Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, November 18
 

9:00am

OWASP Media Project Introduction

The OWASP Media Project is an infrastructure project that gathers, consolidates, and promotes OWASP content in video format on a central appealing hub. The first and main instance of the project will be a YouTube channel.

The session will be used in order bring project leaders up to speed on how video sharing and live streaming can help promote your project and reach people. We will do that by presenting Google Hangout, and the official OWASP YouTube channel.

Then, we will gather potential sources and existing videos in order to populate the OWASP channel. This summit experience will not just be about promoting the Media Project itself, but also about the exposure of any other projects with video content.


Speakers
JM

Jonathan Marcil

Montreal Chapter Leader, OWASP
As the chapter leader of OWASP Montreal, Jonathan manages most of the events and do the online community management. He is filling up the chapter's agenda with continuous events. He teamed up with various student groups to be present in three universities. He also works to put most of the talks online using YouTube and Google Hangouts. | | Those implications leaded him to create OWASP Media Project, where we gather, consolidate and promote... Read More →


Monday November 18, 2013 9:00am - 10:00am
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am

Project Summit: OWASP Projects Review Session
During the OWASP Projects Review working session, attendees will be able to participate in the review of the entire inventory of OWASP Projects using the new assessment criteria developed by our team of Technical Project Advisors. The aim of this session is to establish a more accurate representation of OWASP project health and product quality. The session outline is as follows:

  1. Overview of new assessment criteria to conduct reviews.
  2. Team in small groups(2 to 3 max) based on experience and background to asses a set of Projects (Code, Tool or Documentation)
  3. Fill in the Questionnaire (Google Forms) to complete assessment of Projects and provide the review with a final score and results (Project defined as Incubator, Lab or Flagship) 
  4. Review results of questionnaire with your team.
  5. Present results and conclusions of assessment session.
 

Moderators
avatar for Samantha Groves

Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement projects, staff recruitment and training, and marketing department organization and strategy implementation projects for a variety of commercial and... Read More →

Speakers
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →


Monday November 18, 2013 9:00am - 1:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Application Cryptanalysis with Bletchley
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Use of cryptography permeates todays computing infrastructures. While few programmers attempt to implement sophisticated cryptosystems, many unwittingly develop simple protocols in every day applications without adequate knowledge of how cryptographic primitives should be combined. In this training we explore several techniques for analyzing and breaking the kinds of cryptographic protocols which are commonly found in modern applications.  Attendees will first be presented with a brief review of cryptographic primitives and their uses, followed by an introduction of several techniques to analyze cryptographic systems in a black-box manner.  In each case, the discussion will describe how programmers can avoid making the common mistakes that allow these attacks to succeed.  Each lecture session will be followed by lab exercises where students will utilize the Bletchley toolkit and other open source tools to attack vulnerable applications.
Outline for two-day version:
Day 1
=====
1. Crypto refresher
  A. Pseudorandom number generators
  B. Block ciphers and their modes
  C. Hashes and (H)MACs
2. Attacks on nonces
  A. Statistical/structural analysis
  B. Attacking weak seeds
  C. Attacking weak algorithms
  D. Examples of past flaws in real-world applications
3. Exercise: Weak nonces
  A. Fun with Stompy
  B. Attacking a linear congruential generator (LCG)
4. Attacks on encrypted tokens
  A. Determining block size / mode
  B. Basics of block swapping
  C. Attacks on ECB and CBC modes
D. Algorithm Reuse
5. Exercise: Block swapping
  A. Analyzing encoded blobs
  B. Identifying algorithm reuse
  C. Forging tokens
6. Padding oracle attacks
  A. Theory
  B. Real-world examples
7. Exercise: Asking the oracle
Day 2
=====
8. Hash length-extension attacks (3/4 hr)
  A. Naive Hash-based MAC construction
  B. The popular M-D hash method
  C. Construction of an attack
9. Exercise: A simple HLE attack (1.5 hrs)
  A. Identifying hashed elements
  B. Constructing a message
10. Attacking unprotected stream ciphers (1 1/4 hr)
  A. Refresher on synchronous ciphers and modes (OFB/CTR)
  B. Identifying stream ciphers
  C. Static IV decryption
  D. Looking for decryption oracles
11. Exercise: Bit flipping for success (2 hrs)
  A. Building a bit probe script
  B. Modifying ciphertexts
12. Open lab time (1-2 hrs)
  A. Bonus exercise: breaking a password generator; or
  B. Finish implementations from previous exercises

Speakers
avatar for Timothy Morgan

Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit... Read More →


Monday November 18, 2013 9:00am - 5:00pm
Chelsea (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline: • So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics • ThreadFix: Reporting

• Governance: Policy and Compliance
• Governance: Education and Guidance • OWASP Development Guide
• OWASP Cheat Sheets
• OWASP Secure Coding Practices

• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture • ESAPI overview
• Microsoft Web Protection Library (Anti-XSS) overview

• Verification: Design Review • Microsoft Threat Analysis and Modeling Tool

• Verification: Code Review • FindBugs
• Brakeman
• Agnitio

• Verification: Security Testing • w3af
• OWASP Zed Attack Proxy (ZAP)

• Deployment: Vulnerability Management • ThreadFix: Defect Tracker Integration

• Deployment: Environment Hardening • Microsoft Baseline Security Analyzer (MBSA)

• Deployment: Operational Enablement • mod_security


Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Monday November 18, 2013 9:00am - 5:00pm
Gotham (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Securing Mobile Devices & Applications
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview: 
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering the number of mobile applications available in the Google Play and Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing it is imperative to perform typical application security practices. But, how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline: 
1)  Mobile Devices and Applications
Section Overview: Introduction to Mobile Devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
1)     Device Types and Capabilities
2)     Mobile App Emulators / IDEs
3)     Running the Class Apps
4)     Using a Testing Proxy: Burp
5)     How to get Proxying to work
2)  Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.
1)     Different Mobile Architectures
2)     OWASP Mobile Security Resources
3)     Mobile Threat Model
4)     Top 10 Mobile Controls
5)     Risk Management                                      
6)     Mobile Threats and Attacks on Users, Devices, and Apps
7)     Consequences
8)     AppStore Security / Malware Threats
9)     Hands On: Hacking Mobile URLs (iOS), or Intents (Android)
3)  Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.                                                     
1)     Device Protections built into Android and iPhone
2)     Data Protection
3)     Encryption
4)     Client Only Architecture and Recommended Controls
5)     Client-Server Architecture and Recommended Controls
6)     Recommendation: Standard Security Controls
7)     Mobile Web Applications and Recommended Controls
8)     HTML 5 Risks
9)     JavaScript Framework Risks
10)  Same Origin Policy                         
4) Securing the Device                                           
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise.  We show students how to secure employee-owned devices.
1)     Mobile Device Management (MDM) Applications
2)     Password Requirements
3)     Data Protection
4)     Enterprise Security Management (ESM)
5) Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?
1)     Threat: Unsafe wireless access points, sniffing, tampering
2)     Review mobile protocols and platforms
3)     How to use SSL Securely
6)  Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
1)     Threats: lost/stolen phone, remember me, sniffing
2)     Strong Authentication vs. User Usability
3)     Communicating credentials safely
4)     Storing credentials safely
7)  Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
1)     Threats: lost/stolen device, remember me, lost/stolen credentials
2)     Benefits of Registering the Device
3)     Methods for Authenticating the Device
4)     Avoiding use of UDID
8)  Mobile Data Protection           
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
1)     Identifying sensitive data
2)     Where and how is data stored on devices
3)     Hashing and encryption
4)     Storing keys
5)     Browser Caching
6)     Mobile specific ‘accidental’ data storage areas
7)     Where NOT to store your data on the device
8)     HTML5 local storage
9)  Mobile Forensics
Section Overview:Where application data and configuration information typically gets stored on the mobile device.
1)     Forensics tools for Android and iPhone
2)     Exploring the file system (Android / iPhone)
3)     Jailbreaking grants more access
4)     Interesting areas of the file system (Android / iPhone)
5)     Application configuration files
6)     Autocomplete records / iPhone app screen shots
7)     Dumping Android Intents
8)     Scrounging in Backups
10)  Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
1)     Threat: user attacks server
2)     Example attacks
3)     Documenting your access control policy
4)     Mapping enforcement to server side controls
5)     Presentation Layer Access Control
6)     Environmental Access Control
7)     Business Logic
8)     Data Protection
9)     Hands On: Access Other Peoples Accounts, Steal Funds
11)  How to Protect Against Cross Site Scri

Speakers
avatar for Dan Amodio

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. | | Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and... Read More →
avatar for David Lindner

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner, a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD... Read More →


Monday November 18, 2013 9:00am - 5:00pm
Empire & Hudson (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: The Art of Exploiting Injection Flaws
PROMOTION: All attendees of my class will receive FREE 1 month access to on-line labs after the class allowing them more time to practice the concepts taught in the class.

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1
(even the 2013 Relese Candidate for Top 10 has retained injection flaw as top flaw)
This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are:
SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection
During the 2 days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course:
Understand the problem of Injection Flaws
Learn a variety of advanced exploitation techniques which hackers use.
learn how to fix these problems?

WHAT STUDENTS WILL BE PROVIDED
Student hand-outs
Tools/scripts (some public and some not so public)

WHO SHOULD ATTEND
Web Application Developers
Web Application Security Consultants
Penetration Testers
Anyone who wants to take their skills to next level

WHAT TO EXPECT
Shells popping
Advanced data ex-filtration techniques.
Advanced exploitation (some neat, new and ridiculous hacks).
Some insane examples of code which appears secure but it's not.

WHAT STUDENTS SHOULD BRING
Students must bring their own laptop with Windows Operating System installed (either natively or running in a VM). Further, students must have administrative access to perform tasks like install software, disable antivirus etc. Devices which don't have ethernet connection (e.g. macbook Air, tablets etc) are not supported. A prior knowledge of Database systems and SQL language will be an added advantage but it's not a strict requirement.


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Monday November 18, 2013 9:00am - 5:00pm
Brecht (4th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Web Application Defender's Cookbook: LIVE
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Can you answer these questions? • Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?

If you can not confidently answer yes to all of these questions then this is the class for you!  This 2-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett.  Copies of the book will be provided to all participants and will be used as the basis for the courseware material.  The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications.  The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills: • Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabiities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force

Tools:
Each student will need to bring their own laptop with VMware installed.  For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project as it already has many vulnerable target web applications.  OWASPBWA also includes the cross-platform (Apache, IIS and Nginx), open source ModSecurity Web Application Firewall (WAF) and OWASP ModSecurity Core Rule Set (CRS) which is the tool that we will be using for our labs exercises to implement our defenses.

Speakers
avatar for Ryan Barnett

Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project. | | In addition to his commercial work at Trustwave, Ryan is also an active contributor to many... Read More →


Monday November 18, 2013 9:00am - 5:00pm
Odets (4th Floor) NY Marriott Marquis

10:30am

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
avatar for Chris Schmidt

Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization. During the day, Chris is Chief Architect for Contrast Security where he has been since fall 2010. Prior to joining the... Read More →
avatar for Kevin Wall

Kevin Wall

Information Security Engineer 5, Wells Fargo
Kevin is an experienced Application Security developer, and he is the OWASP ESAPI project co-leader / committer.
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


Monday November 18, 2013 10:30am - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm

OWASP PHP Security and RBAC Projects: An introduction
The aim of this session is to introduce attendees to both projects, and to get them working on project related activities. 

OWASP PHP Security Project


1. To demonstrate and introduce the OWASP PHP Security Project, have people contribute to it and have people contribute it to their own projects!

2. The project is developed, we're going to show sample usages and have people try to hack them (which should be impossible). We also introduce the libraries and discuss what future works are needed on the project.

3. The project is really interesting and has a cool aim, and this will help get a lot more people in its community.

OWASP RBAC Project

1. OWASP RBAC is a new cutting-edge technology taht can revolutionize the authorization domain. Unfortunately because its rigorous and comlex, we havent been very succesful in expanding its usage.

2. Get the people know how awesome this is, and get them use it in their applications. This is a pretty mature project and is one of those things that you don't know exists, but when you do you can't get enough of. We also like to get contributors porting it to other programming languages.

3. We've done 85% of the job. There is a website, API, full code with tests, all we need is people to go ahead and use it, and some people who want to use it in another programming language so that we get the community to port it!

Moderators
avatar for Abbas Naderi

Abbas Naderi

Project/Chapter Leader, OWASP
Information security, cryptography, computer science, and all sorts of geeky stuff make up my life. | | | | I'm doing heavy infosec research as well. | | | | My CV is available at https://abiusx.com/cv

Monday November 18, 2013 1:00pm - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm

Project Summit: AppSensor 2.0 Hackathon
Take part in building the next generation of AppSensor. In this hackathon we will focus on building the code for AppSensor 2.0, which will involve moving to a services (both REST and SOAP) model for event detection and response. During the hackathon, the AppSensor development leaders will be designing and coding side-by-side with you. Come join us and help make the AppSensor idea available to all!

Speakers
avatar for John Melton

John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool, and looking for prior art. | | For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis space. My previous positions have included technical and leadership roles in both software development and security, working in the financial and defense... Read More →


Monday November 18, 2013 1:00pm - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

8:00pm

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first everInternet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →


Monday November 18, 2013 8:00pm - 11:59pm
Sky Lounge (16th Floor) NY Marriott Marquis
 
Tuesday, November 19
 

9:00am

Project Summit: Mobile Security Session
Just as the mobile security landscape has changed, so has the OWASP Mobile Project. Join us as we discuss the major milestones of 2013 and what is in store for the projects future. We will also go deeper in to the Mobile Top Ten project where we will discuss the decisions made on categories, vulnerability information, and look at some surprising vulnerability trends in mobile applications.

During this session, we will cover:

- OWASP Top 10 Mobile Risks, 2014 Refresh.

- Mobile project 2013 achievements and the 2014 roadmap.

- Increasing industry collaboration within the mobile security space.
 

Speakers
avatar for Jason Haddix

Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website (www.securityaegis.com) that reviews industry training, interviews security professionals, and provides anecdotal/practical advice related to offensive security... Read More →
JM

Jack Mannino

nVisium
Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run... Read More →
avatar for Daniel Miessler

Daniel Miessler

Principal Security Architect, HP
Daniel Miessler is Principal Security Architect with HP based out of San Francisco, California. He specializes in application security with specific focus in web and mobile application assessments, helping enterprise customers build effective application security programs, and speaking with executives about how to best leverage technologies and processes to reduce real-world risk. In his spare time he enjoys reading and writing, programming... Read More →


Tuesday November 19, 2013 9:00am - 1:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am

Project Summit: Training Development Session
Training is an important part of OWASP's mission as it helps not only in increasing the awareness around application security but also in actually improving the security of applications. In the past, we have tried several training models (e.g. Training Days, Tours, etc.) and dozens of ideas have been put on the table. Nevertheless, we are still missing a viable training model that will be easy to reproduce and will provide added value to attendees.   

During the Project Summit, we will discuss various training models, and the experience we have gained over the past years in order to build a model that will be subsequently used to train developers and anyone involved in securing applications.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals
avatar for Martin Knobloch

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures. | With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum... Read More →


Tuesday November 19, 2013 9:00am - 1:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Application Cryptanalysis with Bletchley
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Use of cryptography permeates todays computing infrastructures. While few programmers attempt to implement sophisticated cryptosystems, many unwittingly develop simple protocols in every day applications without adequate knowledge of how cryptographic primitives should be combined. In this training we explore several techniques for analyzing and breaking the kinds of cryptographic protocols which are commonly found in modern applications.  Attendees will first be presented with a brief review of cryptographic primitives and their uses, followed by an introduction of several techniques to analyze cryptographic systems in a black-box manner.  In each case, the discussion will describe how programmers can avoid making the common mistakes that allow these attacks to succeed.  Each lecture session will be followed by lab exercises where students will utilize the Bletchley toolkit and other open source tools to attack vulnerable applications.
Outline for two-day version:
Day 1
=====
1. Crypto refresher
  A. Pseudorandom number generators
  B. Block ciphers and their modes
  C. Hashes and (H)MACs
2. Attacks on nonces
  A. Statistical/structural analysis
  B. Attacking weak seeds
  C. Attacking weak algorithms
  D. Examples of past flaws in real-world applications
3. Exercise: Weak nonces
  A. Fun with Stompy
  B. Attacking a linear congruential generator (LCG)
4. Attacks on encrypted tokens
  A. Determining block size / mode
  B. Basics of block swapping
  C. Attacks on ECB and CBC modes
D. Algorithm Reuse
5. Exercise: Block swapping
  A. Analyzing encoded blobs
  B. Identifying algorithm reuse
  C. Forging tokens
6. Padding oracle attacks
  A. Theory
  B. Real-world examples
7. Exercise: Asking the oracle
Day 2
=====
8. Hash length-extension attacks (3/4 hr)
  A. Naive Hash-based MAC construction
  B. The popular M-D hash method
  C. Construction of an attack
9. Exercise: A simple HLE attack (1.5 hrs)
  A. Identifying hashed elements
  B. Constructing a message
10. Attacking unprotected stream ciphers (1 1/4 hr)
  A. Refresher on synchronous ciphers and modes (OFB/CTR)
  B. Identifying stream ciphers
  C. Static IV decryption
  D. Looking for decryption oracles
11. Exercise: Bit flipping for success (2 hrs)
  A. Building a bit probe script
  B. Modifying ciphertexts
12. Open lab time (1-2 hrs)
  A. Bonus exercise: breaking a password generator; or
  B. Finish implementations from previous exercises

Speakers
avatar for Timothy Morgan

Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit... Read More →


Tuesday November 19, 2013 9:00am - 5:00pm
Chelsea (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline: • So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics • ThreadFix: Reporting

• Governance: Policy and Compliance
• Governance: Education and Guidance • OWASP Development Guide
• OWASP Cheat Sheets
• OWASP Secure Coding Practices

• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture • ESAPI overview
• Microsoft Web Protection Library (Anti-XSS) overview

• Verification: Design Review • Microsoft Threat Analysis and Modeling Tool

• Verification: Code Review • FindBugs
• Brakeman
• Agnitio

• Verification: Security Testing • w3af
• OWASP Zed Attack Proxy (ZAP)

• Deployment: Vulnerability Management • ThreadFix: Defect Tracker Integration

• Deployment: Environment Hardening • Microsoft Baseline Security Analyzer (MBSA)

• Deployment: Operational Enablement • mod_security


Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Tuesday November 19, 2013 9:00am - 5:00pm
Gotham (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Securing Mobile Devices & Applications
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview: 
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. Considering the number of mobile applications available in the Google Play and Apple AppStore is nearing 1.5 million and vulnerabilities are skyrocketing it is imperative to perform typical application security practices. But, how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline: 
1)  Mobile Devices and Applications
Section Overview: Introduction to Mobile Devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
1)     Device Types and Capabilities
2)     Mobile App Emulators / IDEs
3)     Running the Class Apps
4)     Using a Testing Proxy: Burp
5)     How to get Proxying to work
2)  Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.
1)     Different Mobile Architectures
2)     OWASP Mobile Security Resources
3)     Mobile Threat Model
4)     Top 10 Mobile Controls
5)     Risk Management                                      
6)     Mobile Threats and Attacks on Users, Devices, and Apps
7)     Consequences
8)     AppStore Security / Malware Threats
9)     Hands On: Hacking Mobile URLs (iOS), or Intents (Android)
3)  Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.                                                     
1)     Device Protections built into Android and iPhone
2)     Data Protection
3)     Encryption
4)     Client Only Architecture and Recommended Controls
5)     Client-Server Architecture and Recommended Controls
6)     Recommendation: Standard Security Controls
7)     Mobile Web Applications and Recommended Controls
8)     HTML 5 Risks
9)     JavaScript Framework Risks
10)  Same Origin Policy                         
4) Securing the Device                                           
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise.  We show students how to secure employee-owned devices.
1)     Mobile Device Management (MDM) Applications
2)     Password Requirements
3)     Data Protection
4)     Enterprise Security Management (ESM)
5) Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?
1)     Threat: Unsafe wireless access points, sniffing, tampering
2)     Review mobile protocols and platforms
3)     How to use SSL Securely
6)  Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
1)     Threats: lost/stolen phone, remember me, sniffing
2)     Strong Authentication vs. User Usability
3)     Communicating credentials safely
4)     Storing credentials safely
7)  Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
1)     Threats: lost/stolen device, remember me, lost/stolen credentials
2)     Benefits of Registering the Device
3)     Methods for Authenticating the Device
4)     Avoiding use of UDID
8)  Mobile Data Protection           
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
1)     Identifying sensitive data
2)     Where and how is data stored on devices
3)     Hashing and encryption
4)     Storing keys
5)     Browser Caching
6)     Mobile specific ‘accidental’ data storage areas
7)     Where NOT to store your data on the device
8)     HTML5 local storage
9)  Mobile Forensics
Section Overview:Where application data and configuration information typically gets stored on the mobile device.
1)     Forensics tools for Android and iPhone
2)     Exploring the file system (Android / iPhone)
3)     Jailbreaking grants more access
4)     Interesting areas of the file system (Android / iPhone)
5)     Application configuration files
6)     Autocomplete records / iPhone app screen shots
7)     Dumping Android Intents
8)     Scrounging in Backups
10)  Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
1)     Threat: user attacks server
2)     Example attacks
3)     Documenting your access control policy
4)     Mapping enforcement to server side controls
5)     Presentation Layer Access Control
6)     Environmental Access Control
7)     Business Logic
8)     Data Protection
9)     Hands On: Access Other Peoples Accounts, Steal Funds
11)  How to Protect Against Cross Site Scri

Speakers
avatar for Dan Amodio

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. | | Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and... Read More →
avatar for David Lindner

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner, a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD... Read More →


Tuesday November 19, 2013 9:00am - 5:00pm
Empire & Hudson (7th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: The Art of Exploiting Injection Flaws
PROMOTION: All attendees of my class will receive FREE 1 month access to on-line labs after the class allowing them more time to practice the concepts taught in the class.

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1 
(even the 2013 Relese Candidate for Top 10 has retained injection flaw as top flaw) 
This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 
SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection 
During the 2 days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 
Understand the problem of Injection Flaws
Learn a variety of advanced exploitation techniques which hackers use.
learn how to fix these problems? 

WHAT STUDENTS WILL BE PROVIDED
Student hand-outs
Tools/scripts (some public and some not so public)

WHO SHOULD ATTEND
Web Application Developers
Web Application Security Consultants
Penetration Testers
Anyone who wants to take their skills to next level

WHAT TO EXPECT
Shells popping
Advanced data ex-filtration techniques.
Advanced exploitation (some neat, new and ridiculous hacks).
Some insane examples of code which appears secure but it's not.

WHAT STUDENTS SHOULD BRING
Students must bring their own laptop with Windows Operating System installed (either natively or running in a VM). Further, students must have administrative access to perform tasks like install software, disable antivirus etc. Devices which don't have ethernet connection (e.g. macbook Air, tablets etc) are not supported. A prior knowledge of Database systems and SQL language will be an added advantage but it's not a strict requirement. 


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Tuesday November 19, 2013 9:00am - 5:00pm
Brecht (4th Floor) NY Marriott Marquis

9:00am

2 Day Pre-Conference Training: Web Application Defender's Cookbook: LIVE
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Can you answer these questions? • Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?

If you can not confidently answer yes to all of these questions then this is the class for you!  This 2-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett.  Copies of the book will be provided to all participants and will be used as the basis for the courseware material.  The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications.  The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills: • Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabiities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force

Tools:
Each student will need to bring their own laptop with VMware installed.  For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project as it already has many vulnerable target web applications.  OWASPBWA also includes the cross-platform (Apache, IIS and Nginx), open source ModSecurity Web Application Firewall (WAF) and OWASP ModSecurity Core Rule Set (CRS) which is the tool that we will be using for our labs exercises to implement our defenses.

Speakers
avatar for Ryan Barnett

Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project. | | In addition to his commercial work at Trustwave, Ryan is also an active contributor to many... Read More →


Tuesday November 19, 2013 9:00am - 5:00pm
Odets (4th Floor) NY Marriott Marquis

10:30am

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
avatar for Chris Schmidt

Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization. During the day, Chris is Chief Architect for Contrast Security where he has been since fall 2010. Prior to joining the... Read More →
avatar for Kevin Wall

Kevin Wall

Information Security Engineer 5, Wells Fargo
Kevin is an experienced Application Security developer, and he is the OWASP ESAPI project co-leader / committer.
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


Tuesday November 19, 2013 10:30am - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm

Project Summit: Academies Development Session
The OWASP Academies program aims to bring together academic institutions from all over the world in order to collaborate towards increasing awareness on application security. The OWASP Academy Portal is the actual deliverable of this process: a portal that will provide various types of content (presentations, labs, etc.) to students and faculty who wish to learn or teach application security. 

During the Projects Summit we intend to kick start the Academy Portal, complete the intial design and add some actual content. The OWASP Academy Portal will then serve as the meeting point for application security in academia.

Moreover, the Projects Summit will serve as a meeting point for several members of the academic community and a unique opportunity to exchange ideas and experience.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals
avatar for Martin Knobloch

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures. | With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum... Read More →


Tuesday November 19, 2013 1:00pm - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

3:00pm

OWASP O2 Documentation Session
The objective of this session is to discuss the development of a Book about the O2 Platform Web Automation capabilities. Join us during our initial discussion, and get your ideas heard. 

Speakers
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →
avatar for Michael Hidalgo

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based on San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always work hard to do things better. Currently Michael works as a Software Developer Engineer for one of the best Application Security company in the market. He also leads the OWASP Chapter in Costa Rica and he is always writing about software, testing... Read More →


Tuesday November 19, 2013 3:00pm - 6:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

3:00pm

Registration
Tuesday November 19, 2013 3:00pm - 9:00pm
Empire & Hudson (7th Floor) NY Marriott Marquis

6:00pm

Tuesday Night Reception
Moderators
avatar for Sarah Baso

Sarah Baso

Former Executive Director, OWASP Foundation | I am based in San Francisco, Californa, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.
avatar for Kate Hartmann

Kate Hartmann

OWASP Foundation, OWASP Foundation
Kate joined the OWASP Foundation May 2008 Kate's Ongoing Job Duties Kates work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Current Initiatives include: Improving Foundation... Read More →
avatar for Kelly Santalucia

Kelly Santalucia

Membership & Business Liaison, OWASP

Tuesday November 19, 2013 6:00pm - 9:00pm
Empire & Hudson (7th Floor) NY Marriott Marquis

7:00pm

Hands-on Ethical Hacking: Preventing and Writing Exploits for Buffer Overflows
Limited Capacity filling up

** YOU MUST RSVP FOR THIS TRAINING BY EMAILING RALPH.DURKEE@OWASP.ORG. CAPACITY IS LIMITED TO 24 ATTENDEES **

A ntense 2.5 hours hands-on course where you will find a buffer overflow vulnerability and then develop an exploit for a stack based buffer overflow. We'll also discuss and test mitigating techniques such as address randomization, stack protections mechanisms, non-executable stacks and of course programming to prevent buffer overflows.

The course will use a virtual Linux system with the required tools running on your own laptop. Students must be comfortable with the Linux command line, and be familiar with basic C/C++ programming. We'll be using the Gnu development tools such as g++. gcc, gdb, and make. Vim, Emacs and Eclipse will all be installed for your editing and exploit writing pleasure. We'll be looking at assembly code in order to develop the final exploit, so some familiarity with assembler languages is helpful, but not required. You must bring your own laptop. The laptop can be MS Windows, Mac or Linux, just make sure you have a recent version of VirtualBox installed and working. Having a DVD reader is helpful for transferring the VM, but a flash drive will also be available.

Laptop Requirements:

  • At least 4Gb RAM

  • 8 Gb of free disk space

  • Virtual Box 4.2.16 or newer installed.

  • Administrator or root privileges for the laptop.

  • Comfortable with Linux Command Line and g++ / gcc.

  • SomeC/C++programming


Speakers
avatar for Ralph Durkee

Ralph Durkee

Principal Security Consultant, Durkee Consulting, Inc.
Ralph Durkee is the principal security consultant and president of Durkee Consulting, Inc since 1996. Ralph founded the OWASP Rochester, NY chapter and has served on the board since 2004. Ralph served on the ISSA chapter board to start the Rochester ISSA chapter as well as starting the annual Rochester Security Summit. He has served as the ISSA chapter president since 2010. He performs a variety of network and application penetration tests... Read More →


Tuesday November 19, 2013 7:00pm - 11:00pm
Brecht (4th Floor) NY Marriott Marquis

8:00pm

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first everInternet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →


Tuesday November 19, 2013 8:00pm - 11:59pm
Sky Lounge (16th Floor) NY Marriott Marquis
 
Wednesday, November 20
 

7:00am

Registration
Wednesday November 20, 2013 7:00am - 5:00pm
3rd Floor

8:30am

Welcome to OWASP AppSecUSA - Updates
Let us get this event started!

Presentation will include kick-off with details about the activities that will happen, changes to the event schedule and regarding AppSec USA 2013. 



Speakers
avatar for Tom Brennan

Tom Brennan

Consultant, ProactiveRISK
Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk
avatar for Israel Bryski

Israel Bryski

IT Security, Nomura
Israel Bryski has over 7 years of experience in technology and information risk management. He is currently working in IT Security at Nomura and is Chapter Leader for the NYC OWASP Chapter.

Volunteers
avatar for Sarah Baso

Sarah Baso

Former Executive Director, OWASP Foundation | I am based in San Francisco, Californa, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.
avatar for Kate Hartmann

Kate Hartmann

OWASP Foundation, OWASP Foundation
Kate joined the OWASP Foundation May 2008 Kate's Ongoing Job Duties Kates work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Current Initiatives include: Improving Foundation... Read More →
avatar for Kelly Santalucia

Kelly Santalucia

Membership & Business Liaison, OWASP

Wednesday November 20, 2013 8:30am - 8:50am
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

9:00am

Computer and Network Security: I Think We Can Win!
Some think that computer and network security is a lost cause. I have spent forty years in the field, and it is discouraging that we have made few advances, and lost a lot of ground: our current technologies and practices are clearly unable to keep attackers out of our business.

Bob Morris said that security people are paid to think bad ideas, and I have had a lot of them. The threats are persistent, but not really advanced in most cases. I remain optimistic: it is still early in the game. These are our computers, our software, our network wiring.  We have plenty of CPU cycles and storage and daunting cryptography. We ought to be able to win this battle---we have the home field advantage!

Some things are pretty clear to me at this point: user education and strict edicts are an inadequate substitute for good engineering; a good scientific measure of security still eludes us and is probably an intractable problem; standards compliance and checklists don't solve the problem; and our industry has not improved over the decades.

What does a cure look like? It is still early in the game, our software designs and user interfaces are still at the level of the Ford Model T. I will try to describe some of the technology and scenarios that may be part of the solutions.

Speakers
avatar for William Cheswick

William Cheswick

I am interested in visualization, user interfaces, security and security usability, typography, tinkering, and science, medicine, and technology in general. Felix, qui potuit rerum cognoscere causus. - Virgil; (“Happy is he who knows the cause of things.”) I love living in the future!


Wednesday November 20, 2013 9:00am - 9:50am
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

9:00am

Project Summit: Writing and Documentation Review Session

OWASP Documentation Projects are a key element in the industry. They are broadly adopted and used. 

This session aims to review the below documents, and give recommendations on where they can be improved.

->OWASP AppSensor Project.

->OWASP Development Guide Project.

->OWASP Code Review Guide Project.

->OWASP Testing Guide Project.

->OWASP Code of Conduct.


During this session, the objectives we will be covering are:

1. Figure out what needs to be done for each project.

2. Assign sections to each participant

3. Finish various sections assigned to you.

4. Consolidate all finished sections.


Join us today!

 

 

Moderators
avatar for Samantha Groves

Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement projects, staff recruitment and training, and marketing department organization and strategy implementation projects for a variety of commercial and... Read More →

Speakers
avatar for Michael Hidalgo

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based on San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always work hard to do things better. Currently Michael works as a Software Developer Engineer for one of the best Application Security company in the market. He also leads the OWASP Chapter in Costa Rica and he is always writing about software, testing... Read More →


Wednesday November 20, 2013 9:00am - 1:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

10:00am

Hardening Windows 8 apps for the Windows Store
Security and privacy in mobile development has been a topic in the iOS and Android world for a few years now. Microsoft is entering the fray with be their first significant push into the mobile space. Will your apps be the next ones on the front page of Ars Technica (for the wrong reasons)? Bill would like to help you make sure that won’t happen. Learn the security considerations of HTML5, backend services, cloud computing and WinRT.

Speakers
avatar for Bill Sempf

Bill Sempf

Secure Software Architect, Products Of Innovative New Technology
Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. I help people write more secure software.


Wednesday November 20, 2013 10:00am - 10:50am
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

10:00am

The Perilous Future of Browser Security
Video of session:
https://www.youtube.com/watch?v=CzA1hCTkmFw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=41

The tradeoffs required to make a secure browser are often largely poorly understood even amongst the best of security people.  It makes sense since so few people actually work on browsers.  There is little knowledge about what it requires to make a browser safe enough to use when viewing hostile websites - against all known adversaries.  In this presentation Mr. Hansen will cover how browsers are critically insecure, how they can be made to be secure, and what consumers forfeit in order to gain that extra level of security.  Lastly, the presentation will cover how to think about tradeoffs and what customers can live without.

Speakers
avatar for Robert Hansen

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the... Read More →


Wednesday November 20, 2013 10:00am - 10:50am
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

10:00am

Automation Domination
Building your application security automation program as part of the Software Development Lifecycle (SDLC) with architects, developers, and QA has always been challenging.  Automation Domination is the answer to that challenge, structuring a continuous integration framework around your portfolio of dynamic (DAST) and static (SAST) scanning products with integration into your software development stack.  We will explore how to take theory into practice with a proven, scalable enterprise solution with OWASP Projects, continuous integration (CI), bug-tracking, and content creation products.

Speakers
avatar for Brandon Spruth

Brandon Spruth

Prior to beginning his career in Application Security he was both a Technical Recruiter and Entrepreneur with a passion for Technology. As an entrepreneur, he founded a small computer company that provided services to the Real Estate Industry. Currently, he is also President and a musician for Rhythm and Raag a non-profit school for the East Asian performing Arts.


Wednesday November 20, 2013 10:00am - 10:50am
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

10:00am

How To Stand Up an AppSec Program - Lessons from the Trenches
We all know the importance of building security into the development of a company’s applications.  Most of us know many of the steps needed for an effective Application Security Program.  In this talk, we will discuss the best practices for implementing an AppSec Program, we’ll list all the moving parts, and we’ll talk about what worked and what didn’t work in various organizations.
Risk Management
Metrics
Training
SDLC
Requirements
Design Review
Development
Testing
Pre-Production
Production
Lessons Learned

Speakers
avatar for Joe Friedman

Joe Friedman

Director, Security Architecture and Planning, NYSE Euronext
NYSE Euronext - Application Security Program, Security Architecture; Merrill Lynch - Pentest Program, Security Architecture; Johnson & Johnson - Risk Assessments and Pentests of M&A targets & Operating Companies, Development of Security Processes; Various financial firms, startups, and AT&T - Application Development


Wednesday November 20, 2013 10:00am - 10:50am
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

10:00am

PANEL: Aim-Ready-Fire
Audio recording of panel:
https://www.youtube.com/watch?v=ZWARRluApsA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=22

Software assurance in the past 5 - 6 years has emerged as the key focus area for information security professionals. The C - suite has recognized software assurance to be more than a hygiene problem as the application security breaches have started making impact to the bottom line of the companies. The international regulators are demanding systems that are more resilient. The number and complexity of cyber breaches keeps on increasing, there is no relief in sight... lets learn what is working and what is not.

Moderators
avatar for Wendy Nather

Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
Wendy Nather is Research Director, Security, within 451 Research's Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's primary areas of coverage are on application security and security services. Wendy joined 451 Research after five years building and managing all aspects of the IT security program at the Texas Education Agency, which serves 4.6 million Texas students... Read More →

Speakers
avatar for Sean Barnum

Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community. He has over 25 years of experience in the software industry in the areas of architecture, development, software quality assurance, quality management, process... Read More →
avatar for Pravir Chandra

Pravir Chandra

Security Architect at Bloomberg, Bloomberg
Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he lead software security... Read More →
avatar for Suprotik Ghose

Suprotik Ghose

Head of Security, Risk & Control, Americas, RBS
Suprotik Ghose | Head of Security, IT Risk & Control, M&IB Americas | Head of Security Operations, Global M&IB | | Suprotik Ghose has over 22 years of experience (18 years in financial services), in infosec policy, privacy, compliance and IT risk. Since June 2012, Mr. Ghose has been the Head of Security, Risk & Control at Royal Bank of Scotland (RBS) Americas. Previously he was VISA's Global Head of CyberSecurity and the Principal... Read More →
avatar for Ajoy Kumar

Ajoy Kumar

Head of Application Security, UBS
Extensive experience in designing, implementing, and managing enterprise Software Security Program from ground up.  Strong innovation skills have led in many value delivery systems in the enterprise. Strong believer in implementing security process and technology controls over the information lifecycle. | | Enjoy creating state of art practice for security with demonstrated leadership in establishing database and application... Read More →
avatar for Jason Rothhaupt

Jason Rothhaupt

Broadridge
Leader of technology risk management functions for financial service companies. Currently focused on reducing the risk that insecure application pose to critical business functions and processes. | | Specialties:Application Security | Information Security | Technology Risk Management | Business Continuity Planning | Strategic Risk Management | Certified Information Security Manager (CISM)
avatar for Ramin Safai

Ramin Safai

Chief Information Security Officer, Jefferies
Ramin Safai is the first Chief Information Security Officer at the Jefferies. AS CISO, Ramin is responsible for Jefferies global cyber security and IT risk management programs. Prior to joining Jefferies, Ramin was Americas CISO at Barclays and had global responsibilities for rollout of application security and identity management programs. For the past 15 years Ramin has worked as an Information Security officer at large banks including... Read More →


Wednesday November 20, 2013 10:00am - 10:50am
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

10:00am

Project Talk: Project Leader Workshop
The Project Leader Workshop is a 45 minute event activity that brings together current and potential OWASP project leaders to discuss project related issues and topics. The Project Leader Workshop is an optional event activity for our leaders that takes on a presentation and discussion format. It is an interactive tool used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members.

Leaders can expect to learn more about the OWASP Projects Infrastructure, the benefits of having an OWASP Project, and how they can leverage the infrastructure to help promote their project to the community and beyond. OWASP Project Manager, Samantha Groves, will lead the session. 

Speakers
avatar for Samantha Groves

Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement projects, staff recruitment and training, and marketing department organization and strategy implementation projects for a variety of commercial and... Read More →


Wednesday November 20, 2013 10:00am - 10:50am
Edison (5th floor) NY Marriott Marquis

11:00am

OWASP PCI toolkit Session
Join us and learn how to help organizations achieve PCI-DSS compliance with OWASP tools & Documentation by creating an interactive scope toolkit app. 

Speakers
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →


Wednesday November 20, 2013 11:00am - 11:45am
Sky Lounge (16th Floor) NY Marriott Marquis

11:00am

From the Trenches: Real-World Agile SDLC
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise.  In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.
In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project.  We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers
avatar for Chris Eng

Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode. In this role, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies. | | Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where... Read More →


Wednesday November 20, 2013 11:00am - 11:50am
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

11:00am

Securing Cyber-Physical Application Software
Researchers and practitioners have not historically addressed sufficiently the fact that software engineers responsible for IT systems have very different approaches from those who design and build industrial control systems. When Web-facing and distributed information systems are interconnected with legacy industrial control systems, which usually do not include effective security requirements, two major issues arise: one is the possibility of someone gaining access to control systems via Web applications and public networks, and the other is the potential for the transfer of fallacious information from the control systems to the information systems, as ostensibly occurred with Stuxnet. In this presentation we take a new approach to processes and technologies for mitigating the threats and hazards that impinge on, or result from, systems such as the smart grid. The presentation is based in part on the author's book Engineering Safe and Secure Software Systems (Artech House, 2012).

Speakers
avatar for Warren Axelrod

Warren Axelrod

40 years as an IT professional, mostly in financial services with the past 17 years in information security. Spent time at Mobil Oil in IT planning. Actively involved in cybersecurity at industry and national level. Testified before Congress in 2001. Honored by Computerworld (Premier IT Leaders Award and Best in Class Award), ISE (Luminary Leadership Award) and ISACA (Best Paper). Published five books, three on information security. Published... Read More →


Wednesday November 20, 2013 11:00am - 11:50am
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

11:00am

Why is SCADA Security an Uphill Battle?
Video of session:
https://www.youtube.com/watch?v=quhbhy7WkkA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=12

This talk will present technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls that orginizations can implement to protect against these attacks. It will focus on how OWASP and SCADA are getting knit closely together. The talk will also introduce an updated version of an open-source tool to help identify and inventory SCADA systems. 
The presentation will begin by introducing SCADA systems under the hood including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categories these components into distinct groups based on the functionality that each component provides. We will review the security implications on each of these groups and identify where most of the threats lie. We will take a packet level dive into SCADA protocols and study their security implications. The presentation will give example of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation. It will then focus on real world examples of successful and not-so-successful implementations of security controls with SCADA systems which will include examples of what some large organizations have done. We will conclude with guidance on how control system owners can start implementing additional measures to get to an acceptable security.
Attendees who are in charge of control system infrastructure will get insight on what worked and what did not for other organizations. Engineers who are in-charge of security for control systems will get a better technical insight of SCADA protocols and components and can use the open source tool that is introduced. Attendees who are new to control systems will get an excellent overview of security complexities of control systems.

Speakers
avatar for Amol Sarwate

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability scanners, embedded security at McAfee, Hitachi, i2 and other organizations. He has presented his research on various topics like Vulnerability Trends, Credit Card... Read More →


Wednesday November 20, 2013 11:00am - 11:50am
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

11:00am

Computer Crime Laws - Tor Ekeland, Attorney
The Computer Fraud and Abuse Act: An Overview

The notorious Computer Fraud and Abuse Act (CFAA) is the most litigated

federal computer misuse statute in existence. This presentation will cover the

basics of the CFAA, starting with its origins, how Congress intended it to be used,

and how the Department of Justice currently uses it today.

After a brief discussion of the legislative origins of the CFAA in the Orwellian

year of 1984, the presentation will sketch the main statutory components of the law,

focusing specifically on the provisions that prohibit unauthorized access to obtain

information and those that prohibit damage to a computer. Because the CFAA fails

to define what it primarily seeks to prohibit – unauthorized access to a protected

computer – the presentation will then cover the myriad of different interpretations

of unauthorized access.

Finally, the presentation will cover more recent CFAA cases invoking these

different concepts that Tor has worked on as either lead or co-counsel, including

United States v. Auernheimer, (aka weev’s case) which is currently on appeal in front

of the Third Circuit Court of Appeals. If there is time Tor will take questions.

Speakers
avatar for Tor Ekeland

Tor Ekeland

Attorney, Tor Ekeland, P.C.
Tor was lead trial counsel for Andrew Auernheimer (“Weev”) in his prosecution under the Computer Fraud and Abuse Act (“CFAA”) for downloading roughly 120,000 iPad subscriber email addresses from AT&T’s publicly accessible server.  He is currently lead counsel in Mr. Auernheimer’s appeal to the Third Circuit Court of Appeals, working alongside Mark H. Jaffe, Orin Kerr, the Electronic Frontier Foundation... Read More →


Wednesday November 20, 2013 11:00am - 11:50am
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

11:00am

Can AppSec Training Really Make a Smarter Developer?
Video of session:
https://www.youtube.com/watch?v=jUOecoGGA2g&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=40

Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program.   Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard.  Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training.  The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.  The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time.  The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers
avatar for John Dickson

John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at... Read More →


Wednesday November 20, 2013 11:00am - 11:50am
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

11:00am

Project Talk: OWASP Enterprise Security API Project
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. Learn more about the OWASP ESAPI Project from Project Leaders, Chris Schmidt and Kevin Wall. 

Speakers
avatar for Chris Schmidt

Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization. During the day, Chris is Chief Architect for Contrast Security where he has been since fall 2010. Prior to joining the... Read More →
avatar for Kevin Wall

Kevin Wall

Information Security Engineer 5, Wells Fargo
Kevin is an experienced Application Security developer, and he is the OWASP ESAPI project co-leader / committer.


Wednesday November 20, 2013 11:00am - 11:50am
Edison (5th floor) NY Marriott Marquis

12:00pm

All the network is a stage, and the APKs merely players: Scripting Android Applications
Video of session:
https://www.youtube.com/watch?v=yh4-F90XONI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=7

The existance of open well defined APIs for many popular websites has been a boon to spammers, but as they have grown in popularity the operators have begun to care more about the integrity of the network. 3rd party access to these APIs is becoming increasingly restricted, while at the same time desires for a frictionless mobile experience have led to much looser restriction in their own applications.
We'll leverage this, along with the ability to load and execute Android APKs within JRuby sessions to create and control a social botnet.
Beginning with a brief overview of tools for disassembling, understanding, modifying, and rebuilding APKs. We will then move onto scripting portions of the application in a JRuby session, along the way covering key recovery, bypassing custom cryptographic routines, and general exploration of the code in a dynamic environment.
We'll conclude with leveraging what we've discovered to create and control thousands of accounts. Building on available information sources, such as the US census, and streams provided by the targetted network itself these accounts will have realistic characteristics and interact with the network in believable ways.

Speakers
avatar for Daniel Peck

Daniel Peck

Principle Research Scientist, Barracuda Networks
Peck is principle research scientist at Barracuda Networks, he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non content based systems to identify malicious accounts on Twitter/Facebook, exploiting programmable logic controllers, and identifying/classifying malicious javascript. Peck has a Bachelor's of Science in Computer Science from the Georgia Institute of... Read More →


Wednesday November 20, 2013 12:00pm - 12:50pm
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

12:00pm

BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors
Video of session:
https://www.youtube.com/watch?v=Ef_YeULnw1k&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=8

The toolchain for (binary) iOS application assessment is weak BUT, like an island of misfit toys, there can be stregnth in numbers. Join us as we explore what actually needs to be done in a mobile assessment and how we can do it right from our SSH prompt on our iOS device. Our tool is simple yet effective and as you learn to do mobile assessments you'll also teach yourself the fundamentals of the OWASP Mobile Top 10. Topics explored will be binary analysis, app decryption, data storage, endpoint parsing, class inspection, file monitoring, and more! Heck we might even release some sort of ghetto BASH Obj-c source parser!

Speakers
avatar for Jason Haddix

Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website (www.securityaegis.com) that reviews industry training, interviews security professionals, and provides anecdotal/practical advice related to offensive security... Read More →
avatar for Dawn Isabel

Dawn Isabel

HP ShadowLabs
Dawn Isabel is currently a Mobile Security Consultant at HP ShadowLabs, where she tests iOS and Android applications and develops in-house tools for static and dynamic analysis of mobile apps. Prior to that, she designed and ran a penetration testing service at the University of Michigan, and developed Python automation for vulnerability management with Nessus. Dawn was team lead of the Computer Incident Response Team (CIRT) at Ford Motor Company... Read More →


Wednesday November 20, 2013 12:00pm - 12:50pm
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

12:00pm

Case Study: 10 Steps to Agile Development without Compromising Enterprise Security
Video of session:
https://www.youtube.com/watch?v=Y31qgnF-Bzg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=30

In an Agile, fast paced environment with frequent product releases, security code reviews & testing is usually considered a delaying factor that conflicts with success. Is it possible to keep up with the high-end demands of continuous integration and deployment without abandoning security best practices?

We started our journey seeking a way to reduce friction, risk and cost driven from identifying vulnerabilities too late, when already in Production. After a long way and many lessons learned, we have successfully added in-depth security coverage to more than 20 SCRUMS and up to 1M lines of code. We are happy to share our insights, tips and experience from that process.

LivePerson is a provider of SaaS based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform on a monthly basis. LivePerson's R&D center consists of hundreds of developers who work in an Agile and Scrum based methods, closely tied with our Secure Software Development Lifecycle.

In order to achieve best results and reduce friction, we have tailored the SSDLC to the standard SCRUM process and added security coverage (both operational + technical controls) for each phase starting with a mutual Security High Level Design post release planning with Software Architects, defining technical security controls and framework in sprint planning, implementation of ESAPI and Static Code Analysis at the CI, manual code reviews, Automated Security Tests during QA and a penetration test as part of the release.

This session will include detailed information about the methodologies and operational cycles as well as measureable key success factors and tips related to implementation of tools and technologies in our use (e.g. ESAPI package, Static Code Analysis as a Maven Step, Vulnerability Scanning plugins)

References:

OWASP ESAPI https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press The Burp Suite http://portswigger.net/burp/

OWASP Developer Guide http://ignum.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

Speakers
avatar for Yair Rovek

Yair Rovek

Security Specialist, LivePerson
A technical information security specialist with more than 25 years of experience and strong knowledge in Network and Web Applications.


Wednesday November 20, 2013 12:00pm - 12:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

12:00pm

Build but don't break: Lessons in Implementing HTTP Security Headers
Content Security Policy is a new standard from the WC3 that aims to help stop a mainstay of the OWASP top 10, cross-site scripting (XSS). The problem faced by many major sites today is how to craft a working content security policy that works for already existing applications. We will discuss real world techniques to simplify policy generation and testing, as well as discuss what changes are coming in CSP version 1.1. I will also discussion additional security headers such as X-Frame-Options to stop clickjacking and HTTP Strict Transport Security to stop man-in-the-middle attacks.

Speakers
avatar for Kenneth Lee

Kenneth Lee

Product Security Engineer, Etsy
AppSec Engineer @ Etsy. Loves pentests, code reviews, and a good cup of tea. | Twitter: @kennysan | Github: https://github.com/kennysan


Wednesday November 20, 2013 12:00pm - 12:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

12:00pm

The Cavalry Is Us: Protecting the public good

Video of session:
https://www.youtube.com/watch?v=aXMcLO4dNwQ&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=2


Speaker(s): Joshua Corman and Nicholas Percoco

Description: In the Internet of Things, security issues have grown well

beyond our day jobs. Our dependence on software is growing faster than our

ability to secure it. In our efforts to find the grown-ups who are paying

attention to these risks, one painful truth has become clear: The Cavalry

Isn¹t Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON

21, a call was made and many of you have answered. At DerbyCon, we begin

the work of shaping our futures. Here at AppSec, we have the opportunity

to level-up and reframe our role in all of this. As the initiated, we face

a clear and present danger in the criminalization of research, to our

liberties, and (with our increased dependence on indefensible IT) even to

human safety and human life. What was once our hobby became our profession

and (when we weren¹t looking) now permeates every aspect of our personal

lives, our families, our safetyŠ Now that security issues are mainstream,

security illiteracy has lead to very dangerous precedents as many of us

are watching our own demise. It is time for some uncomfortable

experimentation.

 

This session will both frame the plans to engage in Legislative, Judicial,

Professional, and Media (hearts & minds) channels and to organize and

initiate our ³constitutional congress² working sessions.  The time is now. It will not be easy, but

it is necessary, and we are up for the challenge.

 

It¹s high time we make our dent in the universe. For background, please

watch the video of the launch of @iamthecavalry : http://bit.ly/16YbpC1 >

Join the conversations also at: google group:

https://groups.google.com/d/forum/iamthecavalry


Speakers
avatar for Josh Corman

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting... Read More →
avatar for Nicholas J. Percoco

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade that performed more than 2000 computer incident response and forensic investigations globally, ran thousands of ethical hacking and application security tests for clients, and conducted bleeding-edge security research to improve... Read More →


Wednesday November 20, 2013 12:00pm - 12:50pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

12:00pm

OWASP NIST NSTIC IDecosystem Initiative: Initial Discussion Meeting
Bev Corwin, Member Representative for the OWASP IDESG Identity Ecosystem initiative is holding a first meeting discussion forum at AppSec USA to elaborate on the foundation's involvement with the NSTIC Identity Ecosystem Steering Committee. Please contact Bev Corwin (Bev.Corwin@owasp.org) if you wish to attend. 

Moderators
avatar for Bev Corwin

Bev Corwin

Chapter Leader, OWASP Foundation
http://www.linkedin.com/in/bevcorwin

Wednesday November 20, 2013 12:00pm - 12:50pm
Edison (5th floor) NY Marriott Marquis

12:00pm

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
avatar for Chris Schmidt

Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization. During the day, Chris is Chief Architect for Contrast Security where he has been since fall 2010. Prior to joining the... Read More →
avatar for Kevin Wall

Kevin Wall

Information Security Engineer 5, Wells Fargo
Kevin is an experienced Application Security developer, and he is the OWASP ESAPI project co-leader / committer.
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


Wednesday November 20, 2013 12:00pm - 5:00pm
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm

Mantra OS: Because The World is Cruel
Video of session:
https://www.youtube.com/watch?v=aWByCj8qfFE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=28

OWASP Mantra OS was developed under the mantra of “OWASP because the world is cruel”;
The reason this mantra is used for a underlying principle for the development of Mantra OS is because simply it is better for the pen tester to find the exploit then the hacker. The tool-set of Mantra OS v13 contains the same tools many hackers use to exploit web applications such ddos, SQL injection, man in the middle attacks, and poisoning attacks. The purpose of this presentation is to show practical testing methodologies using Mantra OS and how to run these test in a controlled environment. In this talk we will discuss and demo:

• Demo of tool-set of Mantra OS
• Maltego and Intelligence collection.
• DDoS using LOIC, Slow HTTP poisoning and ping of death with scampy.
• SQL injection with burp and sqlmap.
• Man in the Middle with SSL stripping.
• Arp Poisoning, ICMP poisoning and Smurf attacks.
• How to deploy these attacks in controlled environment.

In addition we will discuss why and how hackers use these tools, methods of mitigation these style attacks by hackers, and how to turn pen testing into a risk mitigation plan.

Speakers
avatar for Greg Disney-Leugers

Greg Disney-Leugers

Platform Security Engineer, Hytrust


Wednesday November 20, 2013 1:00pm - 1:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

1:00pm

Open Mic - Birds of a Feather --> Cavalry

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20  badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
avatar for Josh Corman

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting... Read More →
avatar for Nicholas J. Percoco

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade that performed more than 2000 computer incident response and forensic investigations globally, ran thousands of ethical hacking and application security tests for clients, and conducted bleeding-edge security research to improve... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Booth (5th Floor) NY Marriott Marquis

1:00pm

HTML5: Risky Business or Hidden Security Tool Chest?
Video of session
https://www.youtube.com/watch?v=fzjpUqMwnoI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=15

The term "HTML5" encompasses a number of new subsystems that are currently being implemented in browsers. Most of these were created with a focus on functionality, not security. But the impact of these features is not all negative for security. Quite the oposit. New abilities to store data on the client, or having access to hardware sensors like geolocation and tilt sensors have the ability to enhance session tracking and make authentication more secure and easier to use. This talk will select a number of examples to demonstrate the positive, as well as sometimes negative, impact of these features for web application security. Code samples for any demonstrations will be made available.

Speakers
JU

Johannes Ullrich

Dean of Research and a faculty member, SANS Technology Institute
Dr. Johannes Ullrich is the Dean of Research and a faculty member of the SANS Technology Institute. In November of 2000, Johannes started the DShield.org project, which he later integrated into the Internet Storm Center. His work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry. Secure Computing Magazine named him in 2005 one of the Top... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

1:00pm

A Framework for Android Security through Automation in Virtual Environments

This session introduces a practical approach to securing Android applications through an automated framework. The framework uses a simple interface and automatically evaluates applications - even hundreds of them - harvesting behavioral data and run patterns, facilitating the vast majority of evolving security tests. Citing research from using this framework, this session will also answer some of today’s most pressing android security questions.
This presentation will address the limitations of real time security and fragmented security models for security evaluations of Android applications, and will demonstrate how to resolve this using an automated virtual environment that analyzes behavior of Android apps while providing a layer of transparency between Android apps and Android users.

Then it will present how I built an open source framework - the Android Security Evaluation Framework (ASEF) to help resolve security needs of a larger spectrum of Android users including researchers and developers. I will explain how to perform security evaluations on a bigger scale for app stores and large organizations by demonstrating scheduled automatic security evaluations that can be done remotely from an android device using ASEF and its agent.

Citing results from using ASEF, I will also recommend safe practices to follow by being proactive about security measures before installing an app, as well as tips for effective security management after android apps are installed. I will also discuss the importance of Behavioral Analysis and Vulnerability Management of android devices along with idea of integrating security tests in the plug and play framework of ASEF.
           Lastly, I will discuss the future of Android security through the eyes of automation and what tactics can be used to achieve conclusive and comprehensive coverage of upcoming Android security needs.


Speakers
avatar for Parth Patel

Parth Patel

Backend Developer / Security Engineer, Qualys
I find a programmatic way to replace myself at work and when I do, I explore new challenges to work on.  | | Android Security is my most recent interest. Please visit my Open Source Project at (http://code.google.com/p/asef/) | | I have presented my research work at Security Conferences like Sector 2012 (Toronto), BSides 2012 (Vegas, Dallas, Detroit) & S4 Con (San Francisco). | | I aspire to create a largest database of behavioral... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

1:00pm

2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Video of session:
https://www.youtube.com/watch?v=J4i3RY5AGhc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=3

As organization born from grass root ideals and volunteering efforts that stared 12 years ago from the visionaries of the like of Mark Curphey and the likes OWASP has grown in members. OWASP mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and volunteers working on sponsored projects, OWASP has delivered free tools and guides that helped software developers to build more secure web applications. Most notably, the OWASP Top Ten provided the benchmark for testing web application vulnerabilities for several organizations. Projects such as the development guide and testing guide provides pointed guidance to software developers on how to design and test web applications. Among the application security stakeholders that OWASP serve today, (CISOs) Chief Information Security Officers are often the ones that make decisions on rolling out application security programs and activities invest in new tools and set budget for application security resources. Recognizing the important role that the CISO has in managing application security processes within the organizations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organization. Recognizing that a CISO guide has first and for most capture the needs of CISO in managing application security from information security governance, risk and compliance perspectives a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific CISOs needs. One of the most important aspects covered in the CISO guide are to making the business case for application security investments by helping CISOs in translating technical risks such as the OWASP top ten into business impacts, compliance with standards and regulations and risk management. Specifically the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seek to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Speakers
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures... Read More →
avatar for Marco Morana

Marco Morana

In his current position, Marco runs the application architecture security program globally for one of the largest Financial Institutions (FI) of the world in London U.K. He is also technical advisory for security technology start up and contributor of EU projects for cyber security. During his 15+ years of distinguished career in security, he specialized in application and software security consulting services for major Fortune 500 companies... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

1:00pm

PANEL: Privacy or Security: Can We Have Both?
Often confused with each other, security and privacy are both interdependent (privacy generally requires robust security) and sometimes at odds with each other (security may require sacrificing privacy). While the public’s online privacy has taken a big hit in the past decade, it is at least defended by an army of public-interest groups and legal experts. Meanwhile, to many, the public’s online security often remains shrouded in technical jargon and barely present in public policy discussions.This panel will explore issues such as these: -When do security measures go “over the line” and begin encroaching on individual privacy? -What privacy rights is the public (or should it be) willing to trade for more security?- Online anonymity gets a lot of lip service. Has it outlived its usefulness? Political dissidents aside, is it now doing more harm than good by shielding criminals while hardly protecting the average user?- Major private and public institutions often fall down on the job of ensuring either cybersecurity or cyberprivacy. What combination of self-regulation, government oversight, and market accountability (in the form of cyber insurance, auditing, and litigation) would most effectively push them to better meet their responsibility to the public and shareholders? Moderator: Jeff Fox, Technology Editor, Consumer Reports and ConsumerReports.org

Moderators
avatar for Jeff Fox

Jeff Fox

Electronics Deputy Content Editor, Consumer Reports Magazine
Jeff Fox is an Electronics Deputy Content Editor at Consumer Reports magazine and ConsumerReports.org. He has covered online security and privacy for 19 years and edited the annual Consumer Reports State of the Net investigative report for the past 9 years. Prior to joining Consumer Reports, he was president of Fox & Geller, a nationally recognized publisher of personal computer software. He holds an MS in Journalism from Columbia... Read More →

Speakers
avatar for Joseph Concannon

Joseph Concannon

Joseph R. Concannon brings his leadership, program management skills and endless energy to the helm of Integris Security LLC., a boutique security startup firm. Mr. Concannon, with his experience, brings to Integris Security information and physical security, disaster recovery/business continuity planning and intelligence services along with his leadership capabilities. | Prior to Integris Security, Mr Concannon led the FBI public/private... Read More →
avatar for James Elste

James Elste

CEO & Co-Founder, Cognitive Extension, Inc.
James is CEO and Founder of Cognitive Extension, Inc., leading the development of inqiri.com and the Decision Optimization Engine technology platform.  He has extensive experience developing and managing enterprise cyber-security programs, in both the public and private sectors having served as the Chief Information Security Officer for the State of Nevada, Director of IS Security and Internal Controlsfor International Game Technology (IGT), and... Read More →
avatar for Jim Manico

Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including... Read More →
avatar for Amy Neustein

Amy Neustein

Author; Editor-in-Chief, International Journal of Speech Technology
Amy Neustein, Ph.D., is Editor-in-Chief of the International Journal of Speech Technology (Springer), a member of De Gruyter’s STM Editorial Advisory Board, and Editor of their new series, Speech Technologyand Text Mining in Medicine and Healthcare. Dr. Neustein is also Series Editor of Springer Briefs in Speech Technology. She has published over 40 scholarly articles, is a frequent invited speaker at natural language and speech technology... Read More →
avatar for Jack Radigan

Jack Radigan

Owner, Centrych Systems LLC
Jack is a Navy veteran who's IT career has taken him from independant and corporate software development, to multi-national messaging infrastructure design and deployment, to information security. He's worked as a contributor and manager for companies in archival data, business information, telecommunications, and financial industries. While at Dun & Bradstreet one of his roles was Director, Data Security. He was a key contributor to their... Read More →
avatar for Steven Rambam

Steven Rambam

Founder and CEO, Pallorium, Inc
Steven Rambam is the founder and CEO of Pallorium, Inc. (http://www.pallorium.com), a licensed Investigative Agency with offices and affiliates worldwide. Since 1981, Pallorium's investigators have successfully closed more than 10,500 cases, ranging from homicide and death claim investigations to missing persons cases to the investigation of various types of sophisticated financial and insurance frauds. | | Pallorium's online subsidiary... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

1:00pm

Project Talk: OWASP OpenSAMM Project

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

◊ Evaluating an organization’s existing
software security practices

◊ Building a balanced software security program
in well-defined iterations

◊ Demonstrating concrete improvements
to a security assurance program

◊ Defining and measuring security-related activities
within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

Project Leader, Sebastien Deleersnyder, will be speaking about the project in depth in this talk.  

 




Speakers
avatar for Pravir Chandra

Pravir Chandra

Security Architect at Bloomberg, Bloomberg
Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security initiatives that demonstrate concrete value for the firm. Prior to this, Pravir was Director of Strategic Services at HP/Fortify where he lead software security... Read More →
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm
Edison (5th floor) NY Marriott Marquis

2:00pm

Javascript libraries (in)security: A showcase of reckless uses and unwitting misuses.
Client side code is a growing part of the modern web and those common
patterns or libraries, that are supposed to help developer's life,
have the drawbacks to add complexity to the code exposing unexpected
features with no or little warning.
We will focus on the most popular JavaScript libraries such as jQuery,
YUI etc and common design pattern, describing how happens
that wrong assumptions can lead to unexpected, unsafe behavior.
Several code example and live demos during the talk will try to clear both
exploitation techniques and positive coding strategies.
The presentation will also show some interesting case study, collected
and identified during two years of real world applications analysis.

Speakers
avatar for Stefano Di Paola

Stefano Di Paola

CTO and Co-Founder, Minded Security
Security since 2000, application security since 2004, when I made http://www.wisec.it and published several advisories. Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding MindedSecurity, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

2:00pm

Revenge of the Geeks: Hacking Fantasy Sports Sites
Video of session:
https://www.youtube.com/watch?v=a7asG7rbsHo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=37

In this talk, I’ll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and are not surprisingly exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested.
In this particular application, mistakes with the application’s session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victims account.
After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?
This presentation will:
--Provide overview and details about each of the various formats (JSON, REST, SOAP, GWTk, and AMF) in popular use today
--Provide clear examples of basic mobile app insecurityRevenge of the Geeks: Hacking Fantasy Sports Sites In this talk, I’ll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and are not surprisingly exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested. In this particular application, mistakes with the application’s session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victims account. After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?
This presentation will:
--Provide overview and details about each of the various formats (JSON, REST, SOAP, GWTk, and AMF) in popular use today --Provide clear examples of basic mobile app insecurity
--Demonstrate how to setup an environment to start watching mobile traffic, including how to leverage Wifi Pineapple hardware to set up a local access point
--Demonstrate how to inject malicious characters into these services to find vulnerabilities
--Discuss what tools are available to automate this process and make it a little easier
--Show examples of real vulnerabilities in mobile apps in use today
Attendees will be given a whitepaper with the details of the complete setup demonstrated in the talk.

Speakers
avatar for Dan Kuykendall

Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

2:00pm

What You Didn't Know About XML External Entities Attacks
Video of session:
https://www.youtube.com/watch?v=eHSNT8vWLfc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=9

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects.  Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs) are a well-known source of potential security problems.  Despite being a publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs.  This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel.  These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.

Speakers
avatar for Timothy Morgan

Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, and Oracle WebLogic Application Server. Tim develops and maintains several open source forensics tools as well as Bletchley, an application cryptanalysis tool kit... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

2:00pm

Open Mic: Making the CWE Approachable for AppSec Newcomers

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
HR

Hassan Radwan

Secure Decisions
Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application security and quality field for the past six years at Secure Decisions and has a passion for representing application security information in a visual and consumable... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Booth (5th Floor) NY Marriott Marquis

2:00pm

"What Could Possibly Go Wrong?" - Thinking Differently About Security
Video of session:
https://www.youtube.com/watch?v=bIn-tzGezqM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=16

Almost all security professionals have one or more headshaking security stories caused by everything from sloppy design to execrable coding to insanely asymmetric risk assumption. Technical acumen is not enough if we want to improve actual security (instead of improving our job security): we need to think about, and talk about, security differently.   This means absorbing the language, constructs and lessons of other disciplines from economics (systemic risk) to military history and tactics (force multipliers). It means understanding the limits of technology, that there are "unknown unknowns" and that humans are all too fallible (and there's no upgrade coming). Lastly, it requires the techno-proficient among us to learn to de-geek our speak so that we can express security concerns in terms that decision makers and policy makers can understand: "barbarians are at the gate" is so much more understandable and actionable than "there's a manifestation of a theoretic weakness in the Visigoth detection protocol."  

Speakers
avatar for Mary Ann Davidson

Mary Ann Davidson

Chief Security Officer, Oracle Corporation
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle Software Security Assurance. She represents Oracle on the Board of Directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), and serves on the international board of the Information Systems Security Association (ISSA). She has been named one ofInformation Security's top five "Women of Vision," is a Federal 100 award... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

2:00pm

PANEL: Cybersecurity and Media: All the News That's Fit to Protect?

It's no longer possible to be in the news media without being security savvy.

Edward Snowden's NSA leaks, FBI subpoenas of reporters' phone records, and frequent hack attacks directed against news organizations -- all of these prove that we're living in a time when journalists need cybersecurity skills. 

Whether to protect the sacred bond between reporters and sources or to protect the credibility and availability of a major news website, those in the media must know what security tools are available and how to use them. And the security industry must know what journalists need, and how existing tools fall short.Cybersecurity and Media: All the News That's Fit to Protect?  

In this panel, reporters and IT pros will describe how security issues have affected them. We'll discuss leading-edge software and best practices to protect the newsroom. And we'll create a wishlist for the software and services needed to protect journalism's role as the 24/7, real-time, global clearinghouse of the information economy. 


Moderators
avatar for Dylan Tweney

Dylan Tweney

Executive Editor, VentureBeat
Dylan Tweney is Executive Editor of VentureBeat (http://venturebeat.com), an independent tech news site that reaches 5 million readers per month. Previously, he was senior editor at Wired.com, where he was responsible for the site’s gadget news and product reviews from 2008 to 2011, and launched the site’s business coverage in 2007 In the past, he also worked as a pizza delivery man, door-to-door environmental activist, English... Read More →

Speakers
avatar for Michael Carbonne

Michael Carbonne

| | Michael is Manager of Tech Policy and Programs at Access, an international human rights organization fighting to defend and extend the digital rights of users at risk around the world. There he manages projects that analyze digital attacks on civil society and media organizations, support the development of innovative secure communications technologies, and provide preventative advice to civil society organizations and human rights defenders... Read More →
avatar for Rajiv Pant

Rajiv Pant

CTO, New York Times
Rajiv Pant is Chief Technology Officer & VP at The New York Times. Prior to his promotion to CTO, Rajiv joined The Times as Vice President of Digital Technology. He supervises a staff of 250+, including the Vice Presidents of Web & Mobile Engineering, CMS & Publishing, and Ecommerce & Customer Service; the Directors of Business Intelligence, Quality, and Project Management; and The Editor of Interactive... Read More →
avatar for Gordon Platt

Gordon Platt

President, GothamMedia
Gordon Platt is the Founder and President of Gotham Media. He is an attorney, television producer and was the Executive Producer of the Poliak Center for First Amendment Issues at Columbia Journalism School. Platt launched Gotham Media in 2007 as a conference company with a focus on innovation in media, technology, advertising, finance and law. Since then, he has transformed the company into a full service strategic communications and marketing... Read More →
SR

Space Rogue

Strategist, Tenable
Space Rogue and his colleagues created the first security research think tank known as L0pht Heavy Industries and was a co-founder of the Internet security consultancy @Stake. While at L0pht Heavy Industries Space Rogue created the widely popular Hacker News Network, which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the The Whacked Mac Archives, which at the time, was the largest and... Read More →
avatar for Nico Sell

Nico Sell

CEO & Co-Founder, Wickr/r00tz
Nico Sell is a professional artist, athlete and entrepreneur based in California.  She is CEO and cofounder of r00tz and Wickr.  Wickr is a free messaging app enabling anyone to send self-destructing messages that are anonymous, private, and secure.  r00tz is a nonprofit dedicated to teaching kids how to love being white-hat hackers.  Nico also helps organize DEF CON, the largest hacker gathering in the world. 


Wednesday November 20, 2013 2:00pm - 2:50pm
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

2:00pm

Project Talk: The OWASP Education Projects
The OWASP Education project is meant to centralize all educational initiatives of OWASP. The project will not deliver education material as such, but define standards and guidelines on education material. Furthermore, this project aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen scrape video courses, and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously.

Initiatives of the OWASP Education Project are:
  • OWASP Academies
    • OWASP Academy Portal
    • OWASP University Outreach
    • OWASP Student Chapter
Project Leaders, Martin Knobloch and Konstantinos Papapanagiotou, will be giving a talk on the various education projects within the OWASP Projects Inventory. Attend this talk for an excellent overview of each initiative.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals
avatar for Martin Knobloch

Martin Knobloch

Principal Consultant, Nixu
Martin is Principal Consultant at Nixu BeNeLux (https://www.nixu.com/en/nixubenelux). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advise and implementation of application security measures. | With his background in Java Development, he understands the complexity of Enterprise software development, Agile Scrum... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm
Edison (5th floor) NY Marriott Marquis

3:00pm

Advanced Mobile Application Code Review Techniques
Advanced Mobile Application Code Review Techniques
 
Abstract:
Learn how Mobile experts blend their techniques in order to accelerate code reviews. While reviewing Windows Phone 8, Hybrid or HTML 5 applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.
Objectives: • To give live demonstrations of the most common insecurities found in Windows Phone 8, HTML5 or Hybrid applications.
• To share tested and proven methods of discovering insecurities via code reviews.
• To learn how to efficiently conduct source code reviews for mobile applications.
• To develop a checklist for Mobile Code Reviews.

Outline:
An emerging trend is the use of smart phones for financial transactions. As usage of mobile devices grow, concerns on security for mobile transactions also grow. With the demand for M-Commerce and M-Banking applications rising, Mobile application developers should be aware of what flaws they may inadvertently introduce.
This presentation is intended to provide an insight into coding-related flaws present in mobile applications. It is aimed at providing you with a targeted and efficient approach towards the discovery of these flaws in your mobile application code. As Windows Phone 8, HTML 5 and Hybrid mobile technology are the latest popular mobile platforms or technology, we would focus on these areas during this presentation. The content of the talk is outlined below: • Introduction to Mobile Applications • Threats to mobile applications
• Advantages of "Mobile Code Reviews"

• Windows Phone Insecurities (with demonstrations using vulnerable code as well as secure code) • Attacks on data stored in the device 
• Malwares present in the application, which send unauthorized SMSs or make unauthorized calls.
• Incorrectly implemented application encoding and encryption.
• Tapjaking
• Other hacks

• HTML5 Insecurities (with demonstrations using vulnerable code as well as secure code) • Insecure Data validations and injection based attacks
• Client side data caching and storage
• Client side reflection based attacks
• Insecure Network Connections
• Other hacks

• Hybrid Technology Mobile Insecurities • A gist of the insecurities with respective discovery techniques and solutions.

• Advanced Mobile Code Reviews • The checklist compiled so far during the presentation
• Handy tricks for Mobile Code Reviews
• A quick demonstration of the discovery of vulnerabilities in a vulnerable application

• Conclusion

Speakers
avatar for sreenarayan a

sreenarayan a

Information Security Consultant, Independant Consultant
Sreenarayan is currently working as an Independant Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has trained 30+ engineers to detect security flaws in mobile applications. He has found flaws in leading Mobile-based financial applications and helped the respective... Read More →


Wednesday November 20, 2013 3:00pm - 3:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

3:00pm

OWASP Zed Attack Proxy
Video of session: https://www.youtube.com/watch?v=pYFtLA2yTR8&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=1

The Zed Attack Proxy (ZAP)  is now one of the most popular OWASP projects.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.

After giving a quick introduction for people new to ZAP, Simon will focus on the latest features, including those developed as part of the Google Summer of Code as well as Plug-n-Hack and the Zest scripting language.

Simon will also demonstrate soon to be released features that have not been seen before and are believed to be not currently possible using equivalent tools.

Speakers
avatar for Simon Bennetts

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Wednesday November 20, 2013 3:00pm - 3:50pm
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

3:00pm

Open Mic: FERPAcolypse NOW! - Lessons Learned from an inBloom Assessment

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
avatar for Mark Major

Mark Major

Cybersecurity Engineer, Aerstone
By day Mark works as a cybersecurity engineer at Aerstone. By nights and weekends he organizes the Boulder OWASP chapter. | | Mark directs the annual Front Range OWASP Conference (SnowFROC) in Denver, CO. In 2014 he took a break from SnowFROC in order to chair AppSec USA. In these roles, Mark was integral in all areas of planning, including budgeting, venue negotiation, sponsorship, vendor management, catering, speaker and volunteer... Read More →


Wednesday November 20, 2013 3:00pm - 3:50pm
Booth (5th Floor) NY Marriott Marquis

3:00pm

Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation
Video of session:
https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=33

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organizations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications.  In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5.
Our story will arm you with the knowledge you’ll want should you decide to go down the same path.  When we initially decided to implement CSP, the BETA version of our website was already live.  Like many sites, our platform grew from something we initially started as a pet project.  Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.  
We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal these nuances at runtime.  
Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed.  We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks.

Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime.  Needless to say we were surprised by what was reported, and we’ll share the results.  
Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).

Speakers
avatar for Brian Holyfield

Brian Holyfield

Gotham Digital Science
Brian is a founding member of Gotham Digital Science. He has over 10 years of experience performing penetration testing and code review. Brian is also the team lead for SendSafely, an browser based encrypted file exchange platform. Brian has spoken at numerous security conferences including BlackHat, RSA, AppSec USA, Source Boston and Shmoocon.
avatar for Erik Larsson

Erik Larsson

Erik is a professional Java developer. In addition to writing code, Erik also consults with other developers on how to identify security flaws through code review and secure development patterns. | | Java Developer for SendSafely.com and Secure Development Consultant with Gotham Digital Science


Wednesday November 20, 2013 3:00pm - 3:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

3:00pm

Making the Future Secure with Java
Video of session:
https://www.youtube.com/watch?v=L2Bgn6xMog0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=13


The world is not the same place it was when Java started.  It’s 2013, and attackers are intensely motivated, sophisticated, and well organized.  Java security is a significant concern across many organizations as well as for individuals.  Attend to learn more about Oracle’s progress on Java platform security and some our plans for the future.

Speakers
avatar for Milton Smith

Milton Smith

Sr. Principle Product Security Manager - Java, Oracle
Milton Smith (Twitter, @spoofzu) Leads the strategic security program for Java platform products as Sr. Principal Security PM at Oracle. Milton is responsible for defining the security vision for Java and managing working relationships with security organizations, researchers, and the industry at large. Prior to Oracle, Milton led security for Yahoo’s User Data Analytics (UDA) property.


Wednesday November 20, 2013 3:00pm - 3:50pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

3:00pm

PANEL: Mobile Security 2.0: Beyond BYOD
BYOD has moved quickly from technology concept to business reality. Today's workers bring the mobile devices they want into their organizations, freely accessing data and working from the most convenient network connections. While all this mobility has unleashed greater productivity for today's companies, it has introduced a new level of complexity for IT. IT professionals today need to move their mobility strategies from BYOD 1.0 -- the introduction of different devices and network connections into the enterprise -- to BYOD 2.0 -- a comprehensive framework that helps IT better monitor and secure data and networks without compromising the productivity of workers. This panel will tackle the issues IT now faces it evolves from the early era of BYOD into a more complex work world of multiple devices, social media, apps, and more.

Moderators
avatar for Stephen Wellman

Stephen Wellman

Vice President and Editor-in-Chief, Slashdot Media
Stephen Wellman is Vice President and Editor-in-Chief of Slashdot Media where he oversees all editorial content creation and operations across the company’s industry-leading media properties, including Slashdot, SourceForge and Freecode. Stephen works hands-on with the editors, writers and the online communities at Slashdot Media to ensure the company’s Websites deliver the best possible content and community experiences available... Read More →

Speakers
avatar for Devindra Hardawar

Devindra Hardawar

National Editor; Lead Mobile Writer, VentureBeat
Devindra Hardawar is VentureBeat's National Editor and lead mobile writer, focusing on the latest news from Apple, Google, Samsung, Blackberry and Motorola, along with the hottest startups that are disrupting the industry. Devindra has been writing about technology since 2004, worked in IT support for years, and studied philosophy at Amherst College. He has appeared as an expert source on CNBC, WNYC, NPR and other leading outlets. Devindra is... Read More →
avatar for Daniel Miessler

Daniel Miessler

Principal Security Architect, HP
Daniel Miessler is Principal Security Architect with HP based out of San Francisco, California. He specializes in application security with specific focus in web and mobile application assessments, helping enterprise customers build effective application security programs, and speaking with executives about how to best leverage technologies and processes to reduce real-world risk. In his spare time he enjoys reading and writing, programming... Read More →
avatar for Jason Rouse

Jason Rouse

Security Architect, Bloomberg LP
Jason Rouse  is currently a member of the team responsible for the security of Bloomberg LP's products and services, exploring how to re-invent trusted computing and deliver on the promise of ubiquitous biometrics.  Jason is passionate about security, splitting his time between improving Bloomberg's security capabilities and contributing to cutting-edge security projects around the world. In his spare time, he has chaired the... Read More →


Wednesday November 20, 2013 3:00pm - 3:50pm
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

3:00pm

Project Talk: OWASP AppSensor Project
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities. Learn more about OWASP AppSensor Project by attending this talk by OWASP Co-Founder, Dennis Groves. 

Speakers
avatar for Dennis Groves

Dennis Groves

Co-Founder, OWASP
Dennis Groves is the co-founder of OWASP and a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. 
avatar for John Melton

John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool, and looking for prior art. | | For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis space. My previous positions have included technical and leadership roles in both software development and security, working in the financial and defense... Read More →


Wednesday November 20, 2013 3:00pm - 3:50pm
Edison (5th floor) NY Marriott Marquis

4:00pm

OWASP Top Ten Proactive Controls
Video of session:
https://www.youtube.com/watch?v=Cg5dN8Pyn_c&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=4

You cannot hack your way secure!
The OWASP Proactive Controls is a "Top 10 like document" aimed to help developers build secure applications. This project is phrased and built in a positive, testable manner that describes the Top 10 software control categories that architects and developers should absolutely, positively include 100% of the time in every software project.
This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers
avatar for Jim Manico

Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including... Read More →


Wednesday November 20, 2013 4:00pm - 4:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

4:00pm

Open Mic: Struts Ognl - Vulnerabilities Discovery and Remediation

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers

Wednesday November 20, 2013 4:00pm - 4:50pm
Booth (5th Floor) NY Marriott Marquis

4:00pm

Big Data Intelligence (Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud)
Video of session:
https://www.youtube.com/watch?v=afMvndBEv-I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=6


Presentation Title: "Big Data Intelligence" 
Subtitle: "Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud"
As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases exponentially, leaving security experts with a big data mess to analyze. Pinpointing real attacks in a sea of security event noise becomes an almost impossible tedious task. In this presentation, we will unveil a unique platform for collecting, analyzing and distilling Petabytes of WAF security intelligence information. Using the collected data, we will discuss the OWASP ModSecurity Core Rule Set project's accuracy, and reveal common attack trends, as well as our impressions and suggestions for how to wisely make the best out of the CRS project.
Topic covered in this presentation: • Using Big Data for analyzing web application security trends
• Akamai's Cloud Security Intelligence (CSI) platform - collecting Petabytes of WAF events with near-real time analysis capabilities
• Sample data analysis - Top 10 web application attacks and trends, as collected by the system
• Short demo of a unique user interface for navigating and analyzing big WAF data (SARA - Security Analytics Research Application)
• Measuring the accuracy of the OWASP CRS project?
• Analyzing the accuracy of CRS - precision, recall & accuracy statistics against real world traffic
• Frequent real world false positives scenarios, and how to remediate them
• Top 10 triggering rules statistics

Presentation Length: 45 minutes

Speakers
avatar for Tsvika Klein

Tsvika Klein

Cloud Security Product Manager, Akamai Technologies
Rich experience as a speaker in industry conferences and technical panels such as OWASP and academia.
avatar for Ory Segal

Ory Segal

Sr. Director of Threat Research, Akamai
Information about my history in the security industry can be found in the reflection blog post done on me: http://myappsecurity.blogspot.co.il/2007/04/reflection-on-ory-segal.html I have been a part of the security industry since 1996, and was closely involved in building some of the leading products in the web application security industry, such as Sanctum's AppShield & AppScan (now IBM). During the years I have published many research... Read More →


Wednesday November 20, 2013 4:00pm - 4:50pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

4:00pm

Forensic Investigations of Web Explotations
Video of session:
https://www.youtube.com/watch?v=WpDSQ18xaXY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=5

Investigation of hacking incidents often requires combine effort of different technologies. Evidence and forensics artifacts are often found in various forms and formats. Network Forensics is one of the components in the process of finding compromised hosts, capturing and reconstructing malicious sessions. Attacks on web vulnerabilities can be replayed and transmitted data uncovered. This session will cover open source tools used for investigation of web compromised hosts and network forensics. Variety of tools can produce quite significant supplement to electronic evidence, and in many cases also capture the malicious executables transmitted in the traffic, or ex-filtrated data. Various network protocols and their structure will be presented. Open source Network forensic tools will be used on the traffic captured from a hacked web server. Different tools will be introduced for specific tasks in the investigation process. Captured traffic will be analyzed and reconstructed, and various artifacts found in the investigation will be discussed.

Speakers
avatar for LIFARS LLC

LIFARS LLC

CEO, LIFARS LLC
Ondrej Krehel is principal and founder of LIFARS LLC, an international cyber security and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience... Read More →


Wednesday November 20, 2013 4:00pm - 4:50pm
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

4:00pm

Sandboxing JavaScript via Libraries and Wrappers
The large majority of websites nowadays embeds third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or to come under control of an attacker. Unfortunately, the state-of-practice integration techniques for third- party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine- grained security policies for potential untrusted third-party JavaScript code. The architecture contains an outer sand- box that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, with- out imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state-of-the- art as it does not depend on browser modification nor pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of a open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.

Speakers
avatar for Phu Phung

Phu Phung

Research Associate, University of Illinois at Chicago
Dr Phu Phung is a Research Associate at the University of Illinois at Chicago from December 2012, employed by the University of Gothenburg, Sweden. From October, 2011 to December 2012, he was a postdoctoral researcher at Department of Computer Science and Engineering, Chalmers University of Technology, where he received his PhD in October, 2011. Phu's research directions include web application security, runtime policy enforcement for untrusted... Read More →


Wednesday November 20, 2013 4:00pm - 4:50pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

4:00pm

Tagging Your Code with a Useful Assurance Label
Video of session:
https://www.youtube.com/watch?v=FCyUwyjIoBE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=14


With so many ways for software to be vulnerable, businesses needs a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software.  This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life-cycle of a project so that you target the most impactful weaknesses when they are most visible.  The approach can be done consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully. Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernable/findable in each of the different stages of a software development effort.  For example, when you have a live exemplar system available you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be looking for weaknesses that are findable by static analysis tools. The follow-on step to this approach is to use what you found and what you did to create “An Assurance Tag for Binaries", basically an assurance "food label" for the code of that project.  This talk will conclude with a discussion of what such a tag could look like, what it could capture, how the information could be obtained, whom would/could create them, and how they could be represented for humans and machines to use.

Speakers
avatar for Sean Barnum

Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community. He has over 25 years of experience in the software industry in the areas of architecture, development, software quality assurance, quality management, process... Read More →
avatar for Robert Martin

Robert Martin

Sr. Prin. Engineer, MITRE Corporation
Robert joined the MITRE Corporation in 1981 after earning a bachelor's degree and a master's degree in electrical engineering from Rensselaer Polytechnic Institute, subsequently he earned a master's of business degree from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society. He is an avid kayaker, photographer, and scuba diver.


Wednesday November 20, 2013 4:00pm - 4:50pm
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

4:00pm

Healthcare Security Forum

The Healthcare Security Discussion Forum is offered to provide security application developers an opportunity to discuss and share perspective on a vital industry sector where their work is gaining traction.  The Healthcare Forum is an open discussion of activities underway to adopt secure applications (apps) and mobility in the Healthcare sector. It includes guidance from the Office of the National Coordinator (ONC) for Health Information Technology (HIT), from the Healthcare Committee of the National Strategy for Trusted Identities in Cyberspace (NSTIC), from Health Level Seven (HL7), and from the U.S. National Institute for Standards and Technology (NIST), such as Special Publication 800-53-4,"Recommended Security Controls for Federal Information Systems and Organization.” All are welcome to participate in this open discussion of trends, issues, and other topics of interest in the healthcare security sector.  A bibliography will be provided to Forum participants.


Moderators
avatar for Judith Fincher, PhD

Judith Fincher, PhD

Senior Security Engineer, Electrosoft Services, Inc.
Judith A. Fincher, PhD, is a Senior Security Engineer at Electrosoft Services, Inc., a boutique identity management firm offering security services to federal and non-federal clients. In that role she provides security architecture consulting services to the Veterans Health Administration (VHA), other federal clients. Working with the VHA Security Architect (John “Mike” Davis), she developed the official VHA Security and Privacy... Read More →
avatar for Amy Neustein

Amy Neustein

Author; Editor-in-Chief, International Journal of Speech Technology
Amy Neustein, Ph.D., is Editor-in-Chief of the International Journal of Speech Technology (Springer), a member of De Gruyter’s STM Editorial Advisory Board, and Editor of their new series, Speech Technologyand Text Mining in Medicine and Healthcare. Dr. Neustein is also Series Editor of Springer Briefs in Speech Technology. She has published over 40 scholarly articles, is a frequent invited speaker at natural language and speech technology... Read More →

Wednesday November 20, 2013 4:00pm - 4:50pm
Edison (5th floor) NY Marriott Marquis

4:30pm

5:30pm

OWASP Jeopardy
This interactive activity will be a fun filled event where top security professionals will get a chance to sit on a panel and answer a wide ranging set of questions relating to the world of OWASP.
Unanswered questions will be presented to the audience, giving everyone a chance to participate and have fun.  Questions and answers will be also synchronized through twitter to add to the participation. Join us for a night of special guest appearances, prizes, fun and drinks. 

Bring your squeeze balls!

Moderators
avatar for Jerry Hoff

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He... Read More →

Wednesday November 20, 2013 5:30pm - 7:00pm
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

6:00pm

Silk, Webservers, Exploits and RATz by M4v3r1ck
Limited Capacity seats available

Disclaimer: If you have trigger issues -- please do not attend this talk.

Now that the statute or limitations has run out on walk with me as I discuss the industry, the people and the events.

From warelords, to the conference that was meant to be a one-time party to say good-bye to BBSs OG.   Todays web applications still provide the perfect place for logic bombs. We will talk about current news events including carderprofit.cc and the newest threat to turning a profit.

Face it..  the computer security industry is a JOKE, Vă veţi bucura acest talk.

pssssss buddy you want to buy a shell... what'ca want what'ca need?








Speakers
avatar for Yuri

Yuri

sysop
Hacker for Profit


Wednesday November 20, 2013 6:00pm - 6:50pm
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

8:00pm

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first everInternet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/



Moderators
avatar for Serg Belokamen

Serg Belokamen

Founder and CTO, Bugcrowd, Inc., Bugcrowd
Serg is a co-founder and a CTO of Bugcrowd. Bugcrowd delivers ad-hoc, ongoing and objective-based bug bounties. Our clients can elect to engage the full crowd, or run a private bounty with just the top ranked testers. Our service let's you test web, mobile and client-side applications using our curated crowd of 3,500 security researchers and Crowdcontrol - our unique bug bounty management platform. | | | | Serg is passionate about all things... Read More →
avatar for Tom Brennan

Tom Brennan

Consultant, ProactiveRISK
Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →
avatar for Casey Ellis

Casey Ellis

Founder and CEO, Bugcrowd Inc
Casey Ellis, CEO and founder of Bugcrowd has spent 14 years in information security, servicing clients ranging from startups to multinational corporations as a security and risk consultant and solutions architect. He has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney Australia to San Francisco with Bugcrowd, he founded White Label Security, a white-labelled penetration testing... Read More →
avatar for Simon Roses Femerling

Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE. DeepSec and Microsoft Security Technets.
avatar for Jeremiah Grossman

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. | | As a well-known security expert and industry veteran, Mr... Read More →

Wednesday November 20, 2013 8:00pm - 11:59pm
Salon 2 (5th Floor Ballroom) NY Marriott Marquis
 
Thursday, November 21
 

8:00am

Registration
Thursday November 21, 2013 8:00am - 12:00pm
5th Floor Ballroom Foyer NY Marriott Marquis

9:00am

') UNION SELECT `This_Talk` AS ('New Exploitation and Obfuscation Techniques’)%00
This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also present the ALPHA version of an open-source framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine if they are an adequate enough defense measure to stop a real cyber-attack.

Speakers
avatar for Roberto Salgado

Roberto Salgado

Co-Founder and CTO, Websec
Roberto is the co-founder and CTO of Websec, an Information Security company. He was born in Harlingen, Texas in 1986, but was raised on the island of Cozumel, Mexico. At the age of 17 Roberto moved to Vancouver Island and has lived there ever since. In 2010 Roberto founded Websec with two lifelong friends and since then he has enjoyed building it to what it has become today.


Thursday November 21, 2013 9:00am - 9:50am
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

9:00am

Defeating XSS and XSRF using JSF Based Frameworks
During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected.
This presentation will focus on Frameworks built upon JSF API component of JEE and two specific vulnerabilities which frameworks commonly advertise built-in mitigation; cross site scripting and cross site request forgery. 
It is very common for a framework to provide ways to prevent XSS and XSRF so to begin the session, I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities.
During the course of this presentation, I will demonstrate what happens when these frameworks are used out-of-the-box by exploiting a sample application.  Since this code is open source, we will look at the framework code to confirm or deny that they have automatically protected you against these attacks.  I will then proceed to give you a couple of options which will close these gaps and secure the application from these attacks. 
You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.

Speakers
avatar for Stephen Wolf

Stephen Wolf

I have spent the last 6 years of my development career evangelizing application security and am currently working as an application security engineer in the San Francisco bay area. I’ve been a developer for over 20 years with my hands into everything from embedded systems and assembly to object oriented languages like .NET and Java. I’ve worked in a variety of industries such as aerospace, healthcare, manufacturing, insurance, and... Read More →


Thursday November 21, 2013 9:00am - 9:50am
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

9:00am

Contain Yourself: Building Secure Containers for Mobile Devices
Video of session:
https://www.youtube.com/watch?v=siVS2jmPABM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=31

In today's world, everyone wants access to information from his or her personal mobile device.  As a business, this includes your customers and/or employees.  What if the information they want access to is highly sensitive?  While it's tempting to resist these pressures for security reasons, providing mobile access can be a significant competitive advantage and most importantly keep your customers and employees happy and productive. The reality is that in order to survive in a connected world, we must provide a way to meet these demands without sacrificing security.  

Organizations have begun moving from "managed devices" to a Bring Your Own Device (BYOD) model where company resources can be accessed and stored on unmanaged devices. As you can imagine, there are some inherent risks with this approach due to the organizations inability to enforce policies on personal devices. There is currently a huge market for solutions that allowing enterprises protect their data on unmanaged devices. Enter "Secure Containers” and “Application Wrapping". The basic premise of these solutions is that it allows organizations enforce policies at the application layer rather than the device layer. For example, authentication, remote wipes, lockouts and data encryption can now be enforced on a per application basis. Application Wrapping is a technique, which allows the ability inject their own code into existing iOS applications. Once injected, existing iOS method implementations can be overwritten to enforce these policies. In a nutshell, you can have an existing application and have it wrapped so that it enforces various defined policies and secure it without developers having to manually implement it.  

We have performed security assessments of various commercial BYOD solutions and custom secure containers. Additionally, we have also provided guidance in the development and design of such solutions. We plan to share our experiences through various case studies showcasing the various security issues encountered and testing techniques used throughout these assessments. We expect to cover and provide the audience with newfound knowledge in the following topics:  

What is Application Wrapping and How It Is Implemented
    - Dynamic Library Injection
    - iOS Method Swizzling

Walkthrough of Common Designs for Secure Containers
    - Weak Crypto Key Storage and Generation
    - Common Crypto Implementation Flaws   
    - Online and Offline Authentication Designs

Leveraging iOS Runtime Analysis for Reversing Implementations
    - Common iOS Reversing Techniques
    - Writing Mobile Substrate Hooks

Completeness of the Implementation
    - Preventing Common Mobile Security Plaintext Storage Issues
    - Inadvertent Caching of Sensitive Data
    - Jailbreak Detection
    - Weaknesses in Policy Enforcement and Remote Wipes

Attendees will leave with an understanding of the advantages and disadvantages of using "secure container" solutions. The presentation will be delivered from the point of view of a security tester with experience in assessing various implementations. Organizations can leverage this knowledge in order to perform informed decisions when choosing or developing solutions. Security testers will leave with baseline checks and testing techniques for assessing secure container implementations. 

Speakers
avatar for Ronald Gutierrez

Ronald Gutierrez

Senior Security Engineer, Gotham Digital Science
Ron Gutierrez is a senior engineer at Gotham Digital Science (GDS), where he specializes in a application security code reviews, mobile application assessments, black box application testing and threat modeling. Ron is a member of the SendSafely development team and a frequent contributor to the GDS Security Blog (http://blog.gdssecurity.com). Ron has spoken at security conferences such as AppSec USA and Shmoocon. Ron's current interests... Read More →


Thursday November 21, 2013 9:00am - 9:50am
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

9:00am

Mobile app analysis with Santoku Linux
Video of session:
https://www.youtube.com/watch?v=cmVRCWbo0jU&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=26


Did you think there were a lot of mobile devices and platforms out there?  Check out the hundreds of mobile tools being developed.  We calculated it would take more time to install, test and maintain the various mobile tools than to actually fuzz the hell out all existing mobile operating systems.  So, we created Santoku Linux, a F/OSS, bootable Linux distro to make life easier for mobile hackers. 
We pre-install not only the mobile platforms but promising tools in development.  Santoku covers mobile forensics, mobile malware analysis and mobile security testing.  The distribution is based on Lubuntu 12.04 x86_64 and we recently moved to .deb support for simplified upgrades.  The Santoku website contains useful information on Santoku, notable: • Tools: https://santoku-linux.com/features
• HOWTOs: https://santoku-linux.com/howtos
• Changelog: https://santoku-linux.com/download/changelog

This talk will introduce Santoku and provide live demos of 1) how to forensically acquire and analyze Android and iOS devices, 2) several tools to perform security audits of mobile devices and apps, and 3) how to analyze mobile malware analysis.  All demos will leverage tools preinstalled on Santoku Linux and will cover both the iOS and Android  platforms.

Speakers
avatar for Andrew Hoog

Andrew Hoog

CEO/Co-founder, NowSecure
Andrew is the Co-founder and CEO of NowSecure. As a former CIO, Andrew has unique insight into solving enterprise mobile security problems and is driven by NowSecure’s mission to advance mobile security worldwide. He is responsible for the vision, strategy and growth of the company.


Thursday November 21, 2013 9:00am - 9:50am
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

9:00am

AppSec at DevOps Speed and Portfolio Scale
Video of session:
https://www.youtube.com/watch?v=cIvOth0fxmI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=23

Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and Devops.
Unfortunately, software assurance hasn’t kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today’s best software assurance techniques *can’t*handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we’re making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It’s not just security tools – application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect realtime data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowingall the stakeholders in security to collaborate and finally become proactive.

Speakers
avatar for Jeff Williams

Jeff Williams

CTO, Contrast Security
Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


Thursday November 21, 2013 9:00am - 9:50am
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

9:00am

OWN THE CON: How we organized AppSecUSA - come learn how you can do it too
Speakers
avatar for Tom Brennan

Tom Brennan

Consultant, ProactiveRISK
Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk

Volunteers
avatar for Sarah Baso

Sarah Baso

Former Executive Director, OWASP Foundation | I am based in San Francisco, Californa, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.
avatar for Israel Bryski

Israel Bryski

IT Security, Nomura
Israel Bryski has over 7 years of experience in technology and information risk management. He is currently working in IT Security at Nomura and is Chapter Leader for the NYC OWASP Chapter.

Thursday November 21, 2013 9:00am - 10:00am
Booth (5th Floor) NY Marriott Marquis

9:00am

Project Summit: ZAP Hackathon Session
This session is a chance for people to learn how to work on ZAP from the ZAP Project Leader.
ZAP is a community project, and as such participation is actively encouraged.

Simon will explain the numerous ways in which individuals and companies can contribute to ZAP.
He will also explain how the code is structured and explain how any part of the project can be changed.
Working on ZAP is a great way to learn more about web application security.

Being able to change the code means that you can add and change any features you want, either just for you own benefit or to contribute back to the community. There will be time set aside for hacking ZAP, with Simon on hand to answer any questions and give any guidance required.

This is a great opportunity to be part of the fastest growing and most active OWASP project.

During this session, Simon will:

  • Explain how people can contribute to ZAP.
  • Demonstrate how to set up a ZAP development environment.
  • Explain ZAP code structure. 
  • Show people how to code scripts, active/passive scan rules, add-ons, core changes and improve the docs and localization.
  • Let people hack the ZAP code and docs with full support and guidance.

    Please note that if you want to work on ZAP source code (including add-ons) then you should set up a ZAP development environment prior to attending this session.

    You will need to download and install Eclipse and import the main ZAP project as well as the ZAP extension projects - for more details see http://code.google.com/p/zaproxy/wiki/Building

    You will not need to set up a development environment if you just plan to work on scripts, documentation or translation. 
  •  

    Speakers
    avatar for Simon Bennetts

    Simon Bennetts

    Security, Mozilla
    Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


    Thursday November 21, 2013 9:00am - 1:00pm
    Sky Lounge (16th Floor) NY Marriott Marquis

    10:00am

    Open Mic: OpenStack Swift - Cloud Security

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers

    Thursday November 21, 2013 10:00am - 10:50am
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    10:00am

    iOS Application Defense - iMAS
    Video of session:
    https://www.youtube.com/watch?v=TRDT8O2G56o&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=32

    iOS application security can be *much* stronger and easy for developers to find, understand and use.  iMAS (iOS Mobile Application Security) - is a secure, open source  iOS application framework research project focused on reducing iOS application vulnerabilities and information loss.  Today, iOS meets the enterprise security needs of customers, however many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial solutions.  The iMAS intent is to protect iOS applications and data beyond the Apple provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications.  iMAS has released five security controls (researching many more)  for developers to download and use within iOS applications.  This talk will walk through various iOS application vulnerabilities, iMAS security controls, OWASP Mobile top10 and CWE vulnerabilities addressed, and demonstrate the iMAS App Password control integrated into an application.

    Speakers
    avatar for Gregg Ganley

    Gregg Ganley

    Principal Investigator iOS Security Research, MITRE Corp
    23+ software development and management experience Education: MSCS, BSEE. Active research and development in iOS security, Android development, Ruby on Rails web apps, and project leadership. For the past five years his passion has been in the mobile field and in particular mobile security where he is the Principal Investigator of iMAS (iOS Mobile Application Security) a collaborative research project from the MITRE Corporation focused on open... Read More →


    Thursday November 21, 2013 10:00am - 10:50am
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    10:00am

    PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
    Video of session:
    https://www.youtube.com/watch?v=CAtc7Z1VD2I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=18


    Mobile Point of Sale (POS) are becoming more and more common in a wide variety of retail outlets. And why not, it adds speed and convenience to shopping and can increase a retailers ability to sell. But POS and Mobile are hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?
    Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security, Mike Park will walk through the typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign an attack is going on.
    Mike will cover technological shortcomings, coding mistakes and the common misunderstanding of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security.
    Outline

    1. Introduction
    2. Why Mobile POS?
    3. Why iOS?
    4. The Problem
        Poorly written apps
        Speed of jailbreaking
        Ability to hide the jailbreak
        The Card Reader
    5. A walk through of the PiOSon POS demo app
        What the app does
        How the app reads CHD
        How the app processes and send the data to the backend
        How typical is this
    6. Hacking the POS - Demo
        Jailbreak
        Intro to Method Swizzling
        Setting up the device
        Adding the reader
        Installing the malware
        Capture the Track data
    7. How to improve this
        Understand the underlying platform
        Understand the way your card reader works
        Why is this so insecure?
        View a safer version of the app – AntidOte POS
    8. What to do
        Coding best practices
        Choosing a card reader
        Outside the device – MDM?
    9.Conclusion

    Speakers
    avatar for Mike Park

    Mike Park

    Managing Consultant, Trustwave SpiderLabs
    Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an... Read More →


    Thursday November 21, 2013 10:00am - 10:50am
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    10:00am

    OWASP Chapter Lifecycle
    Thursday November 21, 2013 10:00am - 10:50am
    Booth (5th Floor) NY Marriott Marquis

    10:00am

    Accidental Abyss: Data Leakage on The Internet
    Video of session:
    https://www.youtube.com/watch?v=kuBtCoYj6zA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=27

    PII is personally identifiable information.  In the information age, seemingly useless bits of PII can be found everywhere on the web from Facebook to Amazon to county records.  Using purely legal methods and nothing more than artful searching I will show you the art of the low-tech, high-targeted recon.  How much of your identity is scattered around on the internet?   In this ambitious talk we will look at better hacking through television, how to combine crumbs to build thorough dossiers and learn some tricks on how to do some basic information reconnaissance.  By the end of the talk you’ll have some frightening statistics, something good to think about and some tools that will make you a more effective social engineer, an aware user and a more thoughtful security expert.

    Speakers
    avatar for Kelly FitzGerald

    Kelly FitzGerald

    Kelly has a BS in Computer Science from CSUSB. She was awarded a full academic scholarship from the National Science Foundation. In her senior year of college she took a job at EvidentData doing computer forensics. From there she fell in love with the dark side and purposely went in persuit of a career in computer security looking at the bleedy places where people and technology bruise. Kelly has worked at Symantec since 2003 and has two... Read More →


    Thursday November 21, 2013 10:00am - 10:50am
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    10:00am

    Leveraging OWASP in Open Source Projects - CAS AppSec Working Group
    Video of session:
    https://www.youtube.com/watch?v=Zf9xSsRHRNo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=34

    The CAS AppSec Working Group is a diverse volunteer team of builders, breakers, and defenders that is working to improve the security of Jasig CAS, an open source WebSSO project.  This presentation will show how the team is leveraging OWASP resources to improve security, provide security artifacts for potential adopters, and implementing policy and processes for vulnerability analysis and notification.  The story is significant in that it directly addresses OWASP A9 "Using components with Known Vulnerabilities / Secure Coding", and points towards a model that other open source projects could adopt.

    Speakers
    avatar for David Ohsie

    David Ohsie

    David came to EMC 2005 in its acquisition of SMARTS. At SMARTS, he devised and implemented the lastest version of its automated root cause analysis algorithm. David received his Phd in Computer Sciences from Columbia University in 1997. | | 4 years experience in product security assessment and architecture for EMC applications. David Ohsie works on authentication and security architecture for a number of software applications produced by the... Read More →
    avatar for Bill Thompson

    Bill Thompson

    IAM Director, Unicon
    Bill is the Director of the IAM Practice at Unicon, and leads a team of professionals providing IT consulting services to the Higher Education community with a focus on Identity and Access Management, CAS, Shibboleth, and Grouper. Prior to joining Unicon, Bill served as the Senior Associate Director for the Office of Development at Princeton University, providing leadership and direction for web application development, systems integration... Read More →
    avatar for Aaron Weaver

    Aaron Weaver

    Principal Security Analyst, Pearson Education
    Aaron Weaver is Principal Security Analyst at Pearson Education, the leading learning and publishing company. He has played various roles including software developer, system engineer, embedded developer to IT security. He also leads OWASP Philadelphia. Experience includes mobile security, web application security, penetration testing and embedded development. Aaron has also worked on developer and QA awareness to increase security in the... Read More →


    Thursday November 21, 2013 10:00am - 10:50am
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    10:00am

    Project Talk and Training: OWASP O2 Platform

    The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Application Security Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge. Project Leader, Dinis Cruz, will be giving a talk along with a training session on how to use the platform. 




    Speakers
    avatar for Dinis Cruz

    Dinis Cruz

    AppSec, OWASP
    Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →


    Thursday November 21, 2013 10:00am - 10:50am
    Edison (5th floor) NY Marriott Marquis

    10:30am

    Project Summit: ESAPI Hackathon Session
    Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

    Speakers
    avatar for Chris Schmidt

    Chris Schmidt

    Chief Architect, Contrast Security
    Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership discussions amongst the organization. During the day, Chris is Chief Architect for Contrast Security where he has been since fall 2010. Prior to joining the... Read More →
    avatar for Kevin Wall

    Kevin Wall

    Information Security Engineer 5, Wells Fargo
    Kevin is an experienced Application Security developer, and he is the OWASP ESAPI project co-leader / committer.
    avatar for Jeff Williams

    Jeff Williams

    CTO, Contrast Security
    Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


    Thursday November 21, 2013 10:30am - 5:00pm
    Sky Lounge (16th Floor) NY Marriott Marquis

    11:00am

    OWASP Hackademic: a practical environment for teaching application security
    Video of session:
    https://www.youtube.com/watch?v=OxDDzpJLClA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=10

    Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system. 
    The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. 
    Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology. 
    The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities. 
    In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and more importantly security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates. For example we are expanding the use cases of Hackademic in order for it to be used in a corporate environment to either train, assess or raise awareness among employees.
    Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system, that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try. Thus, it is much more difficult for students to cheat.
    A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom and giving the chance to attendees to get their hands on it.

    Speakers
    avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

    Konstantinos Papapanagiotou, Spryros Gastreratos

    Information Security Services Team Lead, OTE
    Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


    Thursday November 21, 2013 11:00am - 11:50am
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    11:00am

    An Introduction to the Newest Addition to the OWASP Top 10. Experts Break-Down the New Guideline and Offer Provide Guidance on Good Component Practice
    Video of session:
    https://www.youtube.com/watch?v=pNjDrcG4QDA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=25

    Experts in the field of application security and open source software development discuss the new OWASP A9 guidelines, offering session attendees unique intelligence on component vulnerabilities and how to deploy new approaches to application security and risk management that address security at the component level, while simultaneously eliminating risk in the modern software supply chain. Panelists to include: Sonatype, Aspect Security, Two Senior Security Executives from Fortune 500 Companies
    Most development teams don’t focus on security.  The 2013 Open Source Software Development Survey, the largest survey of OSS users with more than 3,500 participants, found that more than half of the developers, architects and managers surveyed don’t focus on security at all.  Nearly 20% of this group shared they know application security is important but they don’t have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely.  As open source component use continues to skyrocket with applications now more than 80% component-based, organizations continue to struggle with establishing policy to secure and govern component use.  According to the survey, an alarming 65% of organizations have no component management policies in-place.
    This lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to unnecessary risk.  Open source component vulnerabilities are exceedingly common, with more than 70% of applications containing components with vulnerabilities classified as severe or critical.  Virtually every application has these issues because most development teams don’t focus on ensuring their components stay up to date.  In many cases, developers don’t even know all the components they are using let alone the versions.  In fact, the Open Source Software Development Survey shows only 35% of organizations maintain inventories of the components in their production applications. 
    This panel of industry experts will dissect the new OWASP A9 guidelines that look at the widespread use of insecure open source libraries in today’s modern application development.  Executives from Sonatype, will offer exclusive component usage data from the Central Repository – the industry’s largest source of open-source components receiving 8 billion requests annually.  With its deep history as leaders in open source development, Sonatype can also share with attendees its unmatched knowledge of open source development practices.  Jeff Williams, CEO of Aspect Security and founding member of OWASP, will offer best practices and advice to organizations looking to revamp their software assurance policies.  Lastly Jim Routh, the head of application and mobile security at Citibank will share with attendees the real-world challenges and resolutions faced by the financial institution in mitigating risk in agile, component-based development. 
    Together, the panel will address the following key points and offer attendees important takeaways to jumpstart A9 compliance, including: • How software assurance is now largely incompatible with modern development and why new approaches to security must provide developers with immediate feedback on security context to act as the new frontline of defense;
    • How to inform component choice throughout the development lifecycle, including how to pinpoint flaws early and how to deploy flexible remediation options for flawed components
    • How to build-in component security and risk mitigation into the development process that can also be used by non-security experts; and
    • How new security and risk mitigation approaches must be continuous to address ongoing threats in real-time and to ensure sustaining trust between development, risk management and the application end-user.

    Speakers
    avatar for Ryan Berg

    Ryan Berg

    Chief Security Officer, Sonatype
    Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard... Read More →


    Thursday November 21, 2013 11:00am - 11:50am
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    11:00am

    Verify your software for security bugs
    Video of session:
    https://www.youtube.com/watch?v=i8nbESwT2DQ&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=19

    Verification is an important phase of developing secure software that is not always addressed in depth that includes dynamic analysis and fuzzing testing. This step allows checking that security has been built in the implementation phase: secure coding and using compilers mitigations correctly.
    This presentation will cover the current state of verification technologies that developers can use to check the lack of security mitigations (ASLR, DEP, SafeSEH, Stack Guard, PIE, etc.) and vulnerabilities (Missing Code Signing, Insecure API, DLL planting, poor coding, etc.) and how to implement a battery of tests in their organization to verify their products are safe before releasing as required by an Application Assurance process.
    A new tool will be presented, BinSecSweeper, that performs security binary analysis, is open source and cross platform (Windows and Linux) and can scan PE & ELF file formats for x86-64 that can be used by developers to check their software includes security mitigations and is compliance with Application Assurance best practices or by IT pros to identify insecure applications in their networks. This technology was sponsored by DARPA Cyber Fast Track (CFT).
    If you develop software or work in AppSec this is your talk!

    Speakers
    avatar for Simon Roses Femerling

    Simon Roses Femerling

    Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE. DeepSec and Microsoft Security Technets.


    Thursday November 21, 2013 11:00am - 11:50am
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    11:00am

    Open Mic: Password Breaches - Why They Impact Your App Security When Other WebApps Are Breached

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers
    avatar for Michael Coates

    Michael Coates

    Director of Product Security, Shape Security
    Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security.  In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. | | Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup... Read More →


    Thursday November 21, 2013 11:00am - 11:50am
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    11:00am

    Chapter Handbook - 2013 Revisions
    Moderators
    avatar for Kate Hartmann

    Kate Hartmann

    OWASP Foundation, OWASP Foundation
    Kate joined the OWASP Foundation May 2008 Kate's Ongoing Job Duties Kates work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Current Initiatives include: Improving Foundation... Read More →

    Thursday November 21, 2013 11:00am - 11:50am
    Booth (5th Floor) NY Marriott Marquis

    11:00am

    Chapter Handbook - 2013 Revisions
    Thursday November 21, 2013 11:00am - 11:50am
    Booth (5th Floor) NY Marriott Marquis

    11:00am

    The State Of Website Security And The Truth About Accountability and “Best-Practices”

    Whether you read the Verizon Data Breach Incidents Report, the Trustwave Global Security Report, the Symantec Internet Security Threat Report, or essentially all other reports throughout the industry, the story is the same -- websites and Web applications are one of, if not the leading target of, cyber-attack. This has been the case for years. Website breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation, and loss of customers. Given modern society’s ever-increasing reliance on the Web, the impact of a breach and the associated costs are going up, and fast. 
    At WhiteHat Security we asked customers to answer roughly a dozen very specific survey questions about their SDLC and application security program. Questions such as: 
    • How often do you preform security tests on your code during QA? 
    • What is your typical rate of production code change? 
    • Do you perform static code analysis? 
    • Have you deployed a Web Application Firewall? 
    • Who in your organization is accountable in the event of a breach? 
    • We even asked: has your website been breached?
    We received responses to this survey from 76 organizations, and then correlated those responses with WhiteHat Sentinel website vulnerability data. The results were both stunning and counter-intuitive. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.



    This is exactly the kind of research the application security industry must gather in order to advance the state-of-the-art. To cost-effectively make applications and websites measurably more secure.

    Speakers
    avatar for Jeremiah Grossman

    Jeremiah Grossman

    Founder, WhiteHat Security
    Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. | | As a well-known security expert and industry veteran, Mr... Read More →


    Thursday November 21, 2013 11:00am - 11:50am
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    11:00am

    Project Talk and Training: OWASP O2 Platform

    The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Application Security Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge. Project Leader, Dinis Cruz, will be giving a talk along with a training session on how to use the platform. 




    Speakers
    avatar for Dinis Cruz

    Dinis Cruz

    AppSec, OWASP
    Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →


    Thursday November 21, 2013 11:00am - 11:50am
    Edison (5th floor) NY Marriott Marquis

    12:00pm

    Open Mic: What Makes OWASP Japan Special

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers
    avatar for Riotaro OKADA

    Riotaro OKADA

    founder, AsteriskResearch, Inc.
    future and risk researcher. OWASP Japan chapter leader @okdt http://www.facebook.com/riotaro.okada.pv http://www.linkedin.com/in/riotaroResearcher. Born in Kobe, Hyogo Prefecture, Japan, Mr. Okada has over 20 years of experience in software development and network construction. He has been involved in network construction, software development and the implementation of information security measures at independent software development companies... Read More →


    Thursday November 21, 2013 12:00pm - 12:50pm
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    12:00pm

    Insecure Expectations
    Video of session:
    https://www.youtube.com/watch?v=tU-IRg7Cwts&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=20

    Many developers rely on tests or specs (with expectations) to verify that our code is working properly. Few of us leverage the tests we are already writing to demonstrate security controls are properly applied. In this technical talk, we will walk through hands on examples of tests that demonstrate how to test for common security issues against an example Rails application (though the concept is not Rails specific).  Although substantial testing is possible with existing tools, this talk will also present a new open source tool which provides developers with a simpler way to write security tests.
    The goals are twofold: • To illustrate some common security issues.
    • To give developers something concrete they can do about them.

    In addition to the technical portion of the talk, the speaker will spend a short time challenging the audience to help OWASP find ways to reach developers.  The speaker has had success in a local community reaching developers through simple community organizing strategies, applied conscientiously over a long period of time.

    Speakers
    avatar for Matt Konda

    Matt Konda

    Founder, Jemurai
    Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP, active in developer and devops focused OWASP open source projects and regularly gives industry talks.


    Thursday November 21, 2013 12:00pm - 12:50pm
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm

    Event planning for Chapter Leaders
    Unravel the mysteries of planning local chapter events. This session will focus on some of the common logistical questions that arise when chapter leaders want to increase the outreach in their region by stepping up their chapter meetings. Topics will include OCMS walkthrough, reimbursements and payments, contracts, registrations, venue and catering selections, budgets, and much more.

    Pre-Req: https://www.owasp.org/index.php/How_to_Host_a_Conference

    Moderators
    avatar for Samantha Groves

    Samantha Groves

    Program Manager, OWASP
    Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement projects, staff recruitment and training, and marketing department organization and strategy implementation projects for a variety of commercial and... Read More →

    Thursday November 21, 2013 12:00pm - 12:50pm
    Booth (5th Floor) NY Marriott Marquis

    12:00pm

    OWASP Periodic Table of Elements
    Video of session:
    https://www.youtube.com/watch?v=4GoLqNANlFg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=11

    After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.
    Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

    Speakers

    Thursday November 21, 2013 12:00pm - 12:50pm
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm

    Application Security: Everything we know is wrong
    Video of session:
    https://www.youtube.com/watch?v=1r45Ro1g2Sg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=24

    The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software. 
    This talk is sure to challenge the status quo of web security today.
    "Insanity is doing the same thing over and over and expecting different results." - Albert Einstein
    We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?
    Our testing methodologies are non-consistent and rely on the individual and the tools they use; Some carpenters use glue and some use nails when building a wooden house.
    Which is best and why do we accept poor inconsistent quality.
    Fire and forget scanners won’t solve security issues. Attackers take time and skill but our industry accepts the output of a software programme to help ensure security?
    How can we expect developers to listen to security consultants when the consultant has never written a line of code?
    Why don’t we ask ‘How much code development have you done, seen as you are assessing my code for security bugs?" Currently we treat vulnerabilities like XSS and SQLI as different issues but the root causes it the same. – it’s all code injection theory!! Why do we do this and make security bugs over complex?

    Why are we still happy with “Testing security out” rather than the more superior “building security in”?

    Speakers
    avatar for Eoin Keary

    Eoin Keary

    CTO and Founder, BCC Risk Advisory Ltd.
    Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing. Eoin lives in Dublin, Ireland. 


    Thursday November 21, 2013 12:00pm - 12:50pm
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm

    PANEL: Women in Information Security: Who Are We? Where Are We Going? (Salon 1 & 2)
    NPR reports that 80% of computer programmers are men. As an engaged group that believes in the benefits of gender diversity, OWASP wants to know what we can do to close that gap. In this session, we have invited women from different stages of their Information Security careers to share experiences and offer suggestion about what can be done to improve the situation. We will also hear from a stakeholder in the corporate community who offers best practices to manage diversity within organizations large and small. Moderator: Joan Goodchild, Editor, CSO Online.

    Moderators
    avatar for Joan Goodchild

    Joan Goodchild

    Executive Editor, CSO Online
    Joan Goodchild writes frequently about security leadership, social engineering, social media security and cybercrime in her role as Executive Editor, Online with CSO. | Her previous experience in business journalism includes roles as broadcast and web editor with the Boston Business Journal and as a news writer covering the Windows OS with TechTarget. Prior to that, she worked as a television reporter and anchor for more than a decade. | Joan... Read More →

    Speakers
    avatar for Dawn-Marie Hutchinson

    Dawn-Marie Hutchinson

    Sr. Manager IT Security, Urban Outfitters, Inc.
    Dawn-Marie has over fourteen years’ experience in information technology starting her career in the Walt Disney World Merchandise Information Systems organization.She moved into IT Security in 2004 in the Philadelphia based Independence Blue Cross where she spent the following eight years helping tobuild and mature the information security program. In an effort to expand her knowledge and diversify her industry experience she moved into... Read More →
    avatar for Gary Phillips

    Gary Phillips

    Senior Director, R&D, Symantec
    Gary Phillips is Senior Director of Research and Development in the Office of the CTO for Symantec Corporation. In this position, Gary manages a diversity of responsibilities, including technology assurance, product security, software supply chain assurance, and customer assurance. Gary is currently a member of the Cadence Data Soft board of directors and serves as SAFECode's board treasurer. He is also a former member of the Storage... Read More →
    avatar for Carrie Schaper

    Carrie Schaper

    Security Analyst/Penetration Tester/IR, Federal Government
    Carrie Schaper is an Information Security Professional with over 12+ years of industry experience ranging from Penetration Testing Fortune 500 companies, the Banking Infrastructure, and Government to Incident | Response and Continuous Monitoring. She has performed Threat-Mitigation against  targeted  attacks from  | domestic and foreign adversaries for both corporate and government environments. Carrie studied her Master's degree... Read More →
    avatar for Valene Skerpac

    Valene Skerpac

    Security Strategy and Risk Management Manager, Accenture
    Valene Skerpac, CISSP CISM PMP, is Security Strategy and Risk Management Manager at Accenture. Previously, she was Director, IT Consulting Services Security, Application Solutions and Delivery, iBiometrics, Inc. and Director IT, Security Services at Triad Group. She has also held security and engineering management positions at IBM Global Services and Vorec Corporation. She is the author of Voice Communications Security, a handbook of Information... Read More →


    Thursday November 21, 2013 12:00pm - 12:50pm
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm

    Project Talk: OWASP Testing Guide
    This project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations. Contributors of this project are currently writing Version 4 of the guide, and are actively seeking authors. Learn more about the OWASP Testing Guide here by attending this talk by Project Leader, Andrew Muller. 

    Speakers
    avatar for Matteo Meucci

    Matteo Meucci

    CEO and Co-Founder, Minded Security
    Matteo Meucci is the CEO and a cofounder of Minded Security, where he is responsible for strategic direction and business development for the Company. Prior to founding Minded Security, Matteo had several consultancy experiences from BT Global Services, INS, Business-e and CryptoNet. Matteo has more than 13 years of specializing in information security and collaborates from several years at the OWASP project: he founded the OWASP-Italy Chapter in... Read More →
    avatar for Andrew Mueller

    Andrew Mueller

    Managing Director, Ionize
    I have a drive to improve the security and efficiency of business processes through innovative solutions to perennial problems. Currently I am developing security management through security automation and redefining the security testing process through work with Standards Australia and OWASP.


    Thursday November 21, 2013 12:00pm - 12:50pm
    Edison (5th floor) NY Marriott Marquis

    1:00pm

    Hack.me: a new way to learn web application security
    Video of session:
    https://www.youtube.com/watch?v=hbd_QBJJLhw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=38

    The Hack.me (https://hack.me) project is a worldwide, FREE for all platform where to build, host and share simple and complex vulnerable web applications. It's completely online and doesn’t require any software to be installed, just a web browser.
    Users will be able to run and practice offensive techniques against always new vulnerable web applications provided by the community. Users will be able to practice the OWASP Top 10, testing CMS vulnerabilities,verifying the latest exploits. The vulnerable web applications, referred as hackmes, are run in a sandboxed and user-isolated environment provided by the Coliseum Framework.
    We will show a typical use of the platform and some of the challenges, both technical and legal, faced by the project.

    Speakers
    avatar for Armando Romeo

    Armando Romeo

    eLearnSecurity
    I'm the founder of eLearnSecurity and Hack.me. | | Passionate about anything web application security related. | | | | Connect with me on Linkedin | | | | If you are interested in trying one of our web app security training courses click here


    Thursday November 21, 2013 1:00pm - 1:50pm
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm

    Hacking Web Server Apps for iOS
    Video of session:
    https://www.youtube.com/watch?v=1oCRagEk31A&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=21

    Since the iPhone has been released, people have been trying to figure out different ways to turn it  into a common data storage device. Many applications have been released in the iTunes Store in order to add this capability, some using USB transport (via iTunes), others Bluetooth.
    However, another way found by most of these software vendors is to share the disk space in the cellphone using not only using WiFi capabilities but also the data cellphone connections (GSM/CDMA).
    All of this by implementing a simple web server with file upload feature.
    Web file servers are now very common applications available in the iTunes Store with both free and paid versions that satisfies the users need to “share” the phone as being a file storage unit using the (... yes) HTTP protocol.
    Most (if not all) of these applications are not so well-designed with usually poor features. Yet, these apps are still very popular amongst those users that have no intention in jailbreaking their reliable mobile devices but really want file sharing capabilities.
    As previously mentioned, these apps are mainly developed using just HTML (which also brings some limitations to our testing) with no encryption (SSL) and mostly no authentication (and those supporting it are turned off by default??).
    This research covers these applications described above, both free and paid versions, how they work and what problems they bring to non-jailbroken devices, on top of describing the flaws, there will be a live demo on how risky these apps are.
    Despite of not being the highlight of the talk, it will be also demonstrated how worse things can be in jailbroken devices, once the sandbox security feature is lost.
    This talk will present current unpatched vulnerabilities that have been found while researching these applications,  these range from  medium to critical risks, and it will be shown how we can exploit these vulnerabilities and compromise the phone’s file system with practical attacks.
     
    From a basic reflected XSS to an optimistic scenario: RCE, when the device is jailbroken and also has other app to support (web server with dynamic language for example), some of these exploitations will be presented to the public.
     
    And, all of the issues previously discussed can be magnified since the service (web server) is automatically advertised (and/or responds) to mDNS queries, making the device running that APP an easy target for anyone in the same wireless connection and watching these packets or simply running an mDNS browser.

    Speakers
    avatar for Bruno

    Bruno

    Senior Security Consultant, Trustwave SpiderLabs
    Bruno Gonçalves de Oliveira is a MSc candidate, computer engineer and senior security consultant at Trustwave’s SpiderLabs where his duties are mostly focused in offensive security, doing hundreds of penetration tests from common systems and environments to embedded and uncommon devices. Bruno loves german fast cars (a.k.a BMWs), good ol' Jack and also stout/ale beers. Previously spoken at THOTCON, SOURCE Boston, Black Hat DC, SOURCE... Read More →


    Thursday November 21, 2013 1:00pm - 1:50pm
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm

    Chapter Workshop Promotion | 2014+ NYC/NJ Chapter Leaders Meet-Up
    How to promote your chapter and increase attendance. This session will review different methods of promotion for your chapter all aimed at increasing meeting attendance. Topics will include social media, mailing list management, speaker selections, networking ideas. Geared for the new or re energized chapter leader looking to expand their reach.

    Moderators
    avatar for Kate Hartmann

    Kate Hartmann

    OWASP Foundation, OWASP Foundation
    Kate joined the OWASP Foundation May 2008 Kate's Ongoing Job Duties Kates work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives and identifying opportunities that promote the Foundation's short term and long term strategic goals. Current Initiatives include: Improving Foundation... Read More →

    Thursday November 21, 2013 1:00pm - 1:50pm
    Booth (5th Floor) NY Marriott Marquis

    1:00pm

    Open Mic: Vision of the Software Assurance Market (SWAMP)

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Thursday November 21, 2013 1:00pm - 1:50pm
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    1:00pm

    NIST - Missions and impacts to US industry, economy and citizens

    Video of session:
    https://www.youtube.com/watch?v=jPA7ILovh84&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=36

    Title:
      The US National Institute of Standards and Technology (NIST), Information Technology Lab (ITL).  What we do, why we do it and what it means to you.

    Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of England, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.

    In this session the NIST and ITL missions and impacts to US industry, economy and citizens will be presented.  Attendees can learn about the current Programs, Projects and Research and Development activities in the US Governments premier scientific institutions.


    Speakers
    RK

    Rick Kuhn

    Rick Kuhn is a computer scientist in the Computer Security Division of the National Institute of Standards and Technology. He has authored more than 100 publications on information security, empirical studies of software failure, and software assurance, and is a senior member of the IEEE. He co-developed the role based access control model (RBAC) used throughout industry and led the effort establishing RBAC as an ANSI standard. Previously he... Read More →
    avatar for James St. Pierre

    James St. Pierre

    Deputy Director, ITL, National Institute of Standards and Technology
    James A. St. Pierre is Deputy Director of the Information Technology Laboratory (ITL). ITL is one of six research Laboratories within the National Institute of Standards and Technology (NIST) with an annual budget of $120 million, 367 employees, and about 160 guest researchers from industry, universities, and foreign laboratories. | | Along with the ITL Director St. Pierre oversees a research program designed... Read More →


    Thursday November 21, 2013 1:00pm - 1:50pm
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm

    PANEL: Wait Wait... Don't Pwn Me!
    Audio of panel:
    https://www.youtube.com/watch?v=2F7wPQASWZY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=43

    Test your wits and current AppSec news knowledge against our panel of distinguished guests Joshua Corman, Chris Eng, Space Rogue and Gal Shpantzer. "Wait Wait... Don't Pwn Me!" is patterned after the NPR news quiz show where we challenge the panel and the audience with "Bluff the Listener", "This Week's Security News", "The Security Limerick Challenge" and "Lightning Fill In the Blank". 

    Think you know your stuff? Get selected as an audience participant and prove it! Join us for a rollicking hour as we test the panel and the audience on recent security stories in the news. Who knows? Maybe you can pwn the panel.

    Moderators
    avatar for Mark Miller

    Mark Miller

    Founder and Curator, Trusted Software Alliance
    Mark Miller, Senior Storyteller, is recognized internationally for weaving engaging tales to simplify the explanation of complex, technological solutions. He is a serial community builder, participating in the creation of global online communities such as NothingButSharePoint, EndUserSharePoint and the Trusted Software Alliance. | | | | Mark travels internationally from his home in New York City, speaking on the building of community... Read More →

    Speakers
    avatar for Josh Corman

    Josh Corman

    Director of Security Intelligence, Akamai Technologies
    Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting... Read More →
    avatar for Chris Eng

    Chris Eng

    VP Research, Veracode
    Chris Eng is vice president of research at Veracode. In this role, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies. | | Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where... Read More →
    SR

    Space Rogue

    Strategist, Tenable
    Space Rogue and his colleagues created the first security research think tank known as L0pht Heavy Industries and was a co-founder of the Internet security consultancy @Stake. While at L0pht Heavy Industries Space Rogue created the widely popular Hacker News Network, which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the The Whacked Mac Archives, which at the time, was the largest and... Read More →
    avatar for Gal Shpantzer

    Gal Shpantzer

    Gal Shpantzer has 12 years of experience as an independent security professional and is a trusted advisor to CSOs of large corporations, technology and pharma startups, Ivy League universities and non-profits/NGOs specializing in critical infrastructure protection. Gal is a Contributing Analyst with Securosis and is involved in the Infosec Burnout research project and co-presented on this topic at BSides-Las Vegas (2011) and RSA (2012). Gal has... Read More →


    Thursday November 21, 2013 1:00pm - 1:50pm
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm

    Project Talk: OWASP Development Guide
    The Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services. The OWASP Developer Guide 2013 aims to focus the content from countermeasures and weaknesses to secure software engineering. Learn more about the OWASP Development Guide by attending this project talk. Project Leader, Andrew van der Stock, will be speaking. 

    Speakers
    avatar for Andrew van der Stock

    Andrew van der Stock

    Director, OWASP
    Web application security and information security


    Thursday November 21, 2013 1:00pm - 1:50pm
    Edison (5th floor) NY Marriott Marquis

    1:00pm

    Project Summit: Open SAMM Session
    OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations start and implement a secure software development lifecycle that is tailored to the specific risks facing the organization. During the AppSec USA conference, the SAMM project team organises this workshop for you to influence in which direction SAMM evolves. The workshop is also an excellent opportunity to exchange experiences with your peers.
    We will cover the following agenda:
    • Introduction / getting to know each other
    • Project status and goals 
    • OpenSAMM inventory of tools and templates
    • Case studies / sharing experiences  
    • What do we need (thinking about improvements, can be anything ranging from translations over tools to model improvements)
    • What do we need next (prioritization)
    • Call for involvement (responsibilities), identity teams for specific topics 
    • Rough planning for the future 
    • Extra topic: source/build control 

    Speakers
    avatar for Seba Deleersnyder

    Seba Deleersnyder

    managing partner application security, Toreon
    Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →


    Thursday November 21, 2013 1:00pm - 5:00pm
    Sky Lounge (16th Floor) NY Marriott Marquis

    2:00pm

    Buried by time, dust and BeEF
    For those who do not listen Mayhem and black metal, the talk title
    might seem a bit weird, and I can't blame you.
    You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays,
    you know BeEF. You also know that when sending cross-domain XHRs you
    can still monitor the timing of the response: you might want to infer
    on 0 or 1 bits depending if the response was delayed or not.
    This means it's possible to exploit every kind of SQL injection,
    blind or not blind, through an hooked browser, if you can inject a time-delay
    and monitor the response timing.
    This works flawlessly in cross-domain situations,
    you don't need a 0day or a particular SOP bypass to do this,
    and it works in every browser.
    The potential of being faster than a normal single-host multi-threaded SQLi
    dumper will be explored. Two experiments will be shown: WebWorkers as well
    as multiple synched hooked browsers, which split the workload communicating
    partial results to a central server.
    A pure JavaScript approach will be exlusively presented during this talk,
    including live demos. Such approach would work for both internet facing targets as well as
    applications available in the intranet of the hooked browser.
    The talk will finish discussing the implications of such an approach
    in terms of Incident Response and Forensics,
    showing evidence of a very small footprint.

    Speakers
    avatar for Michele Orru

    Michele Orru

    Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is one of the authors of Browser Hacker's Handbook, which will be out by late 2013 from Wiley. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, Semafor, Just4Meeting, OWASP... Read More →


    Thursday November 21, 2013 2:00pm - 2:50pm
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm

    Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
    Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common – 71 percent of applications contain components with known security flaws classified as severe or critical.  Everything from Big Data, to cloud and mobile applications are exposed to unmanaged risk.  The pressure to add more features and put applications into production quickly comes at a devastating tradeoff – to go fast or be secure.  Using never-before-seen data from the Central Repository – the industry’s primary source for open source components receiving 8 billion requests annually this presentation will examine how modern development is ushering in massive amounts of unmanaged risk demanding a new approach to mitigating the risk in modern, component-based applications – one that is significantly simpler to use, integrated throughout the software lifecycle and shows real, sustainable results. 
    Like automobile manufacturers, today’s software developers assemble applications using existing components or parts rather than writing applications from scratch.  Open source component use has skyrocketed in recent years.  In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011.  90% of a typical application today is now comprised of components, the bulk of these are open source, coming from dozens, if not hundreds, of individual suppliers.  Yet, 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security.  Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain.  When coupled with a trend toward agile development, enterprises are finding themselves with massive, unmanaged risk. 
     Few organizations have the controls or processes to identify which components are in use, to govern their usage or to eradicate flawed components from applications.  In the annual Open Source Development Survey – the largest study of its kind surveying more than 3,500 developers, architects and IT managers using open source – 76 percent of respondents shared that they have no control over what components are being used in software development projects and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or database, open-source components represent a rich attack vector for hackers to exploit given their commonality across organizations and applications. 
     New to the OWASP Top 10 Guidelines is A9: Use of Insecure Libraries, acknowledging the widespread use of open source components in today’s applications and the significant security risks that exists when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle.  Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.
    In this presentation, Ryan Berg, CSO of Sonatype and Jeff Williams, CEO of Aspect Security will examine why traditional approaches to application security can’t protect today’s applications.  Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous. 
    Key topics and takeaways include: • How to empower developers to become the new frontline of defense in today’s cyber-security war
    • Why securing the perimeter is not enough to protect the critical data housed in modern applications
    • How to breakdown the traditional walls that exist between development teams and security and risk professionals
    • Steps for introducing policy to govern component usage that will actually be adopted by developers
    • How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
    • How to give developers the tools and authority to focus on security in real-time

    Speakers
    avatar for Ryan Berg

    Ryan Berg

    Chief Security Officer, Sonatype
    Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard... Read More →
    avatar for Jeff Williams

    Jeff Williams

    CTO, Contrast Security
    Jeff Williams is a co-founder and CTO of Contrast Security, the world's fastest and most accurate application security technology. Previously, Jeff was a founder and CEO of Aspect Security. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and... Read More →


    Thursday November 21, 2013 2:00pm - 2:50pm
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm

    Modern Attacks on SSL/TLS: Let the BEAST of CRIME and TIME be not so LUCKY
    SSL/TLS is the core component for providing confidentiality and authentication in modern web communications. Recent vulnerabilities have undermined this and left much of web based communication vulnerable.
    This talk will survey recent attacks such as BEAST, TIME, CRIME, LUCKY 13 and RC4 biases, highlighting the conditions required for exploitation as well as the current state of mitigations. Comprehensive recommendations will be provided highlighting the real world risks and mitigations taking all attacks into account instead of providing conflicting solutions to mitigate these attacks individually.
    Finally, long term recommendations will be made as we move to a post TLS 1.0 world without overhauling the basic structure and operational infrastructure of modern web communication.

    Speakers
    avatar for Shawn Fitzgerald

    Shawn Fitzgerald

    Shawn Fitzgerald is a senior security consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Shawn specializes in web based applications, client/server testing, cryptographic systems, security design and security protocol reviews.
    avatar for Pratik Guha Sarkar

    Pratik Guha Sarkar

    Security Consultant, iSEC Partners
    Pratik Guha Sarkar is a Security Consultant with iSEC Partners. At iSEC, Pratik works in the areas of web application/web services security, practical cryptography, mobile security and client/server testing. Before iSEC, he was with IBM working in telecom domain. Pratik graduated from Johns Hopkins University in Security Informatics.


    Thursday November 21, 2013 2:00pm - 2:50pm
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm

    OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
    Video of session:
    https://www.youtube.com/watch?v=0dxzGK1ZPxA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=39


    The OWASP Broken Web Applications (OWASP BWA) Project produces a free and open source virtual machine (VM) loaded with more than twenty-five web applications with a variety of security vulnerabilities.  The project VM is well suited for use as a learning and training environment or as a standard target for testing tools and techniques.  After two years of betas, the project released version 1.0 of the VM in 2012.  With that milestone behind us, this talk will focus on the project’s future, though it will include some background on the project and demonstrate key features in the current release.

    Speakers
    avatar for Chuck Willis

    Chuck Willis

    Mandiant
    Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.


    Thursday November 21, 2013 2:00pm - 2:50pm
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm

    Open Mic: Practical Cyber Threat Intelligence with STIX

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers
    avatar for Sean Barnum

    Sean Barnum

    Cyber Security Principal, MITRE
    Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community. He has over 25 years of experience in the software industry in the areas of architecture, development, software quality assurance, quality management, process... Read More →


    Thursday November 21, 2013 2:00pm - 2:50pm
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    2:00pm

    Vendor relationships
    Vendors are not the bad guys. This session will include a lively discussion on vendor relationships within your chapter. Topics will include some benefits of vendor relationships, how to leverage neighboring companies, chapter fundraising, and Foundation guidelines on relationships with vendors/sponsors.

    Moderators
    avatar for Sarah Baso

    Sarah Baso

    Former Executive Director, OWASP Foundation | I am based in San Francisco, Californa, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.

    Thursday November 21, 2013 2:00pm - 2:50pm
    Booth (5th Floor) NY Marriott Marquis

    2:00pm

    Project Talk: OWASP Security Principles Project
    The OWASP Security Principles Project aims to distill the fundamentals of security into a set of concise principles that must be present in any system through out the requirements, architecture, development, testing, and implementation of a system. OWASP Co-Founder and Project Leader, Dennis Groves, will be giving a talk about the future of the project.  

    Speakers
    avatar for Dennis Groves

    Dennis Groves

    Co-Founder, OWASP
    Dennis Groves is the co-founder of OWASP and a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. 


    Thursday November 21, 2013 2:00pm - 2:50pm
    Edison (5th floor) NY Marriott Marquis

    3:00pm

    Open Mic: About OWASP - Executive Director, OWASP Foundation

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers
    avatar for Sarah Baso

    Sarah Baso

    Former Executive Director, OWASP Foundation | I am based in San Francisco, Californa, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations of the OWASP Foundation, reporting to the OWASP Board of Directors.


    Thursday November 21, 2013 3:00pm - 3:30pm
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    3:00pm

    HTTP Time Bandit
    Video of session:
    https://www.youtube.com/watch?v=jFNnI1DDSaE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=35


    While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.
       We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalizations performed on the gathered data,
    and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DOS/DDOS attacks with very simple tools.
       The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for the interested researchers to play with.

    Speakers
    VT

    vaagn toukharian

    Senior Software Engineer, qualys
    Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include Photography, and Ironman Triathlons.


    Thursday November 21, 2013 3:00pm - 3:50pm
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm

    Wassup MOM? Owning the Message Oriented Middleware
    Audio of session:
    https://www.youtube.com/watch?v=09uc435FEWY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=29

    Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications.
    This research analyzes enterprise messaging security from three different perspectives:
    1. The first perspective derives from the fact that most of the enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
    2. The second perspective revolves around a JMS compliant message broker (or MOM) as message brokers form the core of the enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support JMS API. I will discuss a few ActiveMQ 0days vulnerabilities, potential flaws in its various authentication schemes and its configuration defaults that can make it vulnerable to attacks.
    3. The third perspective focuses on a new tool JMSDigger that can be leveraged to engage and assess enterprise messaging applications. Several live demonstrations will show attacks such as authentication bypass, JMS destination dumps, 0day vulnerabilities and JMSDigger etc...

    Speakers
    avatar for Gursev Singh Kalra

    Gursev Singh Kalra

    Senior Principal, Foundstone Professional Services, McAfee
    Gursev Singh Kalra serves as a Senior Principal with Foundstone Professional Services, a division of McAfee. Gursev has authored several security related whitepapers and his research has been voted among the top ten web hacks for 2011 and 2012. He loves to code and he has authored several free security tools like TesserCap, Oyedata, SSLSmart and clipcaptcha. He has spoken at conferences like BlackHat, ToorCon, OWASP, NullCon, Infosec Southwest... Read More →


    Thursday November 21, 2013 3:00pm - 3:50pm
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm

    The 2013 OWASP Top 10
    Video of session:
    https://www.youtube.com/watch?v=bWqb3Hemepc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=17

    The OWASP Top 10 has become the defacto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example. 
    This presentation will explain how the OWASP Top 10 for 2013 changed from the previous version and why. It will then briefly go through each item in the OWASP Top 10 for 2013, explaining the risks each issue introduces to an enterprise, how attackers can exploit them, and what your organization can do to eliminate or avoid such risks in your application portfolio.

    Speakers
    avatar for Dave Wichers

    Dave Wichers

    COO, Aspect Security
    Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. | | | Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO... Read More →


    Thursday November 21, 2013 3:00pm - 3:50pm
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm

    The Invisible Chapter
    This session will focus on steps to take when there is a chapter that may be in need of some energy or starting a new chapter. As a community, we all share a responsibility to each other to build the OWASP community.

    Pre-Req: https://www.owasp.org/index.php/Category:Chapter_Handbook 

    Thursday November 21, 2013 3:00pm - 3:50pm
    Booth (5th Floor) NY Marriott Marquis

    3:00pm

    CSRF: not all defenses are created equal
    CSRF is an often misunderstood vulnerability. The standard way to protect against it is by implementing the singleton token pattern. This is usually done in the framework and not by the individual developer. For example .net applications can use the antiforgerytoken (for MVC applications) or viewstateuserkey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has the CSRF guard. All of these solutions though are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects have even caused worse security problems (namely revealing the session cookie) while trying to defend against CSRF. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions mentioned above and describe how they implement the general solution and the positives and negatives of each implementation.

    Speakers
    avatar for Ari Elias-Bachrach

    Ari Elias-Bachrach

    independant consultant, Defensium LLC
    In the course of implementing CSRF defenses in the extremely broad (over 3000 web applications) and diverse environment that is the NIH, I have found that not all CSRF defenses are created equal. A lot of research, experimentation, and conversations with vendors and developers have yielded an understanding of the wide variety of csrf defenses and their tradeoffs, which I would like to share with the industry at large.


    Thursday November 21, 2013 3:00pm - 3:50pm
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm

    Project Talk: OWASP Code Review Guide
    The Code Review Guide focuses on secure code reviews and tools that aim to support the developer community. Such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Project Leader, Larry Conklin, will be giving a talk about the project, and what the current state of Version 2.0 is. 

    Speakers
    avatar for larry conklin

    larry conklin

    Sr. Software Developer, QuikTrip
    Larry is the co-project leader of the OWASP Code Review Guide. His current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites to help QuikTrip manage it’s 600+ stores. Larry is currently a Senior Software Developer for QuickTrip. 


    Thursday November 21, 2013 3:00pm - 3:50pm
    Edison (5th floor) NY Marriott Marquis

    3:30pm

    Bug Bounty - Group Hack
    The Great OWASP Bug Bash of 2013

    CALLING ALL SECURITY NINJAS… Whether you’re attending Appsec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first everInternet-wide bug bash.

    This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

    Featuring…
    The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

    Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

    Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


    Speakers
    avatar for Tom Brennan

    Tom Brennan

    Consultant, ProactiveRISK
    Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk
    avatar for Dinis Cruz

    Dinis Cruz

    AppSec, OWASP
    Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis is still very active at OWASP, currently leading the O2 Platform project and helping out other projects and initiatives. After failing to scale his own security... Read More →
    avatar for Casey Ellis

    Casey Ellis

    Founder and CEO, Bugcrowd Inc
    Casey Ellis, CEO and founder of Bugcrowd has spent 14 years in information security, servicing clients ranging from startups to multinational corporations as a security and risk consultant and solutions architect. He has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney Australia to San Francisco with Bugcrowd, he founded White Label Security, a white-labelled penetration testing... Read More →
    avatar for Samantha Groves

    Samantha Groves

    Program Manager, OWASP
    Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement projects, staff recruitment and training, and marketing department organization and strategy implementation projects for a variety of commercial and... Read More →


    Thursday November 21, 2013 3:30pm - 4:00pm
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    4:00pm

    Award Ceremony (Salon 1, 2, 3 & 4)
    Don't miss the wrap-up, awards and highlights of AppSec USA 2013...it will be amazing!

    Speakers
    avatar for Tom Brennan

    Tom Brennan

    Consultant, ProactiveRISK
    Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk


    Thursday November 21, 2013 4:00pm - 5:00pm
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis