. This new version of the course takes a practitioner's approach, focusing on how to deal with IoT devices in a real-world scenario and not just from a research perspective.

 

Some of the things we will perform (in an extremely hands-on manner) in this training are:

 

[+] Attacking IoT devices through hardware and embedded exploitation techniques

[+] Firmware reversing, emulation and binary exploitation

[+] Hands-on labs on serial interfaces - UART, SPI and I2C

[+] JTAG debugging, exploitation and advanced techniques for extracting data

[+] Sniffing BLE, Zigbee and other radio communications

[+] Writing your own GNU Radio processing blocks to decode radio information

[+] Taking over smart home systems

[+] Remote and Local Exploitation for IoT devices

[+] Attacking a smart home and smart enterprise network

And much more.

 

Want to learn how to attack an IoT infrastructure or individual devices? You will walk out of the 2-day class having learnt new skills that you can immediately apply in your job or research role. Come join the course and experience the fast-paced, action-packed IoT Exploitation class.

 

Note: There is an additional $200 fee for the IoT hacking kit, which includes Attify Badges and a custom vulnerable IoT device prepared by us, an author-signed copy of the IoT Hackers Handbook, and additional utilities for other IoT exploitation techniques.



Speakers

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...


Tuesday September 19, 2017 9:00am - 5:00pm EDT
Fiesta 9

9:00am EDT

Whiteboard Hacking aka Hands-on Threat Modeling (1 of 2 days)

Toreon proposes a two-day, trainer-led, on-site threat modeling course. The training material and hands-on workshops with real live use cases are provided by Toreon. Students will be challenged to perform practical threat modeling in groups of 3 to 4 people, covering the different stages of threat modeling on:

• A hotel booking web and mobile application, sharing the same REST backend

• An Internet of Things (IoT) deployment with an on premise gateway and secure update service

• An HR services OAuth scenario for mobile and web applications

 

This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (Wiley, 2014).

 

This training was delivered successfully at OWASP AppSec Europe 2016 and was selected for OWASP AppSec Europe 2017 and Black Hat USA 2017. More details and the outline of the training are available in the attached syllabus.

 



Speakers

Tuesday September 19, 2017 9:00am - 5:00pm EDT
Baja
 
Wednesday, September 20
 

9:00am EDT

Hands On Hardened Web Service Development using ASP.NET (2 of 2 days)

Speakers

Kelly Correll

Security Consultant, NTT Security


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Fiesta 10

9:00am EDT

Hands-on Security in DevOps and Application Security Automation Workshop (2 of 2 days)

Speakers

Abhay Bhargav

Founder, we45


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Acapulco

9:00am EDT

Mobile App Attack (2 of 2 days)

This full-fledged hands-on training will familiarize attendees with the various Android and iOS application analysis techniques and with bypassing the existing security models on both platforms.

The main objective of this training is to provide a proper guide to how mobile applications can be attacked, an overview of how some of the most important security checks for applications are applied, and an in-depth understanding of these security checks.

The workshop will also end with a CTF challenge designed by the trainer, in which attendees use the skills learnt during the workshop to solve it.

This training will mainly focus on the following:

> ARM basics and Android native code.

> Reverse engineering Dex code for security analysis.

> Jailbreaking/rooting the device, and the various techniques used to detect jailbreak/root.

> Runtime analysis of apps by active debugging.

> Modifying parts of the code (any part, such as specific functions or classes) and detecting such modification: we will learn how to find and calculate the checksum of the code. Our objective in this section is to learn how to reverse engineer an application, obtain its executable binaries, modify those binaries accordingly, and resign the application.

> Runtime modification of code. The objective is to learn how programs/code can be changed or modified at runtime. We will learn how to perform introspection, or override the default behavior of methods at runtime, and then how to identify whether methods have been changed. For iOS we can make use of tools such as Cycript and snoop-it.

> Hooking an application and learning to perform program/code modification.

> By the end of the workshop, CTF challenges written by the trainer and based on the course content will be launched, in which attendees use the skills learnt in the workshop to solve them. The workshop will begin with a quick overview of the architecture, file system, permissions and security model of both the iOS and Android platforms.

 

NOTE:

The tools and techniques used in the workshop are all open source; no special proprietary tools need to be purchased by attendees for analysis after the training. Some of the tools taught in the training will be helpful for analysis and for automating test cases when security testing mobile apps:

 

Drozer

Introspy

Apktool

Dex2jar

Cycript

JD-Gui

SSL Trust killer


Speakers
Sneha Rajguru

Payatu Software Labs LLP
India


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Fiesta 7

9:00am EDT

Open Source Defensive Security (2 of 2 days)
Open Source Defensive Security Training is an Open Source IT Security laboratory dedicated to professionals who need to close the gaps in their Linux, web application and Open Source security knowledge. Very detailed and up-to-date course content, with a focus especially on the defensive approach, gives you the best opportunity to build stronger defensive layers inside your network infrastructure and/or Linux-based products. Delivering real-world scenarios in our Open Source Defensive Security hands-on labs provides the very practical knowledge you need to expand your Linux security skills.

This is an extremely deep-dive training on Open Source-based infrastructure security and on hardening Linux systems and network services. We like details as much as attackers do, and those details make the difference between the offensive and the defensive approach. That's how we see it working. Our high-tech workshop has a unique formula, "protection vs attack". This means that most of the security issues we talk about will be effectively protected against by the use of a suitable approach, sophisticated software and dedicated secure configuration. We focus on delivering defensive content, but we understand that to be good at defense you also have to be good at offense. That is why we provide a mix of knowledge in both fields using Open Source software. Besides basic Linux skills and TCP/IP knowledge, most of the lab exercises require of the candidate at least a basic understanding of attacker techniques. We strongly believe that only a mix of broad, systematic Defensive and Offensive Security knowledge can guarantee secure solutions. As Sun Tzu said: "Know your enemy and know yourself and you can fight a hundred battles without disaster."

The workshop has prepared the following examples of laboratory scenarios:
● Web Application Security vs OWASP Top 10 attack techniques and others
● Grsecurity/PaX/GCC hardening vs Linux kernel and userspace exploitation using vulnerabilities from recent years (PERF_EVENTS, ptrace/sysret, Mempodipper, semtex, sendpage, chroot() escape, dirty_cow, others)
● Seccomp/capabilities/namespaces vs exploits
● SELinux vs exploits (Redis Command Execution, Venom, Apache)
● Volatility vs rootkits
● Secure SSH relays and the importance of the least-privilege rule
● System user accountability, including root
● Linux Domain Controller
● Using sysdig/SystemTap for detecting deviations in the behavior of daemons and services
● Network packet filtering including Tor, ipsets, IP reputation, port knocking
● Network honeypots vs scanning tools and obstruction of the enumeration process
● PCAP analysis and Deep Packet Inspection vs malware
● Sandboxing for malware detection and deep analysis (Cuckoo, YARA) and others

Target: 
● Linux administrators & System Architects 
● IT Security professionals 
● Penetration testers 
● IT Security consultants and Open Source specialists 

Thanks to this training you will:
● learn techniques to protect your Linux systems against the attacks used by modern attackers
● find out how you can protect Linux servers and web applications against real attacks
● learn how to use dozens of solutions and security tools for both offensive and defensive purposes
● configure several advanced solutions to reduce the success of an attack or minimize the risk of a vulnerability being exploited

True values: 
● real life, 100% pure lab-oriented defensive security scenarios 
● minimum theory, maximum hands-on 
● a lot of cumulated knowledge in one place 
● created by enthusiasts and professionals for professionals with enthusiasm 

Agenda: 

1. Threats are everywhere - introduction to technical Open Source Defensive Security program. 

2. Web application security -> hardened Reverse Proxy -> modsecurity vs HTTP security issues: 
● Analysis and practical use of exploits for popular web applications: Jenkins, Zimbra, PHPnuke, Joomla, Drupal, PHPmyadmin, OScommerce, Magento, Wordpress, dotProject and others 
● Authorization and authentication: CAS SSO, OAuth, SAML (ipsilon), Federation, Basic / Digest Auth, SSL authentication, LDAP authorization, SAML based - mod_auth_mellon, Kerberos based - mod_auth_kerb, Login-form based - mod_intercept_form_submit, Mod_lookup_identity, mod_pubcookie 
● HTTPS – how to achieve an A+ rating?:
○ Attacks: 
■ Heartbleed
■ Breach 
■ Drown 
■ Beast 
■ Poodle 
■ MiTM: sslstrip 
○ Mutual SSL 
● Security headers: Content Security Policy, Cross Origin Resource Sharing / Same Origin Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Fetch API, Service Workers, Sub_resource Integrity, Per-page sub-origins, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Same Origin Policy (SOP) / Cross Origin Resource Sharing (CORS), HPKP, PFS 
● Cookies: Secure, HttpOnly, Domain, Path, SameSite, Clear-Site-Data, Feature Policy, First-party cookies
● HTTP header anomalies, virtual patching
● Full HTTP auditing 
● LUA/OpenResty support 
● Sensor approach - OWASP Appsensor 
● Web application security using Modsecurity - creating dedicated WAF rules against: 
■ *Injections 
■ Null bytes 
■ Path/directory traversal 
■ LFI/RFI->Command Execution 
■ Cross Site Scripting (XSS)
■ Cross Site Request Forgery (CSRF) 
■ HTTP Parameter Pollution (HPP)
■ Open Redirect 
■ Insecure Direct Object Reference vs HMAC 
■ Forceful Browsing 
■ CSWSH - Cross Site Websocket Hijacking 
■ Session Security 
■ Brute force
■ Slow DOS 
■ GEO restrictions 
■ Error handling 
■ Leakage detection 
■ Secure file upload
■ Secure logout / forgot password form
■ Web honeypots 
■ Bot/scan protection 
■ AV protection 
■ PHP Security 
■ Tomcat Security 
■ Tools: 
● Sqlmap, sqlninja 
● Xsser 
● Dominator 
● Skipfish 
● ZAP / Burp 
● Wafdetect 
● Joomscan, wpscan 
● Dirbuster, dirb 
● Nikto 
● JSDetox 
● Brakeman 
● And others 

3. Hardened Linux vs exploits/rootkits: 
● Discretionary Access Control (DAC) vs Mandatory Access Control (MAC) 
● Grsecurity / PAX 
● SELinux / Multi Category Security / sVirt 
● Apparmor, Tomoyo, Smack, RSBAC 
● GCC hardening: SSP, NX, PIE, RELRO, ASLR vs attacks 
● Linux Containers - Docker/LXC 
● LKM-off / YAMA / enforcing 
● Linux capabilities vs SUID and others 
● System call restriction - seccomp 
● Integrity checking - IMA/EVM 
● Package mgmt security 
● Debuggers and profilers - gdb/strace/ldd/Valgrind/YARA
● Chroot/jail/pivot_root 
● Behavioral analysis - systemtap / LTTng / sysdig 
● Memory forensics - Volatility vs malware 
● PAM / 2FA 
● System update vs reboot 
● *privchecks 

4. Network security: 
● Vulnerability scanning: 
● Nmap NSE 
● Seccubus 
● OpenVAS 
● Metasploit 
● Linux Domain Controller - IdM/HBAC/SUDO 
● SFTP/SCP - Secure SSH Relay 
● Restricted shells/commands 
● SSH tips and tricks 
● Public Key Infrastructure – SSL/TLS 
● NFS Security 
● Database Security
● DNS Security 
● Mail Security 
● DOS / scanning / brute-force protection techniques 
● Advanced network firewall: iptables/nftables/ebtables 
● System honeypots 
● Network traffic analysis - wireshark, scapy / tcpdump / tcpreplay 
● Suricata / Bro IDS / Snort / SELKS vs known malware and attacks: 
     ○ Metasploit, 
     ○ PtH, 
     ○ Heartbleed, 
     ○ shellshock and others 
● Security by obscurity 

5. System Auditing, integrating & accounting: 
● *syslog 
● Auditd 
● OSSEC / Samhain / aide 
● SIEM: Splunk/ELK/OSSIM/osquery 

6. Summary: offense vs defense

Speakers
Leszek Mis

VP of Cyber Security / IT Security Architect, Collective Sense / Defensive Security
Leszek Miś has over 12 years of experience in IT security technology, supporting the largest companies and institutions with implementation, consulting and technical training. Next to that, he has 8 years of experience in teaching and transferring technical knowledge and experience...


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Fiesta 8

9:00am EDT

Practical DevOps Security and Exploitation (2 of 2 days)

Practical DevOps Security and Exploitation is a brand new and unique class by Attify. This class was created as a result of our many pentest engagements in which we exploited vulnerabilities in the various systems supporting CI/CD during an organisation's DevOps transition. The class covers hands-on techniques to both exploit and defend the various systems that support the target CI/CD architecture.

This class takes a practitioner's approach to breaking, exploiting and securing systems owned by DevOps teams, enabling them to move towards DevSecOps. Some of the topics we will cover are exploiting various tools from the CI/CD landscape such as Jenkins, Git and multiple cloud instances, practical security issues in Docker instances, and setting up your DevSecOps architecture.

This training covers the different CI/CD tools from a pentester's perspective, so each tool will be covered as follows:

  • Code Versioning Systems (Git, GitHub, Bitbucket etc.)
    • Exploiting the product features
    • Finding existing exploits or implementation loopholes
    • Identifying historically stored sensitive information
    • Hardening and Securing Guidelines
  • Orchestration Tools (Ansible, Saltstack etc.)
    • Exploiting the access rights and configuration mistakes
    • Use of Orchestration tools to mass deploy the exploits
    • Finding sensitive information
    • Guidelines to securely configure and organise the orchestration tools
  • Build Servers (Jenkins, Hudson etc.)
    • Pentesting and Vulnerability Assessment
    • Risk involved with Plugins
    • Exploiting most common configuration mistakes
    • Breaking the boundaries with superuser access rights
    • Scheduling vulnerability assessment reports for the CI/CD chain.
    • Guidelines to avoid security issues with integration of various CI/CD tools
  • Container Platform (Docker, Kubernetes etc.)
    • Pentesting and Vulnerability Assessment
    • Exploiting most common configuration mistakes
    • Guidelines with respect to microservices to avoid bloating containers with superuser access rights
  • Security in Cloud (AWS, Google Cloud etc.)
    • Configuration best practices for Identity & Access Management Portals
    • Planning right network architecture with use of VPC and VPN
    • Securing instances by running only the required services
    • Configuring instances at boot time to remove unwanted software or upgrade to stable software versions with no known vulnerabilities.
    • Using access tokens and cloud APIs to regularly rotate keys/passwords.

This is an action-packed class with over 20 labs covering a number of attacks, vulnerabilities and exploitation tactics.

Deliverables:

  • Lab handouts with readymade scripts for use
  • Printed commands cheatsheet
  • VM for pentesting and securing DevOps instances with pre-configured tools and vulnerable labs

After the training, attendees will be able to:

  • Identify vulnerabilities in the implementation of CI/CD instances
  • Find and craft publicly available exploits to compromise the CI instance
  • Address configuration-related vulnerabilities
  • Abuse the Jenkins script console
  • Create an attack surface map of the entire architecture
  • Implement the use of password vaults
  • Write build jobs which can enable privileged access to the target system and steal sensitive values
  • Abuse Git history and fix/prevent the problems using git hooks
  • Create scheduled validation scripts to enforce security best practices
  • Perform Docker breakouts
  • Audit the different tools used in the CI/CD chain
  • Apply guidelines for centralized authentication and authorization
  • Design secure cloud architectures

Minimum Requirements:

  • Laptop with Windows/Linux/MacOS pre-installed
  • 8 GB RAM
  • 40 GB of free disk space.
  • Modern CPU 2.2GHz or more with Virtualization support
  • Wifi Enabled for network access
  • 1 USB 2.0 port
  • Capability to run VirtualBox/VMware virtual machines
  • Administrative rights on the laptop to install required software packages.

 


Speakers
Amol Bhure

Security Researcher, Attify
Amol Bhure leads the Infrastructure Pentesting team at Attify. He has more than 5 years of experience leading corporate pentests and has worked extensively on breaking CI systems, DevOps security, log analysis and monitoring, and mobile and web application exploitation. He is also an...
Suraj Biyani

Infrastructure Security Consultant, Attify
I have several years of experience with the integration of various tools. For the last couple of years I have been working at multiple small startups and established organisations to set up the different CI/CD tools required to support DevOps transformation. Suggesting and implementing industry...


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Cancun

9:00am EDT

Practical Hands-on Internet of Things Hacking - 2017 Edition (2 of 2 days)

Practical Hands-on Internet of Things Hacking is an updated version of our previous year's class run at OWASP AppSec US. We received some great feedback on the class and decided to take it a step further and redesign the course from the ground up, including tons of new material: medical utilities, smart locks, smart home systems, newer radio protocols, advanced exploitation techniques, new exercises on BLE and lots more.

 

Practical Hands-on Internet of Things Exploitation is the course for you if you would like to perform real-world pentests on IoT and smart devices. This "new version" of the course takes a practitioner's approach, focusing on how to deal with IoT devices in a real-world scenario, and not just from a research perspective.

 

Some of the things that we will perform (in an extremely hands-on nature) in this training are:

 

[+] Attacking IoT devices through hardware and embedded exploitation techniques

[+] Firmware reversing, emulation and binary exploitation

[+] Hands-on labs on serial interfaces - UART, SPI and I2C

[+] JTAG debugging, exploitation and advanced techniques for extracting data

[+] Sniffing BLE, Zigbee and other radio communications

[+] Writing your own GNU Radio processing blocks to decode radio information

[+] Taking over smart home systems

[+] Remote and Local Exploitation for IoT devices

[+] Attacking a smart home and smart enterprise network

And much more.

 

Want to learn how to attack an IoT infrastructure or individual devices? You will walk out of the 2-day class having learnt new skills which you could immediately apply in your job/research roles. Come join the course and experience the fast-paced, action-packed IoT Exploitation class.

 

Note: There is an additional $200 fee for the IoT hacking kit, which includes Attify Badges, a custom vulnerable IoT device prepared by us, an author-signed copy of the IoT Hackers Handbook, and additional utilities for other IoT exploitation techniques.



Speakers
Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...


Wednesday September 20, 2017 9:00am - 5:00pm EDT
Fiesta 9

9:00am EDT

Whiteboard Hacking aka Hands-on Threat Modeling (2 of 2 days)

Toreon proposes a 2-day, trainer-led, on-site Threat Modeling course. The training material and hands-on workshops with real live use cases are provided by Toreon. The students will be challenged to perform practical threat modeling in groups of 3 to 4 people, covering the different stages of threat modeling on:

• A hotel booking web and mobile application, sharing the same REST backend

• An Internet of Things (IoT) deployment with an on-premise gateway and secure update service

• An HR services OAuth scenario for mobile and web applications

 

This edition also introduces a new section on privacy threats and privacy by design, including a hands-on privacy impact assessment of a face recognition system in an airport. Each student will receive a hard copy of the book Threat Modeling: Designing for Security by Adam Shostack (2014, Wiley).

 

This training was delivered successfully at OWASP Europe 2016 and has been selected for OWASP Europe 2017 and Black Hat USA 2017. More details and the outline of the training are available in the attached syllabus.

 


Speakers

Wednesday September 20, 2017 9:00am - 5:00pm EDT
Baja