Monday, November 18
 

9:00am EST

OWASP Media Project Introduction

The OWASP Media Project is an infrastructure project that gathers, consolidates, and promotes OWASP content in video format on a central, appealing hub. The first and main instance of the project will be a YouTube channel.

The session will be used to bring project leaders up to speed on how video sharing and live streaming can help promote your project and reach people. We will do that by presenting Google Hangout and the official OWASP YouTube channel.

Then, we will gather potential sources and existing videos in order to populate the OWASP channel. This summit experience will not just be about promoting the Media Project itself, but also about the exposure of any other projects with video content.


Speakers
avatar for Jonathan Marcil

Jonathan Marcil

Sr. AppSec Engineer, Twitch
Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently co-leads the OWASP Threat Model Cookbook Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal... Read More →


Monday November 18, 2013 9:00am - 10:00am EST
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am EST

Project Summit: OWASP Projects Review Session
During the OWASP Projects Review working session, attendees will be able to participate in the review of the entire inventory of OWASP Projects using the new assessment criteria developed by our team of Technical Project Advisors. The aim of this session is to establish a more accurate representation of OWASP project health and product quality. The session outline is as follows:

  1. Overview of new assessment criteria to conduct reviews.
  2. Team up in small groups (2 to 3 max) based on experience and background to assess a set of Projects (Code, Tool or Documentation)
  3. Fill in the Questionnaire (Google Forms) to complete the assessment of Projects and provide the review with a final score and results (Project classified as Incubator, Lab or Flagship)
  4. Review results of questionnaire with your team.
  5. Present results and conclusions of assessment session.
 

Moderators
avatar for Samantha Groves

Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement... Read More →

Speakers
avatar for Johanna Curiel

Johanna Curiel

Security Engineer and Researcher, Mobiquity
Johanna Curiel is a security engineer and researcher with 18 years of experience in programming, testing and quality control. Her early encounters with hackers and cybercrime were a turning point in her career to work in the area of Cyber security. Between 2005 and 2007, she worked as... Read More →


Monday November 18, 2013 9:00am - 1:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Application Cryptanalysis with Bletchley
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Use of cryptography permeates today's computing infrastructures. While few programmers attempt to implement sophisticated cryptosystems, many unwittingly develop simple protocols in everyday applications without adequate knowledge of how cryptographic primitives should be combined. In this training we explore several techniques for analyzing and breaking the kinds of cryptographic protocols which are commonly found in modern applications. Attendees will first be presented with a brief review of cryptographic primitives and their uses, followed by an introduction to several techniques to analyze cryptographic systems in a black-box manner. In each case, the discussion will describe how programmers can avoid making the common mistakes that allow these attacks to succeed. Each lecture session will be followed by lab exercises where students will utilize the Bletchley toolkit and other open source tools to attack vulnerable applications.
Outline for two-day version:
Day 1
=====
1. Crypto refresher
  A. Pseudorandom number generators
  B. Block ciphers and their modes
  C. Hashes and (H)MACs
2. Attacks on nonces
  A. Statistical/structural analysis
  B. Attacking weak seeds
  C. Attacking weak algorithms
  D. Examples of past flaws in real-world applications
3. Exercise: Weak nonces
  A. Fun with Stompy
  B. Attacking a linear congruential generator (LCG)
4. Attacks on encrypted tokens
  A. Determining block size / mode
  B. Basics of block swapping
  C. Attacks on ECB and CBC modes
  D. Algorithm Reuse
5. Exercise: Block swapping
  A. Analyzing encoded blobs
  B. Identifying algorithm reuse
  C. Forging tokens
6. Padding oracle attacks
  A. Theory
  B. Real-world examples
7. Exercise: Asking the oracle
Day 2
=====
8. Hash length-extension attacks (3/4 hr)
  A. Naive Hash-based MAC construction
  B. The popular M-D hash method
  C. Construction of an attack
9. Exercise: A simple HLE attack (1.5 hrs)
  A. Identifying hashed elements
  B. Constructing a message
10. Attacking unprotected stream ciphers (1 1/4 hr)
  A. Refresher on synchronous ciphers and modes (OFB/CTR)
  B. Identifying stream ciphers
  C. Static IV decryption
  D. Looking for decryption oracles
11. Exercise: Bit flipping for success (2 hrs)
  A. Building a bit probe script
  B. Modifying ciphertexts
12. Open lab time (1-2 hrs)
  A. Bonus exercise: breaking a password generator; or
  B. Finish implementations from previous exercises

Speakers
avatar for Timothy Morgan

Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice... Read More →


Monday November 18, 2013 9:00am - 5:00pm EST
Chelsea (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline:
• So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics
  • ThreadFix: Reporting
• Governance: Policy and Compliance
• Governance: Education and Guidance
  • OWASP Development Guide
  • OWASP Cheat Sheets
  • OWASP Secure Coding Practices
• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture
  • ESAPI overview
  • Microsoft Web Protection Library (Anti-XSS) overview
• Verification: Design Review
  • Microsoft Threat Analysis and Modeling Tool
• Verification: Code Review
  • FindBugs
  • Brakeman
  • Agnitio
• Verification: Security Testing
  • w3af
  • OWASP Zed Attack Proxy (ZAP)
• Deployment: Vulnerability Management
  • ThreadFix: Defect Tracker Integration
• Deployment: Environment Hardening
  • Microsoft Baseline Security Analyzer (MBSA)
• Deployment: Operational Enablement
  • mod_security


Speakers
avatar for Dan Cornell

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their... Read More →


Monday November 18, 2013 9:00am - 5:00pm EST
Gotham (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Securing Mobile Devices & Applications
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview: 
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. With the number of mobile applications available in Google Play and the Apple App Store nearing 1.5 million, and vulnerabilities skyrocketing, it is imperative to apply standard application security practices. But how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline: 
1)  Mobile Devices and Applications
Section Overview: Introduction to Mobile Devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
1)     Device Types and Capabilities
2)     Mobile App Emulators / IDEs
3)     Running the Class Apps
4)     Using a Testing Proxy: Burp
5)     How to get Proxying to work
2)  Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.
1)     Different Mobile Architectures
2)     OWASP Mobile Security Resources
3)     Mobile Threat Model
4)     Top 10 Mobile Controls
5)     Risk Management
6)     Mobile Threats and Attacks on Users, Devices, and Apps
7)     Consequences
8)     AppStore Security / Malware Threats
9)     Hands On: Hacking Mobile URLs (iOS), or Intents (Android)
3)  Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
1)     Device Protections built into Android and iPhone
2)     Data Protection
3)     Encryption
4)     Client Only Architecture and Recommended Controls
5)     Client-Server Architecture and Recommended Controls
6)     Recommendation: Standard Security Controls
7)     Mobile Web Applications and Recommended Controls
8)     HTML 5 Risks
9)     JavaScript Framework Risks
10)  Same Origin Policy
4) Securing the Device
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise.  We show students how to secure employee-owned devices.
1)     Mobile Device Management (MDM) Applications
2)     Password Requirements
3)     Data Protection
4)     Enterprise Security Management (ESM)
5) Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?
1)     Threat: Unsafe wireless access points, sniffing, tampering
2)     Review mobile protocols and platforms
3)     How to use SSL Securely
6)  Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
1)     Threats: lost/stolen phone, remember me, sniffing
2)     Strong Authentication vs. User Usability
3)     Communicating credentials safely
4)     Storing credentials safely
7)  Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
1)     Threats: lost/stolen device, remember me, lost/stolen credentials
2)     Benefits of Registering the Device
3)     Methods for Authenticating the Device
4)     Avoiding use of UDID
8)  Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
1)     Identifying sensitive data
2)     Where and how is data stored on devices
3)     Hashing and encryption
4)     Storing keys
5)     Browser Caching
6)     Mobile specific ‘accidental’ data storage areas
7)     Where NOT to store your data on the device
8)     HTML5 local storage
9)  Mobile Forensics
Section Overview: Where application data and configuration information typically gets stored on the mobile device.
1)     Forensics tools for Android and iPhone
2)     Exploring the file system (Android / iPhone)
3)     Jailbreaking grants more access
4)     Interesting areas of the file system (Android / iPhone)
5)     Application configuration files
6)     Autocomplete records / iPhone app screen shots
7)     Dumping Android Intents
8)     Scrounging in Backups
10)  Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
1)     Threat: user attacks server
2)     Example attacks
3)     Documenting your access control policy
4)     Mapping enforcement to server side controls
5)     Presentation Layer Access Control
6)     Environmental Access Control
7)     Business Logic
8)     Data Protection
9)     Hands On: Access Other Peoples Accounts, Steal Funds
11)  How to Protect Against Cross Site Scri

Speakers
avatar for Dan Amodio

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security... Read More →
avatar for David Lindner

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application... Read More →


Monday November 18, 2013 9:00am - 5:00pm EST
Empire & Hudson (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: The Art of Exploiting Injection Flaws
PROMOTION: All attendees of my class will receive FREE 1 month access to on-line labs after the class allowing them more time to practice the concepts taught in the class.

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview

OWASP rates injection flaws as the most critical vulnerability within the Top 10 Most Critical Web Application Security Risks under the OWASP Top 10 project: http://www.owasp.org/index.php/Top_10_2010-A1
(even the 2013 Release Candidate for the Top 10 has retained injection as the top flaw)
This hands-on session will focus only on injection flaws, and attendees will get an in-depth understanding of the issues arising from this class of vulnerability. The topics covered in the class are:
SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection
During the 2-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute: we have got it all covered. The objectives of the course are:
Understand the problem of injection flaws
Learn a variety of advanced exploitation techniques which hackers use
Learn how to fix these problems
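The following is an added example, not part of the class material or the original listing, for the SQL injection topic above: a string-concatenated query, a query that escapes quotes and so looks safe but is still injectable because the value lands in a numeric context (the "appears secure but isn't" pattern), and the parameterized fix. It uses Python's built-in sqlite3 module against a constructed in-memory users table; the table contents and the payloads are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the class): two users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0)])
    return conn


def lookup_by_name_concat(conn, name):
    """VULNERABLE: the attacker-controlled string becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, user_id):
    """LOOKS SECURE BUT ISN'T: doubling single quotes only helps inside a quoted
    string literal. In a numeric context there are no quotes to break out of,
    so a payload like '1 OR 1=1' is spliced into the query verbatim."""
    escaped = str(user_id).replace("'", "''")
    sql = "SELECT name FROM users WHERE id = " + escaped
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_param(conn, name):
    """FIXED: a bound parameter is always data, never SQL syntax."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def lookup_by_id_param(conn, user_id):
    """FIXED for the numeric case: validate the type, then bind it."""
    if not isinstance(user_id, int):
        raise ValueError("user_id must be an integer")
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]


def run_demo():
    """Run each lookup with a constructed payload and return what the query leaked."""
    conn = make_db()
    tautology = "x' OR '1'='1"                 # classic quoted-context payload
    numeric = "1 OR 1=1"                       # payload for the unquoted numeric context
    union = "2 UNION SELECT sqlite_version()"  # pulls data the query never meant to expose
    return {
        "concat": lookup_by_name_concat(conn, tautology),            # every user
        "escaped_numeric": lookup_by_id_escaped(conn, numeric),      # every user
        "escaped_union_rows": len(lookup_by_id_escaped(conn, union)),  # bob + version string
        "param_name": lookup_by_name_param(conn, tautology),         # nothing
        "param_id": lookup_by_id_param(conn, 2),                     # just bob
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

The escaping function is the instructive case: it does exactly what many "sanitize" helpers do, and it is still a textbook injection because escaping is context-dependent while a bound parameter is not. Treating the id as an integer before binding closes the numeric variant as well.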

WHAT STUDENTS WILL BE PROVIDED
Student hand-outs
Tools/scripts (some public and some not so public)

WHO SHOULD ATTEND
Web Application Developers
Web Application Security Consultants
Penetration Testers
Anyone who wants to take their skills to next level

WHAT TO EXPECT
Shells popping
Advanced data exfiltration techniques.
Advanced exploitation (some neat, new and ridiculous hacks).
Some insane examples of code which appears secure but isn't.

WHAT STUDENTS SHOULD BRING
Students must bring their own laptop with the Windows operating system installed (either natively or running in a VM). Further, students must have administrative access to perform tasks like installing software, disabling antivirus, etc. Devices which don't have an Ethernet connection (e.g. MacBook Air, tablets, etc.) are not supported. Prior knowledge of database systems and the SQL language will be an added advantage but is not a strict requirement.


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Founder, NotSoSecure
Sumit Siddharth (Sid) is the founder of NotSoSecure (www.notsosecure.com), a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in the UK. He has more than 9 years of experience in Penetration Testing. Sid has authored a... Read More →


Monday November 18, 2013 9:00am - 5:00pm EST
Brecht (4th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Web Application Defender's Cookbook: LIVE
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Can you answer these questions?
• Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?

If you cannot confidently answer yes to all of these questions then this is the class for you! This 2-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett. Copies of the book will be provided to all participants and will be used as the basis for the courseware material. The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications. The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills:
• Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabilities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force

Tools:
Each student will need to bring their own laptop with VMware installed. For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project, as it already has many vulnerable target web applications. OWASPBWA also includes the cross-platform (Apache, IIS and Nginx), open source ModSecurity Web Application Firewall (WAF) and the OWASP ModSecurity Core Rule Set (CRS), which is the tool that we will be using in our lab exercises to implement our defenses.

Speakers
avatar for Ryan Barnett

Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open... Read More →


Monday November 18, 2013 9:00am - 5:00pm EST
Odets (4th Floor) NY Marriott Marquis

10:30am EST

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
avatar for Chris Schmidt

Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership... Read More →
avatar for Kevin Wall

Kevin Wall

Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec... Read More →
avatar for Jeff Williams

Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by... Read More →


Monday November 18, 2013 10:30am - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm EST

OWASP PHP Security and RBAC Projects: An introduction
The aim of this session is to introduce attendees to both projects, and to get them working on project related activities. 

OWASP PHP Security Project


1. To demonstrate and introduce the OWASP PHP Security Project, have people contribute to it, and have people adopt it in their own projects!

2. The project is developed; we're going to show sample usages and have people try to hack them (which should be impossible). We will also introduce the libraries and discuss what future work is needed on the project.

3. The project is really interesting and has a cool aim, and this will help get a lot more people into its community.

OWASP RBAC Project

1. OWASP RBAC is a new cutting-edge technology that can revolutionize the authorization domain. Unfortunately, because it is rigorous and complex, we haven't been very successful in expanding its usage.

2. Get people to know how awesome this is, and get them to use it in their applications. This is a pretty mature project and is one of those things that you don't know exists, but once you do you can't get enough of. We would also like to get contributors porting it to other programming languages.

3. We've done 85% of the job. There is a website, an API, and full code with tests; all we need is people to go ahead and use it, and some people who want to use it in another programming language so that the community ports it!

Moderators
avatar for Abbas Naderi

Abbas Naderi

Project/Chapter Leader, OWASP
Information security, cryptography, computer science, and all sorts of geeky stuff make up my life. I'm doing heavy infosec research as well. My CV is available at https://abiusx.com/cv

Monday November 18, 2013 1:00pm - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm EST

Project Summit: AppSensor 2.0 Hackathon
Take part in building the next generation of AppSensor. In this hackathon we will focus on building the code for AppSensor 2.0, which will involve moving to a services (both REST and SOAP) model for event detection and response. During the hackathon, the AppSensor development leaders will be designing and coding side-by-side with you. Come join us and help make the AppSensor idea available to all!

Speakers
avatar for John Melton

John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool, and looking for prior art. For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis... Read More →


Monday November 18, 2013 1:00pm - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you're attending Appsec in person or in spirit, you're invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers
avatar for Dinis Cruz

Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis... Read More →


Monday November 18, 2013 8:00pm - 11:59pm EST
Sky Lounge (16th Floor) NY Marriott Marquis
 
Tuesday, November 19
 

9:00am EST

Project Summit: Mobile Security Session
Just as the mobile security landscape has changed, so has the OWASP Mobile Project. Join us as we discuss the major milestones of 2013 and what is in store for the project's future. We will also go deeper into the Mobile Top Ten project, where we will discuss the decisions made on categories and vulnerability information, and look at some surprising vulnerability trends in mobile applications.

During this session, we will cover:

- OWASP Top 10 Mobile Risks, 2014 Refresh.

- Mobile project 2013 achievements and the 2014 roadmap.

- Increasing industry collaboration within the mobile security space.
 

Speakers
avatar for Jason Haddix

Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website... Read More →

Jack Mannino

nVisium
Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source... Read More →
avatar for Daniel Miessler

Daniel Miessler

Principal Security Architect, HP
Daniel Miessler is Principal Security Architect with HP based out of San Francisco, California. He specializes in application security with specific focus in web and mobile application assessments, helping enterprise customers build effective application security programs, and speaking... Read More →


Tuesday November 19, 2013 9:00am - 1:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am EST

Project Summit: Training Development Session
Training is an important part of OWASP's mission as it helps not only in increasing the awareness around application security but also in actually improving the security of applications. In the past, we have tried several training models (e.g. Training Days, Tours, etc.) and dozens of ideas have been put on the table. Nevertheless, we are still missing a viable training model that will be easy to reproduce and will provide added value to attendees.   

During the Project Summit, we will discuss various training models, and the experience we have gained over the past years in order to build a model that will be subsequently used to train developers and anyone involved in securing applications.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals
avatar for Martin Knobloch

Martin Knobloch

Member of the BoD / OWASP Netherlands Chapter Lead, OWASP
 


Tuesday November 19, 2013 9:00am - 1:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Application Cryptanalysis with Bletchley
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Use of cryptography permeates today's computing infrastructures. While few programmers attempt to implement sophisticated cryptosystems, many unwittingly develop simple protocols in everyday applications without adequate knowledge of how cryptographic primitives should be combined. In this training we explore several techniques for analyzing and breaking the kinds of cryptographic protocols which are commonly found in modern applications. Attendees will first be presented with a brief review of cryptographic primitives and their uses, followed by an introduction to several techniques to analyze cryptographic systems in a black-box manner. In each case, the discussion will describe how programmers can avoid making the common mistakes that allow these attacks to succeed. Each lecture session will be followed by lab exercises where students will utilize the Bletchley toolkit and other open source tools to attack vulnerable applications.
Outline for two-day version:
Day 1
=====
1. Crypto refresher
  A. Pseudorandom number generators
  B. Block ciphers and their modes
  C. Hashes and (H)MACs
2. Attacks on nonces
  A. Statistical/structural analysis
  B. Attacking weak seeds
  C. Attacking weak algorithms
  D. Examples of past flaws in real-world applications
3. Exercise: Weak nonces
  A. Fun with Stompy
  B. Attacking a linear congruential generator (LCG)
4. Attacks on encrypted tokens
  A. Determining block size / mode
  B. Basics of block swapping
  C. Attacks on ECB and CBC modes
  D. Algorithm Reuse
5. Exercise: Block swapping
  A. Analyzing encoded blobs
  B. Identifying algorithm reuse
  C. Forging tokens
6. Padding oracle attacks
  A. Theory
  B. Real-world examples
7. Exercise: Asking the oracle
Day 2
=====
8. Hash length-extension attacks (3/4 hr)
  A. Naive Hash-based MAC construction
  B. The popular M-D hash method
  C. Construction of an attack
9. Exercise: A simple HLE attack (1.5 hrs)
  A. Identifying hashed elements
  B. Constructing a message
10. Attacking unprotected stream ciphers (1 1/4 hr)
  A. Refresher on synchronous ciphers and modes (OFB/CTR)
  B. Identifying stream ciphers
  C. Static IV decryption
  D. Looking for decryption oracles
11. Exercise: Bit flipping for success (2 hrs)
  A. Building a bit probe script
  B. Modifying ciphertexts
12. Open lab time (1-2 hrs)
  A. Bonus exercise: breaking a password generator; or
  B. Finish implementations from previous exercises
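As an added illustration of items 8 and 9 above (not from the course or the Bletchley toolkit), the following Python script shows a hash length-extension attack against the naive MAC construction SHA-1(secret || message). Knowing only the message, its MAC and the length of the secret, the attacker reinterprets the MAC as the hash's internal state, appends the Merkle-Damgård glue padding the server would have applied, and continues hashing an extension to produce a valid MAC for the longer message. SHA-1 is implemented inline because hashlib does not allow seeding the internal state; the secret, message and extension are constructed for the example. The same attack applies to MD5, SHA-256 and other Merkle-Damgård hashes; HMAC is not affected because the key is hashed in again after the inner hash.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md_padding(total_len: int) -> bytes:
    """The padding SHA-1 appends to a message of total_len bytes: 0x80, zeros to 56 mod 64, bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(msg: bytes, state=None, prefix_len: int = 0) -> bytes:
    """SHA-1 of msg. With `state` and `prefix_len` (a multiple of 64), continue hashing
    as though prefix_len bytes had already been absorbed into `state`."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = msg + md_padding(prefix_len + len(msg))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rol(a, 5) + f + e + k + w[i]) & MASK, a, _rol(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_stdlib(msg: bytes) -> bool:
    """Sanity check that the inline SHA-1 agrees with hashlib."""
    return sha1(msg) == hashlib.sha1(msg).digest()


# --- The flawed construction: MAC = H(secret || message).
def naive_mac(secret: bytes, message: bytes) -> bytes:
    return sha1(secret + message)


def server_verify(secret: bytes, message: bytes, mac: bytes) -> bool:
    return naive_mac(secret, message) == mac


def length_extend(message: bytes, mac: bytes, secret_len: int, extension: bytes):
    """Forge (new_message, new_mac) knowing only message, mac and len(secret)."""
    glue = md_padding(secret_len + len(message))      # what the server hashed after the message
    state = struct.unpack(">5I", mac)                  # the MAC *is* the internal state
    new_message = message + glue + extension
    new_mac = sha1(extension, state=state, prefix_len=secret_len + len(message) + len(glue))
    return new_message, new_mac


def demo():
    secret = b"s3rv3r-s1de-secret"      # constructed; the attacker never sees it
    message = b"user=alice&role=user"   # constructed signed message
    mac = naive_mac(secret, message)
    forged_msg, forged_mac = length_extend(message, mac, len(secret), b"&role=admin")
    return server_verify(secret, forged_msg, forged_mac), forged_msg


if __name__ == "__main__":
    accepted, forged = demo()
    print(accepted, forged)
```

The secret's length is the only unknown; in practice it is brute-forced over a small range of plausible lengths, one forged request per guess. The glue padding ends up inside the message, so the attack works wherever the parser tolerates or ignores the embedded 0x80 and NUL bytes, which query-string and key=value parsers routinely do.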

Speakers
Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Chelsea (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline:
• So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics
  • ThreadFix: Reporting
• Governance: Policy and Compliance
• Governance: Education and Guidance
  • OWASP Development Guide
  • OWASP Cheat Sheets
  • OWASP Secure Coding Practices
• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture
  • ESAPI overview
  • Microsoft Web Protection Library (Anti-XSS) overview
• Verification: Design Review
  • Microsoft Threat Analysis and Modeling Tool
• Verification: Code Review
  • FindBugs
  • Brakeman
  • Agnitio
• Verification: Security Testing
  • w3af
  • OWASP Zed Attack Proxy (ZAP)
• Deployment: Vulnerability Management
  • ThreadFix: Defect Tracker Integration
• Deployment: Environment Hardening
  • Microsoft Baseline Security Analyzer (MBSA)
• Deployment: Operational Enablement
  • mod_security


Speakers
Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Gotham (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Securing Mobile Devices & Applications
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview: 
Mobile applications enable new threats and attacks which introduce significant risks to the enterprise, and many custom applications contain significant vulnerabilities that are unknown to the team that developed them. With the number of mobile applications in Google Play and the Apple App Store nearing 1.5 million, and vulnerabilities skyrocketing, it is imperative to apply the usual application security practices. But how is mobile different?
This two-day, hands-on course enables students to understand how easily mobile devices and applications can be successfully attacked. They will learn how to identify, avoid and remediate common vulnerabilities by walking through a threat analysis and learning critical security areas such as those identified in the OWASP Top Ten Mobile Risks and Controls. Using state-of-the-art testing tools, students will learn how to secure mobile devices across the enterprise. Students will be able to choose from iOS or Android hands-on labs throughout the course, while they learn how easily the bad guy can compromise applications and the data they contain.

Outline: 
1)  Mobile Devices and Applications
Section Overview: Introduction to Mobile Devices, their capabilities, and how to emulate mobile apps and use mobile testing tools.
1)     Device Types and Capabilities
2)     Mobile App Emulators / IDEs
3)     Running the Class Apps
4)     Using a Testing Proxy: Burp
5)     How to get Proxying to work
2)  Mobile Application Architectures and Threat Model
Section Overview: An explanation of high-level threats, attack techniques and the impacts associated with mobile computing and how different architectures affect these.
1)     Different Mobile Architectures
2)     OWASP Mobile Security Resources
3)     Mobile Threat Model
4)     Top 10 Mobile Controls
5)     Risk Management
6)     Mobile Threats and Attacks on Users, Devices, and Apps
7)     Consequences
8)     AppStore Security / Malware Threats
9)     Hands On: Hacking Mobile URLs (iOS), or Intents (Android)
3)  Mobile Application Architectures Deeper Dive
Section Overview: Different styles of computing in the mobile space, the core technologies involved, and how applications are built.
1)     Device Protections built into Android and iPhone
2)     Data Protection
3)     Encryption
4)     Client Only Architecture and Recommended Controls
5)     Client-Server Architecture and Recommended Controls
6)     Recommendation: Standard Security Controls
7)     Mobile Web Applications and Recommended Controls
8)     HTML 5 Risks
9)     JavaScript Framework Risks
10)  Same Origin Policy
4)  Securing the Device
Section Overview: We demonstrate how to harden mobile devices against attack and the issues related to managing security across an enterprise.  We show students how to secure employee-owned devices.
1)     Mobile Device Management (MDM) Applications
2)     Password Requirements
3)     Data Protection
4)     Enterprise Security Management (ESM)
5) Securing Communications
Section Overview: What are all the different communications technologies used by mobile devices and what security threats do they pose?
1)     Threat: Unsafe wireless access points, sniffing, tampering
2)     Review mobile protocols and platforms
3)     How to use SSL Securely
6)  Mobile Authentication
Section Overview: We explain how the user proves their identity to the phone, how server-side applications can authenticate the user, and how the phone can authenticate the services used.
1)     Threats: lost/stolen phone, remember me, sniffing
2)     Strong Authentication vs. User Usability
3)     Communicating credentials safely
4)     Storing credentials safely
7)  Mobile Registration
Section Overview: How to register a device to a person and explain the need for mobile channel authentication.
1)     Threats: lost/stolen device, remember me, lost/stolen credentials
2)     Benefits of Registering the Device
3)     Methods for Authenticating the Device
4)     Avoiding use of UDID
8)  Mobile Data Protection
Section Overview: All of the different places that sensitive data can be stored on phones, and how it can be protected.
1)     Identifying sensitive data
2)     Where and how is data stored on devices
3)     Hashing and encryption
4)     Storing keys
5)     Browser Caching
6)     Mobile specific ‘accidental’ data storage areas
7)     Where NOT to store your data on the device
8)     HTML5 local storage
9)  Mobile Forensics
Section Overview: Where application data and configuration information typically gets stored on the mobile device.
1)     Forensics tools for Android and iPhone
2)     Exploring the file system (Android / iPhone)
3)     Jailbreaking grants more access
4)     Interesting areas of the file system (Android / iPhone)
5)     Application configuration files
6)     Autocomplete records / iPhone app screen shots
7)     Dumping Android Intents
8)     Scrounging in Backups
10)  Mobile Access Control
Section Overview: The code-access security models to use in mobile apps.
1)     Threat: user attacks server
2)     Example attacks
3)     Documenting your access control policy
4)     Mapping enforcement to server side controls
5)     Presentation Layer Access Control
6)     Environmental Access Control
7)     Business Logic
8)     Data Protection
9)     Hands On: Access Other Peoples Accounts, Steal Funds
11)  How to Protect Against Cross Site Scri

Speakers
Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security...

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Empire & Hudson (7th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: The Art of Exploiting Injection Flaws
PROMOTION: All attendees of my class will receive FREE 1 month access to on-line labs after the class allowing them more time to practice the concepts taught in the class.

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Overview

OWASP rates injection as the most critical of the Top 10 Most Critical Web Application Security Risks in the OWASP Top 10 project: http://www.owasp.org/index.php/Top_10_2010-A1
(even the 2013 Release Candidate for the Top 10 has retained injection as the top flaw)
This hands-on session focuses only on injection flaws, and attendees will get an in-depth understanding of the issues arising from this class of vulnerability. The topics covered in the class are:
SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection 
During the 2-day course, attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute: we have got it all covered. The objectives of the course are:
Understand the problem of injection flaws
Learn a variety of advanced exploitation techniques which hackers use
Learn how to fix these problems

WHAT STUDENTS WILL BE PROVIDED
Student hand-outs
Tools/scripts (some public and some not so public)

WHO SHOULD ATTEND
Web Application Developers
Web Application Security Consultants
Penetration Testers
Anyone who wants to take their skills to next level

WHAT TO EXPECT
Shells popping
Advanced data exfiltration techniques.
Advanced exploitation (some neat, new and ridiculous hacks).
Some insane examples of code which appears secure but is not.

WHAT STUDENTS SHOULD BRING
Students must bring their own laptop with the Windows operating system installed (either natively or running in a VM). Further, students must have administrative access to perform tasks like installing software, disabling antivirus, etc. Devices without an Ethernet port (e.g. MacBook Air, tablets) are not supported. Prior knowledge of database systems and the SQL language is an advantage but not a strict requirement.


Speakers
Sumit Siddharth

Founder, NotSoSecure
Sumit Siddharth (Sid) is the founder of NotSoSecure (www.notsosecure.com), a specialist IT security firm delivering high-end IT security consultancy and training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in the UK. He has more than 9 years of experience in penetration testing. Sid has authored a...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Brecht (4th Floor) NY Marriott Marquis

9:00am EST

2 Day Pre-Conference Training: Web Application Defender's Cookbook: LIVE
2 Day Class running Monday Nov 18 and Tuesday Nov 19

Can you answer these questions?
• Are your web applications secure?
• Do you know how to lock down new web applications when they are placed into production?
• Do you know if/when attackers are trying to break into your site and steal data or cause other harm?
• Do you know if/when attackers are attacking other web application users?

If you cannot confidently answer yes to all of these questions then this is the class for you! This 2-day bootcamp is based on the popular book "Web Application Defender's Cookbook: Battling Hackers and Protecting Users" written by the class trainer Ryan Barnett. Copies of the book will be provided to all participants and will be used as the basis for the courseware material. The class is tailored for web application defenders (operational security personnel) who are charged with protecting live web applications. The training will provide answers to these questions and increase your ability to identify and thwart malicious activities within your web applications.
You will learn the following skills:
• Implement full HTTP auditing for incident response
• Utilize virtual patching processes to remediate identified vulnerabilities
• Deploy web tripwires (honeytraps) to identify malicious users
• Detect when users are acting abnormally
• Analyze uploaded files and web content for malware
• Recognize when web applications leak sensitive user or technical data
• Respond to attacks with varying levels of force

Tools:
Each student will need to bring their own laptop with VMware installed. For hands-on lab exercises, we will utilize the OWASP Broken Web Applications VM project, as it already contains many vulnerable target web applications. OWASPBWA also includes the cross-platform (Apache, IIS and Nginx) open source ModSecurity Web Application Firewall (WAF) and the OWASP ModSecurity Core Rule Set (CRS), which is the tool we will use in the lab exercises to implement our defenses.

Speakers
Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Odets (4th Floor) NY Marriott Marquis

10:30am EST

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership...

Kevin Wall

Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec...

Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Tuesday November 19, 2013 10:30am - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm EST

Project Summit: Academies Development Session
The OWASP Academies program aims to bring together academic institutions from all over the world in order to collaborate towards increasing awareness on application security. The OWASP Academy Portal is the actual deliverable of this process: a portal that will provide various types of content (presentations, labs, etc.) to students and faculty who wish to learn or teach application security. 

During the Projects Summit we intend to kick-start the Academy Portal, complete the initial design and add some actual content. The OWASP Academy Portal will then serve as the meeting point for application security in academia.

Moreover, the Projects Summit will serve as a meeting point for several members of the academic community and a unique opportunity to exchange ideas and experience.

Speakers
Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals

Martin Knobloch

Member of the BoD / OWASP Netherlands Chapter Lead, OWASP


Tuesday November 19, 2013 1:00pm - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

3:00pm EST

OWASP O2 Documentation Session
The objective of this session is to discuss the development of a Book about the O2 Platform Web Automation capabilities. Join us during our initial discussion, and get your ideas heard. 

Speakers
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based in San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always works hard to do things better. Currently Michael works as a Software Developer Engineer...


Tuesday November 19, 2013 3:00pm - 6:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

3:00pm EST

Registration
Tuesday November 19, 2013 3:00pm - 9:00pm EST
Empire & Hudson (7th Floor) NY Marriott Marquis

6:00pm EST

Tuesday Night Reception
Moderators
Sarah Baso

Former Executive Director, OWASP Foundation
I am based in San Francisco, California, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations...

Kate Hartmann

OWASP Foundation, OWASP Foundation
Kate joined the OWASP Foundation in May 2008. Kate's work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives...

Tuesday November 19, 2013 6:00pm - 9:00pm EST
Empire & Hudson (7th Floor) NY Marriott Marquis

7:00pm EST

Hands-on Ethical Hacking: Preventing and Writing Exploits for Buffer Overflows
Limited Capacity seats available

** YOU MUST RSVP FOR THIS TRAINING BY EMAILING RALPH.DURKEE@OWASP.ORG. CAPACITY IS LIMITED TO 24 ATTENDEES **

An intense 2.5-hour hands-on course in which you will find a buffer overflow vulnerability and then develop an exploit for a stack-based buffer overflow. We'll also discuss and test mitigating techniques such as address randomization, stack protection mechanisms, non-executable stacks and, of course, programming to prevent buffer overflows.

The course will use a virtual Linux system with the required tools running on your own laptop. Students must be comfortable with the Linux command line and be familiar with basic C/C++ programming. We'll be using the GNU development tools such as g++, gcc, gdb, and make. Vim, Emacs and Eclipse will all be installed for your editing and exploit-writing pleasure. We'll be looking at assembly code in order to develop the final exploit, so some familiarity with assembly language is helpful but not required. You must bring your own laptop. The laptop can be MS Windows, Mac or Linux; just make sure you have a recent version of VirtualBox installed and working. Having a DVD reader is helpful for transferring the VM, but a flash drive will also be available.

Laptop Requirements:

  • At least 4 GB RAM

  • 8 GB of free disk space

  • VirtualBox 4.2.16 or newer installed.

  • Administrator or root privileges for the laptop.

  • Comfortable with the Linux command line and g++ / gcc.

  • Some C/C++ programming


Speakers
Ralph Durkee

Principal Security Consultant, Durkee Consulting, Inc.
Ralph Durkee is the principal security consultant and president of Durkee Consulting, Inc since 1996. Ralph founded the OWASP Rochester, NY chapter and has served on the board since 2004. Ralph served on the ISSA chapter board to start the Rochester ISSA chapter as well as starting...


Tuesday November 19, 2013 7:00pm - 11:00pm EST
Brecht (4th Floor) NY Marriott Marquis

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you're attending AppSec in person or in spirit, you're invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


Speakers
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...


Tuesday November 19, 2013 8:00pm - 11:59pm EST
Sky Lounge (16th Floor) NY Marriott Marquis
 
Wednesday, November 20


7:00am EST

Registration
Wednesday November 20, 2013 7:00am - 5:00pm EST
3rd Floor

8:30am EST

Welcome to OWASP AppSecUSA - Updates
Let us get this event started!

The presentation will kick off the event with details of the planned activities and any changes to the AppSec USA 2013 schedule.



Speakers
Israel Bryski

IT Security, Nomura
Israel Bryski has over 7 years of experience in technology and information risk management. He is currently working in IT Security at Nomura and is Chapter Leader for the NYC OWASP Chapter.

Peter Dean

Sr Account Executive, Aspect Security

Volunteers

Sarah Baso

Former Executive Director, OWASP Foundation
I am based in San Francisco, California, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations...

Kate Hartmann

OWASP Foundation, OWASP Foundation
Kate joined the OWASP Foundation in May 2008. Kate's work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives...

Wednesday November 20, 2013 8:30am - 8:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

Computer and Network Security: I Think We Can Win!
Some think that computer and network security is a lost cause. I have spent forty years in the field, and it is discouraging that we have made few advances, and lost a lot of ground: our current technologies and practices are clearly unable to keep attackers out of our business.

Bob Morris said that security people are paid to think bad ideas, and I have had a lot of them. The threats are persistent, but not really advanced in most cases. I remain optimistic: it is still early in the game. These are our computers, our software, our network wiring.  We have plenty of CPU cycles and storage and daunting cryptography. We ought to be able to win this battle---we have the home field advantage!

Some things are pretty clear to me at this point: user education and strict edicts are an inadequate substitute for good engineering; a good scientific measure of security still eludes us and is probably an intractable problem; standards compliance and checklists don't solve the problem; and our industry has not improved over the decades.

What does a cure look like? It is still early in the game; our software designs and user interfaces are still at the level of the Ford Model T. I will try to describe some of the technology and scenarios that may be part of the solutions.

Speakers
William Cheswick

I am interested in visualization, user interfaces, security and security usability, typography, tinkering, and science, medicine, and technology in general. Felix, qui potuit rerum cognoscere causas. - Virgil ("Happy is he who knows the cause of things.") I love living in...


Wednesday November 20, 2013 9:00am - 9:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

Project Summit: Writing and Documentation Review Session

OWASP Documentation Projects are a key element in the industry. They are broadly adopted and used. 

This session aims to review the below documents, and give recommendations on where they can be improved.

->OWASP AppSensor Project.

->OWASP Development Guide Project.

->OWASP Code Review Guide Project.

->OWASP Testing Guide Project.

->OWASP Code of Conduct.


During this session, the objectives we will be covering are:

1. Figure out what needs to be done for each project.

2. Assign sections to each participant

3. Finish various sections assigned to you.

4. Consolidate all finished sections.


Join us today!

Moderators
Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement...

Speakers

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based in San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always works hard to do things better. Currently Michael works as a Software Developer Engineer...


Wednesday November 20, 2013 9:00am - 1:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

10:00am EST

Hardening Windows 8 apps for the Windows Store
Security and privacy in mobile development has been a topic in the iOS and Android world for a few years now. Microsoft is entering the fray with its first significant push into the mobile space. Will your apps be the next ones on the front page of Ars Technica (for the wrong reasons)? Bill would like to help you make sure that won't happen. Learn the security considerations of HTML5, backend services, cloud computing and WinRT.

Speakers
Bill Sempf

Secure Software Architect, Products Of Innovative New Technology
Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. I help people write more secure software.


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

The Perilous Future of Browser Security
Video of session:
https://www.youtube.com/watch?v=CzA1hCTkmFw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=41

The tradeoffs required to make a secure browser are often poorly understood, even amongst the best security people. That makes sense, since so few people actually work on browsers. There is little knowledge of what it takes to make a browser safe enough to use when viewing hostile websites, against all known adversaries. In this presentation Mr. Hansen will cover how browsers are critically insecure, how they can be made secure, and what consumers forfeit in order to gain that extra level of security. Lastly, the presentation will cover how to think about tradeoffs and what customers can live without.

Speakers
Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has...


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Automation Domination
Building your application security automation program as part of the Software Development Lifecycle (SDLC) with architects, developers, and QA has always been challenging.  Automation Domination is the answer to that challenge, structuring a continuous integration framework around your portfolio of dynamic (DAST) and static (SAST) scanning products with integration into your software development stack.  We will explore how to take theory into practice with a proven, scalable enterprise solution with OWASP Projects, continuous integration (CI), bug-tracking, and content creation products.

Speakers
Brandon Spruth

Prior to beginning his career in Application Security he was both a Technical Recruiter and Entrepreneur with a passion for Technology. As an entrepreneur, he founded a small computer company that provided services to the Real Estate Industry. Currently, he is also President and a...


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

How To Stand Up an AppSec Program - Lessons from the Trenches
We all know the importance of building security into the development of a company’s applications.  Most of us know many of the steps needed for an effective Application Security Program.  In this talk, we will discuss the best practices for implementing an AppSec Program, we’ll list all the moving parts, and we’ll talk about what worked and what didn’t work in various organizations.
Risk Management
Metrics
Training
SDLC
Requirements
Design Review
Development
Testing
Pre-Production
Production
Lessons Learned

Speakers
Joe Friedman

Director, Security Architecture and Planning, NYSE Euronext
NYSE Euronext - Application Security Program, Security Architecture; Merrill Lynch - Pentest Program, Security Architecture; Johnson & Johnson - Risk Assessments and Pentests of M&A targets & Operating Companies, Development of Security Processes; Various financial firms, startups...


Wednesday November 20, 2013 10:00am - 10:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

10:00am EST

PANEL: Aim-Ready-Fire
Audio recording of panel:
https://www.youtube.com/watch?v=ZWARRluApsA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=22

Software assurance has emerged in the past 5-6 years as the key focus area for information security professionals. The C-suite has recognized software assurance to be more than a hygiene problem, as application security breaches have started to affect the bottom line of companies. International regulators are demanding systems that are more resilient. The number and complexity of cyber breaches keep increasing and there is no relief in sight... Let's learn what is working and what is not.

Moderators
Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
Wendy Nather is Research Director, Security, within 451 Research's Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's primary areas of coverage are on application security and security services. Wendy joined...

Speakers
Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community...
Pravir Chandra

Security Architect at Bloomberg, Bloomberg
Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security...
Suprotik Ghose

Head of Security, Risk & Control, Americas, RBS
Head of Security, IT Risk & Control, M&IB Americas; Head of Security Operations, Global M&IB. Suprotik Ghose has over 22 years of experience (18 years in financial services) in infosec policy, privacy, compliance and IT risk. Since June 2012, Mr. Ghose has been...
Ajoy Kumar

Head of Application Security, UBS
Extensive experience in designing, implementing, and managing enterprise Software Security Programs from the ground up.  Strong innovation skills have led to many value delivery systems in the enterprise. Strong believer in implementing security process and technology controls over...
Jason Rothhaupt

Broadridge
Leader of technology risk management functions for financial service companies. Currently focused on reducing the risk that insecure applications pose to critical business functions and processes. Specialties: Application Security, Information Security, Technology Risk Management, Business...
Ramin Safai

Chief Information Security Officer, Jefferies
Ramin Safai is the first Chief Information Security Officer at Jefferies. As CISO, Ramin is responsible for Jefferies' global cyber security and IT risk management programs. Prior to joining Jefferies, Ramin was Americas CISO at Barclays and had global responsibilities for rollout...


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Project Talk: Project Leader Workshop
The Project Leader Workshop is a 45 minute event activity that brings together current and potential OWASP project leaders to discuss project related issues and topics. The Project Leader Workshop is an optional event activity for our leaders that takes on a presentation and discussion format. It is an interactive tool used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members.

Leaders can expect to learn more about the OWASP Projects Infrastructure, the benefits of having an OWASP Project, and how they can leverage the infrastructure to help promote their project to the community and beyond. OWASP Project Manager, Samantha Groves, will lead the session. 

Speakers
Samantha Groves

Program Manager, OWASP
Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement...


Wednesday November 20, 2013 10:00am - 10:50am EST
Edison (5th floor) NY Marriott Marquis

11:00am EST

OWASP PCI toolkit Session
Join us and learn how to help organizations achieve PCI-DSS compliance with OWASP tools & Documentation by creating an interactive scope toolkit app. 

Speakers
Johanna Curiel

Security Engineer and Researcher, Mobiquity
Johanna Curiel is a security engineer and researcher with 18 years of experience in programming, testing and quality control. Her early encounters with hackers and cybercrime were a turning point in her career, leading her to work in the area of cyber security. Between 2005 and 2007, she worked as...


Wednesday November 20, 2013 11:00am - 11:45am EST
Sky Lounge (16th Floor) NY Marriott Marquis

11:00am EST

From the Trenches: Real-World Agile SDLC
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise.  In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.
In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project.  We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers
Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode’s core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Security...


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Securing Cyber-Physical Application Software
Researchers and practitioners have historically not sufficiently addressed the fact that software engineers responsible for IT systems take very different approaches from those who design and build industrial control systems. When Web-facing and distributed information systems are interconnected with legacy industrial control systems, which usually do not include effective security requirements, two major issues arise: one is the possibility of someone gaining access to control systems via Web applications and public networks, and the other is the potential for the transfer of fallacious information from the control systems to the information systems, as ostensibly occurred with Stuxnet. In this presentation we take a new approach to processes and technologies for mitigating the threats and hazards that impinge on, or result from, systems such as the smart grid. The presentation is based in part on the author's book Engineering Safe and Secure Software Systems (Artech House, 2012).

Speakers
Warren Axelrod

40 years as an IT professional, mostly in financial services with the past 17 years in information security. Spent time at Mobil Oil in IT planning. Actively involved in cybersecurity at industry and national level. Testified before Congress in 2001. Honored by Computerworld (Premier...


Wednesday November 20, 2013 11:00am - 11:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

11:00am EST

Why is SCADA Security an Uphill Battle?
Video of session:
https://www.youtube.com/watch?v=quhbhy7WkkA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=12

This talk will present the technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls that organizations can implement to protect against these attacks. It will focus on how OWASP and SCADA are becoming closely knit together. The talk will also introduce an updated version of an open-source tool to help identify and inventory SCADA systems.
The presentation will begin by introducing SCADA systems under the hood, including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categorize these components into distinct groups based on the functionality each component provides. We will review the security implications of each of these groups and identify where most of the threats lie. We will take a packet-level dive into SCADA protocols and study their security implications. The presentation will give examples of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation. It will then focus on real-world examples of successful and not-so-successful implementations of security controls with SCADA systems, including examples of what some large organizations have done. We will conclude with guidance on how control system owners can start implementing additional measures to reach an acceptable level of security.
Attendees who are in charge of control system infrastructure will get insight into what worked and what did not for other organizations. Engineers who are in charge of security for control systems will get better technical insight into SCADA protocols and components and can use the open-source tool that is introduced. Attendees who are new to control systems will get an excellent overview of the security complexities of control systems.

Speakers
Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability...


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Computer Crime Laws - Tor Ekeland, Attorney
The Computer Fraud and Abuse Act: An Overview

The notorious Computer Fraud and Abuse Act (CFAA) is the most litigated federal computer misuse statute in existence. This presentation will cover the basics of the CFAA, starting with its origins, how Congress intended it to be used, and how the Department of Justice uses it today.

After a brief discussion of the legislative origins of the CFAA in the Orwellian year of 1984, the presentation will sketch the main statutory components of the law, focusing specifically on the provisions that prohibit unauthorized access to obtain information and those that prohibit damage to a computer. Because the CFAA fails to define what it primarily seeks to prohibit – unauthorized access to a protected computer – the presentation will then cover the myriad different interpretations of unauthorized access.

Finally, the presentation will cover more recent CFAA cases invoking these different concepts that Tor has worked on as either lead or co-counsel, including United States v. Auernheimer (aka weev’s case), which is currently on appeal in front of the Third Circuit Court of Appeals. If there is time, Tor will take questions.

Speakers
Tor Ekeland

Attorney, Tor Ekeland, P.C.
Tor was lead trial counsel for Andrew Auernheimer (“Weev”) in his prosecution under the Computer Fraud and Abuse Act (“CFAA”) for downloading roughly 120,000 iPad subscriber email addresses from AT&T’s publicly accessible server.  He is currently lead counsel in Mr. Auernheimer’s...


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Can AppSec Training Really Make a Smarter Developer?
Video of session:
https://www.youtube.com/watch?v=jUOecoGGA2g&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=40

Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program.   Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard.  Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training.  The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.  The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time.  The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers
John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group...


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Project Talk: OWASP Enterprise Security API Project
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. Learn more about the OWASP ESAPI Project from Project Leaders, Chris Schmidt and Kevin Wall. 

Speakers
Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership...
Kevin Wall

Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec...


Wednesday November 20, 2013 11:00am - 11:50am EST
Edison (5th floor) NY Marriott Marquis

12:00pm EST

All the network is a stage, and the APKs merely players: Scripting Android Applications
Video of session:
https://www.youtube.com/watch?v=yh4-F90XONI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=7

The existence of open, well-defined APIs for many popular websites has been a boon to spammers, but as these networks have grown in popularity their operators have begun to care more about the integrity of the network. Third-party access to these APIs is becoming increasingly restricted, while at the same time the desire for a frictionless mobile experience has led to much looser restrictions in the operators' own applications.
We'll leverage this, along with the ability to load and execute Android APKs within JRuby sessions, to create and control a social botnet.
We'll begin with a brief overview of tools for disassembling, understanding, modifying, and rebuilding APKs. We will then move on to scripting portions of the application in a JRuby session, along the way covering key recovery, bypassing custom cryptographic routines, and general exploration of the code in a dynamic environment.
We'll conclude with leveraging what we've discovered to create and control thousands of accounts. Building on available information sources, such as the US census, and streams provided by the targeted network itself, these accounts will have realistic characteristics and interact with the network in believable ways.

Speakers
Daniel Peck

Principal Research Scientist, Barracuda Networks
Peck is principal research scientist at Barracuda Networks; he is currently focused on studying uses of social networks as a medium for attacks. Previous research includes comparing content and non-content based systems to identify malicious accounts on Twitter/Facebook, exploiting...


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

BASHing iOS Applications: dirty, s*xy, cmdline tools for mobile auditors
Video of session:
https://www.youtube.com/watch?v=Ef_YeULnw1k&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=8

The toolchain for (binary) iOS application assessment is weak BUT, like an island of misfit toys, there can be strength in numbers. Join us as we explore what actually needs to be done in a mobile assessment and how we can do it right from our SSH prompt on our iOS device. Our tool is simple yet effective, and as you learn to do mobile assessments you'll also teach yourself the fundamentals of the OWASP Mobile Top 10. Topics explored will be binary analysis, app decryption, data storage, endpoint parsing, class inspection, file monitoring, and more! Heck, we might even release some sort of ghetto BASH Obj-C source parser!

Speakers
Jason Haddix

Head of Penetration Testing, Fortify
I currently facilitate information security consulting at HP which includes developing test plans for Fortune 100 companies and competing in "bake-offs" against other top tier consulting vendors. My strengths are web, network, and mobile assessments. I write for my own infosec website...
Dawn Isabel

HP ShadowLabs
Dawn Isabel is currently a Mobile Security Consultant at HP ShadowLabs, where she tests iOS and Android applications and develops in-house tools for static and dynamic analysis of mobile apps. Prior to that, she designed and ran a penetration testing service at the University of Michigan...


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

Case Study: 10 Steps to Agile Development without Compromising Enterprise Security
Video of session:
https://www.youtube.com/watch?v=Y31qgnF-Bzg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=30

In an Agile, fast-paced environment with frequent product releases, security code reviews and testing are usually considered a delaying factor that conflicts with success. Is it possible to keep up with the high-end demands of continuous integration and deployment without abandoning security best practices?

We started our journey seeking a way to reduce the friction, risk and cost driven by identifying vulnerabilities too late, when already in production. After a long journey and many lessons learned, we have successfully added in-depth security coverage to more than 20 SCRUMS and up to 1M lines of code. We are happy to share our insights, tips and experience from that process.

LivePerson is a provider of SaaS-based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform on a monthly basis. LivePerson's R&D center consists of hundreds of developers who work with Agile and Scrum-based methods, closely tied to our Secure Software Development Lifecycle.

In order to achieve the best results and reduce friction, we have tailored the SSDLC to the standard SCRUM process and added security coverage (both operational and technical controls) to each phase: a mutual Security High Level Design with the Software Architects after release planning, definition of the technical security controls and framework during sprint planning, implementation of ESAPI and Static Code Analysis in the CI, manual code reviews, Automated Security Tests during QA, and a penetration test as part of the release.

This session will include detailed information about the methodologies and operational cycles, as well as measurable key success factors and tips related to the implementation of the tools and technologies we use (e.g. the ESAPI package, Static Code Analysis as a Maven step, vulnerability scanning plugins).

References:

OWASP ESAPI: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press
The Burp Suite: http://portswigger.net/burp/
OWASP Developer Guide: http://ignum.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

Speakers

Yair Rovek

Security Specialist, LivePerson
A technical information security specialist with more than 25 years of experience and strong knowledge in Network and Web Applications.


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

Build but don't break: Lessons in Implementing HTTP Security Headers
Content Security Policy is a new standard from the W3C that aims to help stop a mainstay of the OWASP Top 10, cross-site scripting (XSS). The problem faced by many major sites today is how to craft a working Content Security Policy for already existing applications. We will discuss real-world techniques to simplify policy generation and testing, as well as what changes are coming in CSP version 1.1. I will also discuss additional security headers such as X-Frame-Options to stop clickjacking and HTTP Strict Transport Security to stop man-in-the-middle attacks.

Speakers

Kenneth Lee

Product Security Engineer, Etsy
AppSec Engineer @ Etsy. Loves pentests, code reviews, and a good cup of tea. Twitter: @kennysan Github: https://github.com/kennysan


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

12:00pm EST

The Cavalry Is Us: Protecting the public good

Video of session:
https://www.youtube.com/watch?v=aXMcLO4dNwQ&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=2


Speaker(s): Joshua Corman and Nicholas Percoco

Description: In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, one painful truth has become clear: The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. At DerbyCon, we begin the work of shaping our futures. Here at AppSec, we have the opportunity to level-up and reframe our role in all of this. As the initiated, we face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety… Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. It is time for some uncomfortable experimentation.

This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and organize and initiate our “constitutional congress” working sessions. The time is now. It will not be easy, but it is necessary, and we are up for the challenge.

It's high time we make our dent in the universe. For background, please watch the video of the launch of @iamthecavalry: http://bit.ly/16YbpC1

Join the conversations also at the Google group: https://groups.google.com/d/forum/iamthecavalry


Speakers
Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...
Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade that performed more than 2000 computer incident response and forensic...


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

OWASP NIST NSTIC IDecosystem Initiative: Initial Discussion Meeting
Bev Corwin, Member Representative for the OWASP IDESG Identity Ecosystem initiative is holding a first meeting discussion forum at AppSec USA to elaborate on the foundation's involvement with the NSTIC Identity Ecosystem Steering Committee. Please contact Bev Corwin (Bev.Corwin@owasp.org) if you wish to attend. 

Moderators
Bev Corwin

Volunteer, ARC
http://www.linkedin.com/in/bevcorwin
Red Cross email: bev.corwin2@redcross.org
Mobile: 347-908-7098

Wednesday November 20, 2013 12:00pm - 12:50pm EST
Edison (5th floor) NY Marriott Marquis

12:00pm EST

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
Chris Schmidt

Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership...
Kevin Wall

Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec...
Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Wednesday November 20, 2013 12:00pm - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

1:00pm EST

Mantra OS: Because The World is Cruel
Video of session:
https://www.youtube.com/watch?v=aWByCj8qfFE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=28

OWASP Mantra OS was developed under the mantra of “OWASP because the world is cruel”.
This mantra serves as the underlying principle for the development of Mantra OS simply because it is better for the pen tester to find the exploit than the hacker. The tool-set of Mantra OS v13 contains the same tools many hackers use to exploit web applications, such as DDoS, SQL injection, man-in-the-middle attacks, and poisoning attacks. The purpose of this presentation is to show practical testing methodologies using Mantra OS and how to run these tests in a controlled environment. In this talk we will discuss and demo:

• Demo of tool-set of Mantra OS
• Maltego and Intelligence collection.
• DDoS using LOIC, Slow HTTP poisoning and ping of death with Scapy.
• SQL injection with burp and sqlmap.
• Man in the Middle with SSL stripping.
• Arp Poisoning, ICMP poisoning and Smurf attacks.
• How to deploy these attacks in controlled environment.

In addition we will discuss why and how hackers use these tools, methods of mitigating these styles of attacks, and how to turn pen testing into a risk mitigation plan.

Speakers

Greg Disney-Leugers

Platform Security Engineer, Hytrust


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Open Mic - Birds of a Feather --> Cavalry

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade that performed more than 2000 computer incident response and forensic...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Booth (5th Floor) NY Marriott Marquis

1:00pm EST

HTML5: Risky Business or Hidden Security Tool Chest?
Video of session:
https://www.youtube.com/watch?v=fzjpUqMwnoI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=15

The term "HTML5" encompasses a number of new subsystems that are currently being implemented in browsers. Most of these were created with a focus on functionality, not security. But the impact of these features is not all negative for security. Quite the opposite. New abilities to store data on the client, or having access to hardware sensors like geolocation and tilt sensors, have the ability to enhance session tracking and make authentication more secure and easier to use. This talk will select a number of examples to demonstrate the positive, as well as sometimes negative, impact of these features for web application security. Code samples for any demonstrations will be made available.

Speakers
Johannes Ullrich

Dean of Research and a faculty member, SANS Technology Institute
Johannes Ullrich, dean of research at the SANS Technology Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. His research interests include IPv6, network traffic analysis and secure software development. In 2004, Network World named...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

A Framework for Android Security through Automation in Virtual Environments

This session introduces a practical approach to securing Android applications through an automated framework. The framework uses a simple interface and automatically evaluates applications - even hundreds of them - harvesting behavioral data and run patterns, facilitating the vast majority of evolving security tests. Citing research from using this framework, this session will also answer some of today’s most pressing Android security questions.
This presentation will address the limitations of real-time security and fragmented security models for security evaluations of Android applications, and will demonstrate how to resolve this using an automated virtual environment that analyzes the behavior of Android apps while providing a layer of transparency between Android apps and Android users.

Then it will present how I built an open source framework - the Android Security Evaluation Framework (ASEF) - to help resolve the security needs of a larger spectrum of Android users, including researchers and developers. I will explain how to perform security evaluations on a bigger scale for app stores and large organizations by demonstrating scheduled automatic security evaluations that can be done remotely from an Android device using ASEF and its agent.

Citing results from using ASEF, I will also recommend safe practices to follow by being proactive about security measures before installing an app, as well as tips for effective security management after Android apps are installed. I will also discuss the importance of Behavioral Analysis and Vulnerability Management of Android devices, along with the idea of integrating security tests in the plug-and-play framework of ASEF.

Lastly, I will discuss the future of Android security through the eyes of automation and what tactics can be used to achieve conclusive and comprehensive coverage of upcoming Android security needs.


Speakers
Parth Patel

Backend Developer / Security Engineer, Qualys
I find a programmatic way to replace myself at work and when I do, I explore new challenges to work on. Android Security is my most recent interest. Please visit my Open Source Project at (http://code.google.com/p/asef/). I have presented my research work at Security Conferences like...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

1:00pm EST

2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs
Video of session:
https://www.youtube.com/watch?v=J4i3RY5AGhc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=3

As an organization born from grassroots ideals and volunteer efforts that started 12 years ago with visionaries such as Mark Curphey, OWASP has grown in membership. OWASP's mission has been to make application security visible to application security stakeholders. Thanks to the OWASP corporate sponsors and volunteers working on sponsored projects, OWASP has delivered free tools and guides that have helped software developers build more secure web applications. Most notably, the OWASP Top Ten has provided the benchmark for testing web application vulnerabilities for several organizations. Projects such as the Development Guide and Testing Guide provide pointed guidance to software developers on how to design and test web applications. Among the application security stakeholders that OWASP serves today, Chief Information Security Officers (CISOs) are often the ones that make decisions on rolling out application security programs and activities, invest in new tools, and set budgets for application security resources. Recognizing the important role that the CISO has in managing application security processes within organizations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats, and considering the costs and the benefits for the organization. Recognizing that a CISO guide has first and foremost to capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs.
One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations, and risk management. Specifically, the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.

Speakers
Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and...

Marco Morana

Director Head of Security Architecture, JPMC
Dr. Morana is SVP at Citi's Information Security based in Tampa focusing on bringing emerging technologies for cybersecurity and FinTech to the level of maturity required for adoption by Citi and Citi clients. In his day to day job his focus is document internal technology standards...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

PANEL: Privacy or Security: Can We Have Both?
Often confused with each other, security and privacy are both interdependent (privacy generally requires robust security) and sometimes at odds with each other (security may require sacrificing privacy). While the public’s online privacy has taken a big hit in the past decade, it is at least defended by an army of public-interest groups and legal experts. Meanwhile, to many, the public’s online security often remains shrouded in technical jargon and barely present in public policy discussions. This panel will explore issues such as these:

- When do security measures go “over the line” and begin encroaching on individual privacy?
- What privacy rights is the public (or should it be) willing to trade for more security?
- Online anonymity gets a lot of lip service. Has it outlived its usefulness? Political dissidents aside, is it now doing more harm than good by shielding criminals while hardly protecting the average user?
- Major private and public institutions often fall down on the job of ensuring either cybersecurity or cyberprivacy. What combination of self-regulation, government oversight, and market accountability (in the form of cyber insurance, auditing, and litigation) would most effectively push them to better meet their responsibility to the public and shareholders?

Moderator: Jeff Fox, Technology Editor, Consumer Reports and ConsumerReports.org

Moderators
Jeff Fox

Electronics Deputy Content Editor, Consumer Reports Magazine
Jeff Fox is an Electronics Deputy Content Editor at Consumer Reports magazine and ConsumerReports.org. He has covered online security and privacy for 19 years and edited the annual Consumer Reports State of the Net investigative report for the past 9 years. Prior to joining Consumer...

Speakers
Joseph Concannon

Joseph R. Concannon brings his leadership, program management skills and endless energy to the helm of Integris Security LLC., a boutique security startup firm. Mr. Concannon, with his experience, brings to Integris Security information and physical security, disaster recovery/business...

James Elste

CEO & Co-Founder, Cognitive Extension, Inc.
James is CEO and Founder of Cognitive Extension, Inc., leading the development of inqiri.com and the Decision Optimization Engine technology platform. He has extensive experience developing and managing enterprise cyber-security programs, in both the public and private sectors having...

Jim Manico

Founder and Lead Instructor, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC and Inspectiv. Jim is a frequent speaker on secure software practices...

Amy Neustein

Author; Editor-in-Chief, International Journal of Speech Technology
Amy Neustein, Ph.D., is Editor-in-Chief of the International Journal of Speech Technology (Springer), a member of De Gruyter’s STM Editorial Advisory Board, and Editor of their new series, Speech Technology and Text Mining in Medicine and Healthcare. Dr. Neustein is also Series Editor...

Jack Radigan

Owner, Centrych Systems LLC
Jack is a Navy veteran whose IT career has taken him from independent and corporate software development, to multi-national messaging infrastructure design and deployment, to information security. He's worked as a contributor and manager for companies in archival data, business information...

Steven Rambam

Founder and CEO, Pallorium, Inc
Steven Rambam is the founder and CEO of Pallorium, Inc. (http://www.pallorium.com), a licensed Investigative Agency with offices and affiliates worldwide. Since 1981, Pallorium's investigators have successfully closed more than 10,500 cases, ranging from homicide and death claim investigations...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Project Talk: OWASP OpenSAMM Project

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. The resources provided by SAMM will aid in:

◊ Evaluating an organization’s existing software security practices

◊ Building a balanced software security program in well-defined iterations

◊ Demonstrating concrete improvements to a security assurance program

◊ Defining and measuring security-related activities within an organization

SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development. Additionally, this model can be applied organization-wide, for a single line-of-business, or even for an individual project.

Project Leader, Sebastien Deleersnyder, will be speaking about the project in depth in this talk.

Speakers
Pravir Chandra

Security Architect at Bloomberg, Bloomberg
Pravir Chandra is a veteran in the security space and a long-time OWASP contributor, including his role as the creator and leader of the Open Software Assurance Maturity Model (OpenSAMM) project. Currently as security architect for the CTO of Bloomberg, he drives proactive security...

Sebastien Deleersnyder

CEO, Toreon
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Edison (5th floor) NY Marriott Marquis

2:00pm EST

Javascript libraries (in)security: A showcase of reckless uses and unwitting misuses.
Client-side code is a growing part of the modern web, and the common patterns or libraries that are supposed to make developers' lives easier have the drawback of adding complexity to the code, exposing unexpected features with little or no warning. We will focus on the most popular JavaScript libraries, such as jQuery and YUI, and on common design patterns, describing how wrong assumptions can lead to unexpected, unsafe behavior. Several code examples and live demos during the talk will clarify both exploitation techniques and positive coding strategies. The presentation will also show some interesting case studies, collected and identified during two years of real-world application analysis.

Speakers
Stefano Di Paola

CTO and Co-Founder, Minded Security
Security since 2000, application security since 2004, when I made http://www.wisec.it and published several advisories. Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding MindedSecurity, Stefano...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

2:00pm EST

Revenge of the Geeks: Hacking Fantasy Sports Sites
Video of session:
https://www.youtube.com/watch?v=a7asG7rbsHo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=37

In this talk, I’ll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I’ll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications showing every “sneak play” required to control the application. The tools and techniques used in this hack can be applied against any mobile application. These applications leverage rich new formats like JSON and REST to deliver a rich user experience, and are not surprisingly exposing the same familiar vulnerabilities like SQL and command injection, yet are not being effectively tested.
In this particular application, mistakes with the application’s session management enable me to break down the nested communication formats and finally inject targeted payloads to manipulate both team lineups, to make sure my players were on top and to cause my opponents to lose. I also found that I could post false comments on the message board from the victim's account.
After we walk through the sack, I mean hack, we’ll abstract these techniques, tie them directly to OWASP best practices, and apply them to other mobile applications so participants will walk away with specific tools and techniques to better understand mobile back-end hacking. Are you ready for some football?
This presentation will:
--Provide overview and details about each of the various formats (JSON, REST, SOAP, GWTk, and AMF) in popular use today
--Provide clear examples of basic mobile app insecurity
--Demonstrate how to set up an environment to start watching mobile traffic, including how to leverage Wifi Pineapple hardware to set up a local access point
--Demonstrate how to inject malicious characters into these services to find vulnerabilities
--Discuss what tools are available to automate this process and make it a little easier
--Show examples of real vulnerabilities in mobile apps in use today
Attendees will be given a whitepaper with the details of the complete setup demonstrated in the talk.

Speakers
Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

What You Didn't Know About XML External Entities Attacks
Video of session:
https://www.youtube.com/watch?v=eHSNT8vWLfc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=9

The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs), are a well-known source of potential security problems. Despite being publicly discussed for more than a decade, a significant percentage of software using XML remains vulnerable to malicious schemas and DTDs. This talk will describe a collection of techniques for exploiting XML external entities (XXE) vulnerabilities, some of which we believe are novel. These techniques can allow for more convenient file content theft, sending of arbitrary data to arbitrary internal TCP services, uploads of arbitrary files to known locations on a vulnerable system, as well as several possible denial of service attacks. We hope this talk will raise awareness about the overall risk associated with XXE attacks and will provide recommendations that developers and XML library implementors can use to help prevent these attacks.

Speakers
Timothy Morgan

Tim is credited with the discovery and responsible disclosure of several security vulnerabilities in commercial off-the-shelf and open source software including: IBM Tivoli Access Manager, Real Networks Real Player, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Open Mic: Making the CWE Approachable for AppSec Newcomers

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
Hassan Radwan

Secure Decisions
Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Booth (5th Floor) NY Marriott Marquis

2:00pm EST

"What Could Possibly Go Wrong?" - Thinking Differently About Security
Video of session:
https://www.youtube.com/watch?v=bIn-tzGezqM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=16

Almost all security professionals have one or more headshaking security stories caused by everything from sloppy design to execrable coding to insanely asymmetric risk assumption. Technical acumen is not enough if we want to improve actual security (instead of improving our job security): we need to think about, and talk about, security differently.   This means absorbing the language, constructs and lessons of other disciplines from economics (systemic risk) to military history and tactics (force multipliers). It means understanding the limits of technology, that there are "unknown unknowns" and that humans are all too fallible (and there's no upgrade coming). Lastly, it requires the techno-proficient among us to learn to de-geek our speak so that we can express security concerns in terms that decision makers and policy makers can understand: "barbarians are at the gate" is so much more understandable and actionable than "there's a manifestation of a theoretic weakness in the Visigoth detection protocol."  

Speakers
Mary Ann Davidson

Chief Security Officer, Oracle
Mary Ann Davidson is the chief security officer at Oracle, responsible for Oracle software security assurance. She represents Oracle on the board of directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), and serves on the international board of...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

PANEL: Cybersecurity and Media: All the News That's Fit to Protect?

It's no longer possible to be in the news media without being security savvy.

Edward Snowden's NSA leaks, FBI subpoenas of reporters' phone records, and frequent hack attacks directed against news organizations -- all of these prove that we're living in a time when journalists need cybersecurity skills. 

Whether to protect the sacred bond between reporters and sources or to protect the credibility and availability of a major news website, those in the media must know what security tools are available and how to use them. And the security industry must know what journalists need, and how existing tools fall short.

In this panel, reporters and IT pros will describe how security issues have affected them. We'll discuss leading-edge software and best practices to protect the newsroom. And we'll create a wishlist for the software and services needed to protect journalism's role as the 24/7, real-time, global clearinghouse of the information economy. 


Moderators
Dylan Tweney

Executive Editor, VentureBeat
Dylan Tweney is Executive Editor of VentureBeat (http://venturebeat.com), an independent tech news site that reaches 5 million readers per month. Previously, he was senior editor at Wired.com, where he was responsible for the site’s gadget news and product reviews from 2008 to 2011, and launched the site’s business coverage in 2007. In the past, he...

Speakers
Michael Carbonne

Michael is Manager of Tech Policy and Programs at Access, an international human rights organization fighting to defend and extend the digital rights of users at risk around the world. There he manages projects that analyze digital attacks on civil society and media organizations...

Rajiv Pant

CTO, New York Times
Rajiv Pant is Chief Technology Officer & VP at The New York Times. Prior to his promotion to CTO, Rajiv joined The Times as Vice President of Digital Technology. He supervises a staff of 250+, including the Vice Presidents of Web & Mobile Engineering, CMS & Publishing, and Ecommerce & Customer Service; the Directors of Business Intelligence...

Gordon Platt

President, GothamMedia
Gordon Platt is the Founder and President of Gotham Media. He is an attorney, television producer and was the Executive Producer of the Poliak Center for First Amendment Issues at Columbia Journalism School. Platt launched Gotham Media in 2007 as a conference company with a focus...

Space Rogue

Strategist, Tenable
Space Rogue and his colleagues created the first security research think tank known as L0pht Heavy Industries and was a co-founder of the Internet security consultancy @Stake. While at L0pht Heavy Industries Space Rogue created the widely popular Hacker News Network, which quickly...

Nico Sell

CEO & Co-Founder, Wickr/r00tz
Nico Sell is a professional artist, athlete and entrepreneur based in California. She is CEO and cofounder of r00tz and Wickr. Wickr is a free messaging app enabling anyone to send self-destructing messages that are anonymous, private, and secure. r00tz is a nonprofit dedicated...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Project Talk: The OWASP Education Projects
The OWASP Education project is meant to centralize all educational initiatives of OWASP. The project will not deliver education material as such, but define standards and guidelines on education material. Furthermore, this project aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen scrape video courses, and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously.

Initiatives of the OWASP Education Project are:
  • OWASP Academies
    • OWASP Academy Portal
    • OWASP University Outreach
    • OWASP Student Chapter
Project Leaders, Martin Knobloch and Konstantinos Papapanagiotou, will be giving a talk on the various education projects within the OWASP Projects Inventory. Attend this talk for an excellent overview of each initiative.

Speakers
Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.

Martin Knobloch

Member of the BoD / OWASP Netherlands Chapter Lead, OWASP


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Edison (5th floor) NY Marriott Marquis

3:00pm EST

Advanced Mobile Application Code Review Techniques

Abstract:
Learn how Mobile experts blend their techniques in order to accelerate code reviews. While reviewing Windows Phone 8, Hybrid or HTML 5 applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.

Objectives:
• To give live demonstrations of the most common insecurities found in Windows Phone 8, HTML5 or Hybrid applications.
• To share tested and proven methods of discovering insecurities via code reviews.
• To learn how to efficiently conduct source code reviews for mobile applications.
• To develop a checklist for Mobile Code Reviews.

Outline:
An emerging trend is the use of smart phones for financial transactions. As usage of mobile devices grows, concerns about security for mobile transactions also grow. With the demand for M-Commerce and M-Banking applications rising, mobile application developers should be aware of what flaws they may inadvertently introduce.
This presentation is intended to provide an insight into coding-related flaws present in mobile applications. It is aimed at providing you with a targeted and efficient approach towards the discovery of these flaws in your mobile application code. As Windows Phone 8, HTML 5 and Hybrid mobile technology are the latest popular mobile platforms or technologies, we will focus on these areas during this presentation. The content of the talk is outlined below:
• Introduction to Mobile Applications
• Threats to mobile applications
• Advantages of "Mobile Code Reviews"
• Windows Phone Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Attacks on data stored in the device
  • Malware present in the application, which sends unauthorized SMSs or makes unauthorized calls.
  • Incorrectly implemented application encoding and encryption.
  • Tapjacking
  • Other hacks
• HTML5 Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Insecure data validation and injection-based attacks
  • Client-side data caching and storage
  • Client-side reflection-based attacks
  • Insecure network connections
  • Other hacks
• Hybrid Technology Mobile Insecurities
  • A gist of the insecurities with respective discovery techniques and solutions.
• Advanced Mobile Code Reviews
  • The checklist compiled so far during the presentation
  • Handy tricks for Mobile Code Reviews
  • A quick demonstration of the discovery of vulnerabilities in a vulnerable application
• Conclusion

Speakers
sreenarayan a

Security Product Lead, Capital One
Sreenarayan is currently working as an Independent Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

3:00pm EST

OWASP Zed Attack Proxy
Video of session: https://www.youtube.com/watch?v=pYFtLA2yTR8&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=1

The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects.
It is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolbox.

After giving a quick introduction for people new to ZAP, Simon will focus on the latest features, including those developed as part of the Google Summer of Code as well as Plug-n-Hack and the Zest scripting language.

Simon will also demonstrate soon-to-be-released features that have not been seen before and are believed to be not currently possible using equivalent tools.

Speakers
Simon Bennetts

ZAP Project Lead, Jit
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Open Mic: FERPAcolypse NOW! - Lessons Learned from an inBloom Assessment

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
Mark Major

Cybersecurity Engineer, Aerstone
By day Mark works as a cybersecurity engineer at Aerstone. By night and on weekends he organizes the Boulder OWASP chapter. Mark directs the annual Front Range OWASP Conference (SnowFROC) in Denver, CO. In 2014 he took a break from SnowFROC in order to chair AppSec USA. In these roles, Mark was integral in all areas of planning, including budgeting, venue negotiation, sponsorship, vendor management, catering, speaker and volunteer coordination, scheduling, marketing, and registration. In his free time, Mark brews beer, strums guitar, picks up toys, and reads bed...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Booth (5th Floor) NY Marriott Marquis

3:00pm EST

Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation
Video of session:
https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=33

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organizations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5.
Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.
We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal with these nuances at runtime.
Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks.

Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results.
Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).

Speakers
Brian Holyfield

Gotham Digital Science
Brian is a founding member of Gotham Digital Science. He has over 10 years of experience performing penetration testing and code review. Brian is also the team lead for SendSafely, a browser-based encrypted file exchange platform. Brian has spoken at numerous security conferences...
Erik Larsson

Erik is a professional Java developer. In addition to writing code, Erik also consults with other developers on how to identify security flaws through code review and secure development patterns. Java Developer for SendSafely.com and Secure Development Consultant with Gotham Digital...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Making the Future Secure with Java
Video of session:
https://www.youtube.com/watch?v=L2Bgn6xMog0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=13


The world is not the same place it was when Java started. It’s 2013, and attackers are intensely motivated, sophisticated, and well organized. Java security is a significant concern across many organizations as well as for individuals. Attend to learn more about Oracle’s progress on Java platform security and some of our plans for the future.

Speakers
Milton Smith

Sr. Principal Product Security Manager - Java, Oracle
Milton Smith (Twitter, @spoofzu) leads the strategic security program for Java platform products as Sr. Principal Security PM at Oracle. Milton is responsible for defining the security vision for Java and managing working relationships with security organizations, researchers, and...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

PANEL: Mobile Security 2.0: Beyond BYOD
BYOD has moved quickly from technology concept to business reality. Today's workers bring the mobile devices they want into their organizations, freely accessing data and working from the most convenient network connections. While all this mobility has unleashed greater productivity for today's companies, it has introduced a new level of complexity for IT. IT professionals today need to move their mobility strategies from BYOD 1.0 -- the introduction of different devices and network connections into the enterprise -- to BYOD 2.0 -- a comprehensive framework that helps IT better monitor and secure data and networks without compromising the productivity of workers. This panel will tackle the issues IT now faces as it evolves from the early era of BYOD into a more complex work world of multiple devices, social media, apps, and more.

Moderators
Stephen Wellman

Vice President and Editor-in-Chief, Slashdot Media
Stephen Wellman is Vice President and Editor-in-Chief of Slashdot Media where he oversees all editorial content creation and operations across the company’s industry-leading media properties, including Slashdot, SourceForge and Freecode. Stephen works hands-on with the editors...

Speakers
Devindra Hardawar

National Editor; Lead Mobile Writer, VentureBeat
Devindra Hardawar is VentureBeat's National Editor and lead mobile writer, focusing on the latest news from Apple, Google, Samsung, Blackberry and Motorola, along with the hottest startups that are disrupting the industry. Devindra has been writing about technology since 2004, worked...
Daniel Miessler

Principal Security Architect, HP
Daniel Miessler is Principal Security Architect with HP based out of San Francisco, California. He specializes in application security with specific focus in web and mobile application assessments, helping enterprise customers build effective application security programs, and speaking...
Jason Rouse

Security Architect, Bloomberg LP
Jason Rouse is currently a member of the team responsible for the security of Bloomberg LP's products and services, exploring how to re-invent trusted computing and deliver on the promise of ubiquitous biometrics. Jason is passionate about security, splitting his time between...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

3:00pm EST

Project Talk: OWASP AppSensor Project
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance for implementing intrusion detection and automated response in an existing application. Current efforts are underway to create the AppSensor tool, which can be utilized by any existing application interested in adding detection and response capabilities. Learn more about the OWASP AppSensor Project by attending this talk by OWASP Co-Founder Dennis Groves.

Speakers
Dennis Groves

Co-Founder, OWASP
Dennis Groves is the co-founder of OWASP and a well known thought leader in application security whose work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London.
John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool and looking for prior art. For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Edison (5th floor) NY Marriott Marquis

4:00pm EST

OWASP Top Ten Proactive Controls
Video of session:
https://www.youtube.com/watch?v=Cg5dN8Pyn_c&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=4

You cannot hack your way secure!
The OWASP Proactive Controls is a "Top 10 like document" aimed at helping developers build secure applications. This project is phrased and built in a positive, testable manner that describes the Top 10 software control categories that architects and developers should absolutely, positively include 100% of the time in every software project.
This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers
Jim Manico

Founder and Lead Instructor, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC and Inspectiv. Jim is a frequent speaker on secure software practices...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Open Mic: Struts Ognl - Vulnerabilities Discovery and Remediation

Wednesday November 20, 2013 4:00pm - 4:50pm EST
Booth (5th Floor) NY Marriott Marquis

4:00pm EST

Big Data Intelligence (Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud)
Video of session:
https://www.youtube.com/watch?v=afMvndBEv-I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=6


As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases exponentially, leaving security experts with a big data mess to analyze. Pinpointing real attacks in a sea of security event noise becomes an almost impossibly tedious task. In this presentation, we will unveil a unique platform for collecting, analyzing and distilling Petabytes of WAF security intelligence information. Using the collected data, we will discuss the OWASP ModSecurity Core Rule Set project's accuracy, and reveal common attack trends, as well as our impressions and suggestions for how to wisely make the best out of the CRS project.
Topics covered in this presentation:
• Using Big Data for analyzing web application security trends
• Akamai's Cloud Security Intelligence (CSI) platform - collecting Petabytes of WAF events with near-real-time analysis capabilities
• Sample data analysis - Top 10 web application attacks and trends, as collected by the system
• Short demo of a unique user interface for navigating and analyzing big WAF data (SARA - Security Analytics Research Application)
• Measuring the accuracy of the OWASP CRS project
• Analyzing the accuracy of CRS - precision, recall & accuracy statistics against real-world traffic
• Frequent real-world false positive scenarios, and how to remediate them
• Top 10 triggering rules statistics

Presentation Length: 45 minutes

Speakers
Tsvika Klein

Product Line Director, Akamai
Rich experience as a speaker in industry conferences and technical panels such as OWASP and academia.
Ory Segal

Sr. Director, Threat Research, Akamai
Information about my history in the security industry can be found in the reflection blog post done on me: http://myappsecurity.blogspot.co.il/2007/04/reflection-on-ory-segal.html I have been a part of the security industry since 1996, and was closely involved in building some of...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Forensic Investigations of Web Exploitations
Video of session:
https://www.youtube.com/watch?v=WpDSQ18xaXY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=5

Investigation of hacking incidents often requires a combined effort of different technologies. Evidence and forensic artifacts are often found in various forms and formats. Network forensics is one of the components in the process of finding compromised hosts and capturing and reconstructing malicious sessions. Attacks on web vulnerabilities can be replayed and the transmitted data uncovered. This session will cover open source tools used for the investigation of compromised web hosts and network forensics. A variety of tools can produce a quite significant supplement to electronic evidence, and in many cases also capture the malicious executables transmitted in the traffic, or exfiltrated data. Various network protocols and their structure will be presented. Open source network forensic tools will be used on the traffic captured from a hacked web server. Different tools will be introduced for specific tasks in the investigation process. Captured traffic will be analyzed and reconstructed, and various artifacts found in the investigation will be discussed.

Speakers
Ondrej Krehel

Digital Forensics Lead, CEO and Founder, SecurityScorecard
Ondrej Krehel is principal and founder of LIFARS LLC, an international cyber security and digital forensics firm. He’s the former Chief Information Security Officer of Identity Theft 911, the nation’s premier identity theft recovery and data breach management service. He previously...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Sandboxing JavaScript via Libraries and Wrappers
The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state-of-the-art as it does not depend on browser modification nor on pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.

Speakers
Phu Phung

Research Associate, University of Illinois at Chicago
Dr Phu Phung is a Research Associate at the University of Illinois at Chicago from December 2012, employed by the University of Gothenburg, Sweden. From October 2011 to December 2012, he was a postdoctoral researcher at the Department of Computer Science and Engineering, Chalmers University...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

4:00pm EST

Tagging Your Code with a Useful Assurance Label
Video of session:
https://www.youtube.com/watch?v=FCyUwyjIoBE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=14


With so many ways for software to be vulnerable, businesses need a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software. This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life-cycle of a project so that you target the most impactful weaknesses when they are most visible. The approach can be done consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully. Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernible/findable in each of the different stages of a software development effort. For example, when you have a live exemplar system available you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be on looking for weaknesses that are findable by static analysis tools. The follow-on step to this approach is to use what you found and what you did to create “An Assurance Tag for Binaries", basically an assurance "food label" for the code of that project. This talk will conclude with a discussion of what such a tag could look like, what it could capture, how the information could be obtained, who would or could create them, and how they could be represented for humans and machines to use.

Speakers
Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community...
Robert (Bob) Martin

Senior Principal Engineer, MITRE Corporation
Robert (Bob) Martin is a Senior Principal Engineer at the MITRE Corporation and has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Healthcare Security Forum

The Healthcare Security Discussion Forum is offered to provide security application developers an opportunity to discuss and share perspective on a vital industry sector where their work is gaining traction. The Healthcare Forum is an open discussion of activities underway to adopt secure applications (apps) and mobility in the Healthcare sector. It includes guidance from the Office of the National Coordinator (ONC) for Health Information Technology (HIT), from the Healthcare Committee of the National Strategy for Trusted Identities in Cyberspace (NSTIC), from Health Level Seven (HL7), and from the U.S. National Institute for Standards and Technology (NIST), such as Special Publication 800-53-4, "Recommended Security Controls for Federal Information Systems and Organizations." All are welcome to participate in this open discussion of trends, issues, and other topics of interest in the healthcare security sector. A bibliography will be provided to Forum participants.


Moderators
Judith Fincher, PhD

Senior Security Engineer, Electrosoft Services, Inc.
Judith A. Fincher, PhD, is a Senior Security Engineer at Electrosoft Services, Inc., a boutique identity management firm offering security services to federal and non-federal clients. In that role she provides security architecture consulting services to the Veterans Health Administration...
Amy Neustein

Author; Editor-in-Chief, International Journal of Speech Technology
Amy Neustein, Ph.D., is Editor-in-Chief of the International Journal of Speech Technology (Springer), a member of De Gruyter’s STM Editorial Advisory Board, and Editor of their new series, Speech Technology and Text Mining in Medicine and Healthcare. Dr. Neustein is also Series Editor...

Wednesday November 20, 2013 4:00pm - 4:50pm EST
Edison (5th floor) NY Marriott Marquis

5:30pm EST

OWASP Jeopardy
This interactive activity will be a fun-filled event where top security professionals will get a chance to sit on a panel and answer a wide-ranging set of questions relating to the world of OWASP.
Unanswered questions will be presented to the audience, giving everyone a chance to participate and have fun. Questions and answers will also be synchronized through Twitter to add to the participation. Join us for a night of special guest appearances, prizes, fun and drinks.

Bring your squeeze balls!

Moderators
Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of Fortune ten financial firms, along with years of hands-on security consulting, where...

Wednesday November 20, 2013 5:30pm - 7:00pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

6:00pm EST

Silk, Webservers, Exploits and RATz by M4v3r1ck

Disclaimer: If you have trigger issues -- please do not attend this talk.

Now that the statute of limitations has run out on walk with me as I discuss the industry, the people and the events.

From warelords, to the conference that was meant to be a one-time party to say good-bye to BBSs OG. Today's web applications still provide the perfect place for logic bombs. We will talk about current news events including carderprofit.cc and the newest threat to turning a profit.

Face it.. the computer security industry is a JOKE. You will enjoy this talk.

pssssss buddy you want to buy a shell... what'ca want what'ca need?

Speakers
Yuri

sysop
Hacker for Profit


Wednesday November 20, 2013 6:00pm - 6:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

8:00pm EST

Bug Bounty - Group Hack
The Great OWASP Bug Bash of 2013

CALLING ALL SECURITY NINJAS… Whether you’re attending AppSec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

Featuring…
The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/



Moderators
Serg Belokamen

Founder and CTO, Bugcrowd, Inc., Bugcrowd
Serg is a co-founder and the CTO of Bugcrowd. Bugcrowd delivers ad-hoc, ongoing and objective-based bug bounties. Our clients can elect to engage the full crowd, or run a private bounty with just the top ranked testers. Our service lets you test web, mobile and client-side applications...
Dinis Cruz

AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...
Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...
Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate degree in E-Commerce from Harvard University (Boston) and an Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE, DeepSec and Microsoft...
Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles and white papers, and is a published author. His work has been featured in the...

Wednesday November 20, 2013 8:00pm - 11:59pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis
 
Thursday, November 21
 

8:00am EST

Registration
Thursday November 21, 2013 8:00am - 12:00pm EST
5th Floor Ballroom Foyer NY Marriott Marquis

9:00am EST

') UNION SELECT `This_Talk` AS ('New Exploitation and Obfuscation Techniques’)%00
This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also present the ALPHA version of an open-source framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine whether they are an adequate defense measure to stop a real cyber-attack.

Speakers
ROBERTO SALGADO

Co-Founder and CTO, Websec
Roberto is the co-founder and CTO of Websec, an Information Security company. He was born in Harlingen, Texas in 1986, but was raised on the island of Cozumel, Mexico. At the age of 17 Roberto moved to Vancouver Island and has lived there ever since. In 2010 Roberto founded Websec...


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

Defeating XSS and XSRF using JSF Based Frameworks
During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected.
This presentation will focus on frameworks built upon the JSF API component of JEE and two specific vulnerabilities for which frameworks commonly advertise built-in mitigation: cross-site scripting and cross-site request forgery.
It is very common for a framework to provide ways to prevent XSS and XSRF so to begin the session, I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities.
During the course of this presentation, I will demonstrate what happens when these frameworks are used out-of-the-box by exploiting a sample application.  Since this code is open source, we will look at the framework code to confirm or deny that they have automatically protected you against these attacks.  I will then proceed to give you a couple of options which will close these gaps and secure the application from these attacks. 
You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.

Speakers
Stephen Wolf
I have spent the last 6 years of my development career evangelizing application security and am currently working as an application security engineer in the San Francisco bay area. I’ve been a developer for over 20 years with my hands into everything from embedded systems and assembly...


Thursday November 21, 2013 9:00am - 9:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

9:00am EST

Contain Yourself: Building Secure Containers for Mobile Devices
Video of session:
https://www.youtube.com/watch?v=siVS2jmPABM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=31

In today's world, everyone wants access to information from his or her personal mobile device.  As a business, this includes your customers and/or employees.  What if the information they want access to is highly sensitive?  While it's tempting to resist these pressures for security reasons, providing mobile access can be a significant competitive advantage and most importantly keep your customers and employees happy and productive. The reality is that in order to survive in a connected world, we must provide a way to meet these demands without sacrificing security.  

Organizations have begun moving from "managed devices" to a Bring Your Own Device (BYOD) model where company resources can be accessed and stored on unmanaged devices. As you can imagine, there are some inherent risks with this approach due to the organization's inability to enforce policies on personal devices. There is currently a huge market for solutions that allow enterprises to protect their data on unmanaged devices. Enter "Secure Containers" and "Application Wrapping". The basic premise of these solutions is that they allow organizations to enforce policies at the application layer rather than the device layer. For example, authentication, remote wipes, lockouts and data encryption can now be enforced on a per-application basis. Application Wrapping is a technique which allows these solutions to inject their own code into existing iOS applications. Once injected, existing iOS method implementations can be overwritten to enforce these policies. In a nutshell, you can take an existing application and have it wrapped so that it enforces various defined policies, securing it without developers having to implement them manually.

We have performed security assessments of various commercial BYOD solutions and custom secure containers. Additionally, we have also provided guidance in the development and design of such solutions. We plan to share our experiences through various case studies showcasing the various security issues encountered and testing techniques used throughout these assessments. We expect to cover and provide the audience with newfound knowledge in the following topics:  

What is Application Wrapping and How It Is Implemented
    - Dynamic Library Injection
    - iOS Method Swizzling

Walkthrough of Common Designs for Secure Containers
    - Weak Crypto Key Storage and Generation
    - Common Crypto Implementation Flaws   
    - Online and Offline Authentication Designs

Leveraging iOS Runtime Analysis for Reversing Implementations
    - Common iOS Reversing Techniques
    - Writing Mobile Substrate Hooks

Completeness of the Implementation
    - Preventing Common Mobile Security Plaintext Storage Issues
    - Inadvertent Caching of Sensitive Data
    - Jailbreak Detection
    - Weaknesses in Policy Enforcement and Remote Wipes

Attendees will leave with an understanding of the advantages and disadvantages of using "secure container" solutions. The presentation will be delivered from the point of view of a security tester with experience in assessing various implementations. Organizations can leverage this knowledge in order to make informed decisions when choosing or developing solutions. Security testers will leave with baseline checks and testing techniques for assessing secure container implementations.

Speakers
Ronald Gutierrez
Senior Security Engineer, Gotham Digital Science
Ron Gutierrez is a senior engineer at Gotham Digital Science (GDS), where he specializes in application security code reviews, mobile application assessments, black box application testing and threat modeling. Ron is a member of the SendSafely development team and a frequent contributor...


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

Mobile app analysis with Santoku Linux
Video of session:
https://www.youtube.com/watch?v=cmVRCWbo0jU&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=26


Did you think there were a lot of mobile devices and platforms out there? Check out the hundreds of mobile tools being developed. We calculated it would take more time to install, test and maintain the various mobile tools than to actually fuzz the hell out of all existing mobile operating systems. So, we created Santoku Linux, a F/OSS, bootable Linux distro to make life easier for mobile hackers.
We pre-install not only the mobile platforms but also promising tools in development. Santoku covers mobile forensics, mobile malware analysis and mobile security testing. The distribution is based on Lubuntu 12.04 x86_64 and we recently moved to .deb support for simplified upgrades. The Santoku website contains useful information on Santoku, notably:
• Tools: https://santoku-linux.com/features
• HOWTOs: https://santoku-linux.com/howtos
• Changelog: https://santoku-linux.com/download/changelog

This talk will introduce Santoku and provide live demos of 1) how to forensically acquire and analyze Android and iOS devices, 2) several tools to perform security audits of mobile devices and apps, and 3) how to perform mobile malware analysis. All demos will leverage tools preinstalled on Santoku Linux and will cover both the iOS and Android platforms.

Speakers
Andrew Hoog
Founder / Board Member, NowSecure
I’m a computer scientist, mobile security and forensics researcher, and co-founder of NowSecure. I’m also a testifying expert witness, author of two books on mobile forensics for Android and iOS, and hold two patents in the areas of forensics and data recovery.


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

AppSec at DevOps Speed and Portfolio Scale
Video of session:
https://www.youtube.com/watch?v=cIvOth0fxmI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=23

Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps.
Unfortunately, software assurance hasn’t kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002. Here are some of the technologies and practices that today’s best software assurance techniques *can’t* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.
Although we’re making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It’s not just security tools – application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.
Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real-time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.

Speakers
Jeff Williams
Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

OWN THE CON: How we organized AppSecUSA - come learn how you can do it too
Volunteers
Sarah Baso
Former Executive Director, OWASP Foundation
I am based in San Francisco, California, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations...
Israel Bryski
IT Security, Nomura
Israel Bryski has over 7 years of experience in technology and information risk management. He is currently working in IT Security at Nomura and is Chapter Leader for the NYC OWASP Chapter.
Peter Dean
Sr Account Executive, Aspect Security

Thursday November 21, 2013 9:00am - 10:00am EST
Booth (5th Floor) NY Marriott Marquis

9:00am EST

Project Summit: ZAP Hackathon Session
This session is a chance for people to learn how to work on ZAP from the ZAP Project Leader.
ZAP is a community project, and as such participation is actively encouraged.

Simon will explain the numerous ways in which individuals and companies can contribute to ZAP.
He will also explain how the code is structured and explain how any part of the project can be changed.
Working on ZAP is a great way to learn more about web application security.

Being able to change the code means that you can add and change any features you want, either just for your own benefit or to contribute back to the community. There will be time set aside for hacking ZAP, with Simon on hand to answer any questions and give any guidance required.

This is a great opportunity to be part of the fastest growing and most active OWASP project.

During this session, Simon will:

  • Explain how people can contribute to ZAP.
  • Demonstrate how to set up a ZAP development environment.
  • Explain ZAP code structure. 
  • Show people how to code scripts, active/passive scan rules, add-ons, core changes and improve the docs and localization.
  • Let people hack the ZAP code and docs with full support and guidance.

Please note that if you want to work on ZAP source code (including add-ons) then you should set up a ZAP development environment prior to attending this session.

You will need to download and install Eclipse and import the main ZAP project as well as the ZAP extension projects - for more details see http://code.google.com/p/zaproxy/wiki/Building

You will not need to set up a development environment if you just plan to work on scripts, documentation or translation.

Speakers
Simon Bennetts
ZAP Project Lead, Jit
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the...

Thursday November 21, 2013 9:00am - 1:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

10:00am EST

Open Mic: OpenStack Swift - Cloud Security

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until noon each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.

Thursday November 21, 2013 10:00am - 10:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

10:00am EST

iOS Application Defense - iMAS
Video of session:
https://www.youtube.com/watch?v=TRDT8O2G56o&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=32

iOS application security can be *much* stronger and easy for developers to find, understand and use. iMAS (iOS Mobile Application Security) is a secure, open source iOS application framework research project focused on reducing iOS application vulnerabilities and information loss. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple-provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS has released five security controls (and is researching many more) for developers to download and use within iOS applications. This talk will walk through various iOS application vulnerabilities, iMAS security controls, the OWASP Mobile Top 10 and CWE vulnerabilities addressed, and demonstrate the iMAS App Password control integrated into an application.

Speakers
Gregg Ganley
Principal Investigator iOS Security Research, MITRE Corp
23+ years of software development and management experience. Education: MSCS, BSEE. Active research and development in iOS security, Android development, Ruby on Rails web apps, and project leadership. For the past five years his passion has been in the mobile field and in particular mobile...

Thursday November 21, 2013 10:00am - 10:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
Video of session:
https://www.youtube.com/watch?v=CAtc7Z1VD2I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=18

Mobile Point of Sale (POS) systems are becoming more and more common in a wide variety of retail outlets. And why not? It adds speed and convenience to shopping and can increase a retailer's ability to sell. But POS and Mobile are hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?
Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security, Mike Park will walk through the typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign an attack is going on.
Mike will cover technological shortcomings, coding mistakes and the common misunderstanding of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security.

Outline

1. Introduction
2. Why Mobile POS?
3. Why iOS?
4. The Problem
    - Poorly written apps
    - Speed of jailbreaking
    - Ability to hide the jailbreak
    - The Card Reader
5. A walk through of the PiOSon POS demo app
    - What the app does
    - How the app reads CHD
    - How the app processes and sends the data to the backend
    - How typical is this
6. Hacking the POS - Demo
    - Jailbreak
    - Intro to Method Swizzling
    - Setting up the device
    - Adding the reader
    - Installing the malware
    - Capture the Track data
7. How to improve this
    - Understand the underlying platform
    - Understand the way your card reader works
    - Why is this so insecure?
    - View a safer version of the app – AntidOte POS
8. What to do
    - Coding best practices
    - Choosing a card reader
    - Outside the device – MDM?
9. Conclusion

Speakers
Mike Park
Managing Consultant, Trustwave SpiderLabs
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years of experience building and securing software for a variety of companies...

Thursday November 21, 2013 10:00am - 10:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

OWASP Chapter Lifecycle
Thursday November 21, 2013 10:00am - 10:50am EST
Booth (5th Floor) NY Marriott Marquis

10:00am EST

Accidental Abyss: Data Leakage on The Internet
Video of session:
https://www.youtube.com/watch?v=kuBtCoYj6zA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=27

PII is personally identifiable information. In the information age, seemingly useless bits of PII can be found everywhere on the web from Facebook to Amazon to county records. Using purely legal methods and nothing more than artful searching I will show you the art of the low-tech, high-targeted recon. How much of your identity is scattered around on the internet? In this ambitious talk we will look at better hacking through television, how to combine crumbs to build thorough dossiers and learn some tricks on how to do some basic information reconnaissance. By the end of the talk you’ll have some frightening statistics, something good to think about and some tools that will make you a more effective social engineer, an aware user and a more thoughtful security expert.

Speakers
Kelly FitzGerald
Kelly has a BS in Computer Science from CSUSB. She was awarded a full academic scholarship from the National Science Foundation. In her senior year of college she took a job at EvidentData doing computer forensics. From there she fell in love with the dark side and purposely went...

Thursday November 21, 2013 10:00am - 10:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Leveraging OWASP in Open Source Projects - CAS AppSec Working Group
Video of session:
https://www.youtube.com/watch?v=Zf9xSsRHRNo&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=34

The CAS AppSec Working Group is a diverse volunteer team of builders, breakers, and defenders that is working to improve the security of Jasig CAS, an open source WebSSO project. This presentation will show how the team is leveraging OWASP resources to improve security, provide security artifacts for potential adopters, and implement policy and processes for vulnerability analysis and notification. The story is significant in that it directly addresses OWASP A9 "Using Components with Known Vulnerabilities / Secure Coding", and points towards a model that other open source projects could adopt.

Speakers
David Ohsie
David came to EMC in 2005 in its acquisition of SMARTS. At SMARTS, he devised and implemented the latest version of its automated root cause analysis algorithm. David received his PhD in Computer Science from Columbia University in 1997. 4 years' experience in product security assessment...
Bill Thompson
IAM Director, Unicon
Bill is the Director of the IAM Practice at Unicon, and leads a team of professionals providing IT consulting services to the Higher Education community with a focus on Identity and Access Management, CAS, Shibboleth, and Grouper. Prior to joining Unicon, Bill served as the Senior...
Aaron Weaver
Principal Security Analyst, Pearson Education
Aaron Weaver is Principal Security Analyst at Pearson Education, the leading learning and publishing company. He has played various roles, from software developer, system engineer and embedded developer to IT security. He also leads OWASP Philadelphia. Experience includes mobile...

Thursday November 21, 2013 10:00am - 10:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Project Talk and Training: OWASP O2 Platform

The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Application Security Knowledge and Workflows and to Allow non-security experts to access and consume Security Knowledge. Project Leader Dinis Cruz will be giving a talk along with a training session on how to use the platform.

Speakers
Dinis Cruz
AppSec, OWASP
Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...

Thursday November 21, 2013 10:00am - 10:50am EST
Edison (5th floor) NY Marriott Marquis

10:30am EST

Project Summit: ESAPI Hackathon Session
Take part in building the next generation of the Enterprise Security API. In this hackathon we will focus on building modular security controls that can be plugged in to the brand new ESAPI 3.0 framework, allowing developers to quickly and easily integrate the security controls they need into their projects. During the hackathon, the ESAPI leaders will be on-site to get the effort kicked off, join in the coding fun, and to present awards for submitted components on the final day! Join us to leave your mark on one of the most visible OWASP Code Projects in our arsenal, and help make tomorrow's applications more secure!

Speakers
Chris Schmidt
Chief Architect, Contrast Security
Chris is currently the Project Leader for the OWASP ESAPI Projects and also served on the OWASP Global Projects Committee. He has been involved with OWASP for 6 years and has spoken at many OWASP events about the benefits of the Enterprise Security API as well as participated in Leadership...
Kevin Wall
Senior Application Security Engineer, Verisign
I have been involved in application security for almost the past 20+ years, but I still consider myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec...
Jeff Williams
Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...

Thursday November 21, 2013 10:30am - 5:00pm EST
Sky Lounge (16th Floor) NY Marriott Marquis

11:00am EST

OWASP Hackademic: a practical environment for teaching application security
Video of session:
https://www.youtube.com/watch?v=OxDDzpJLClA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=10

Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system.
The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.
Its main difference from other projects that implement vulnerable applications for educational purposes is that it has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are currently used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project from several researchers, including the New Jersey Institute of Technology.
The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining realistic, hands-on experience with some real-world vulnerabilities.
In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2012 and, more importantly, security improvements that were made possible by using OWASP ESAPI. The new interface introduces significant capabilities and features mainly for teachers and administrators. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates. For example, we are expanding the use cases of Hackademic in order for it to be used in a corporate environment to either train, assess or raise awareness among employees.
Moreover, we will introduce a new scoring mechanism. CTF-type challenges usually follow a binary scoring system (solved/not solved), which is not sufficient for university classes. We have implemented a much more complex scoring system that takes into account various parameters in order to depict how easy it was for the student to solve the challenge and how much time was required. Using this system, students can be graded according to their performance. Furthermore, we have introduced a randomization algorithm that produces slightly different answers for each try. Thus, it is much more difficult for students to cheat.
A demo of the new Hackademic portal and challenges will also be delivered, emphasizing how it can be used in a real classroom and giving attendees the chance to get their hands on it.

Speakers
Konstantinos Papapanagiotou, Spyros Gastreratos
Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long-time OWASP members and application security professionals.

Thursday November 21, 2013 11:00am - 11:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    11:00am EST

    An Introduction to the Newest Addition to the OWASP Top 10. Experts Break-Down the New Guideline and Offer Provide Guidance on Good Component Practice
    Video of session:
    https://www.youtube.com/watch?v=pNjDrcG4QDA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=25

    Experts in the field of application security and open source software development discuss the new OWASP A9 guidelines, offering session attendees unique intelligence on component vulnerabilities and how to deploy new approaches to application security and risk management that address security at the component level, while simultaneously eliminating risk in the modern software supply chain. Panelists include Sonatype, Aspect Security, and two senior security executives from Fortune 500 companies.
    Most development teams don’t focus on security. The 2013 Open Source Software Development Survey, the largest survey of OSS users with more than 3,500 participants, found that more than half of the developers, architects and managers surveyed don’t focus on security at all. Nearly 20% of this group said that they know application security is important but don’t have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely. As open source component use continues to skyrocket, with applications now more than 80% component-based, organizations continue to struggle to establish policy to secure and govern component use. According to the survey, an alarming 65% of organizations have no component management policies in place.
    This lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threaten the integrity of the software supply chain and expose organizations to unnecessary risk. Open source component vulnerabilities are exceedingly common: more than 70% of applications contain components with vulnerabilities classified as severe or critical. Virtually every application has these issues because most development teams don’t focus on ensuring their components stay up to date. In many cases, developers don’t even know all the components they are using, let alone the versions. In fact, the Open Source Software Development Survey shows only 35% of organizations maintain inventories of the components in their production applications.
    This panel of industry experts will dissect the new OWASP A9 guidelines, which look at the widespread use of insecure open source libraries in today’s modern application development. Executives from Sonatype will offer exclusive component usage data from the Central Repository, the industry’s largest source of open-source components, receiving 8 billion requests annually. With its deep history as a leader in open source development, Sonatype can also share with attendees its unmatched knowledge of open source development practices. Jeff Williams, CEO of Aspect Security and a founding member of OWASP, will offer best practices and advice to organizations looking to revamp their software assurance policies. Lastly, Jim Routh, head of application and mobile security at Citibank, will share with attendees the real-world challenges and resolutions faced by the financial institution in mitigating risk in agile, component-based development.
    Together, the panel will address the following key points and offer attendees important takeaways to jumpstart A9 compliance, including:
    • How software assurance is now largely incompatible with modern development, and why new approaches to security must provide developers with immediate feedback on security context so that they can act as the new front line of defense;
    • How to inform component choice throughout the development lifecycle, including how to pinpoint flaws early and how to deploy flexible remediation options for flawed components;
    • How to build component security and risk mitigation into the development process in a way that can also be used by non-security experts; and
    • How new security and risk mitigation approaches must be continuous to address ongoing threats in real time and to sustain trust between development, risk management and the application end-user.

    Speakers
    Ryan Berg

    Chief Security Officer, Sonatype
    Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs, which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author in the fields of security, risk management...


    Thursday November 21, 2013 11:00am - 11:50am EST
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    11:00am EST

    Verify your software for security bugs
    Video of session:
    https://www.youtube.com/watch?v=i8nbESwT2DQ&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=19

    Verification, which includes dynamic analysis and fuzz testing, is an important phase of developing secure software that is not always addressed in depth. This step checks that security was built in during the implementation phase: secure coding and correct use of compiler mitigations.
    This presentation will cover the current state of verification technologies that developers can use to check for missing security mitigations (ASLR, DEP, SafeSEH, Stack Guard, PIE, etc.) and for vulnerabilities (missing code signing, insecure APIs, DLL planting, poor coding, etc.), and how to implement a battery of tests in their organization to verify that their products are safe before release, as required by an Application Assurance process.
    A new tool will be presented, BinSecSweeper, which performs binary security analysis. It is open source and cross-platform (Windows and Linux) and can scan PE and ELF files for x86-64. Developers can use it to check that their software includes security mitigations and complies with Application Assurance best practices, and IT pros can use it to identify insecure applications in their networks. This technology was sponsored by DARPA Cyber Fast Track (CFT).
    If you develop software or work in AppSec, this is your talk!

    Speakers
    Simon Roses Femerling

    Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate in E-Commerce from Harvard University (Boston) and an Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE, DeepSec and Microsoft...


    Thursday November 21, 2013 11:00am - 11:50am EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    11:00am EST

    Open Mic: Password Breaches - Why They Impact Your App Security When Other WebApps Are Breached

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec-related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may host 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until noon each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers
    Michael Coates

    Director of Product Security, Shape Security
    Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that...


    Thursday November 21, 2013 11:00am - 11:50am EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    11:00am EST

    Chapter Handbook - 2013 Revisions
    Moderators
    Kate Hartmann

    OWASP Foundation
    Kate joined the OWASP Foundation in May 2008. Kate's ongoing job duties: her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives...

    Thursday November 21, 2013 11:00am - 11:50am EST
    Booth (5th Floor) NY Marriott Marquis

    11:00am EST

    The State Of Website Security And The Truth About Accountability and “Best-Practices”

    Whether you read the Verizon Data Breach Incidents Report, the Trustwave Global Security Report, the Symantec Internet Security Threat Report, or essentially all other reports throughout the industry, the story is the same -- websites and Web applications are one of, if not the leading target of, cyber-attack. This has been the case for years. Website breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation, and loss of customers. Given modern society’s ever-increasing reliance on the Web, the impact of a breach and the associated costs are going up, and fast. 
    At WhiteHat Security we asked customers to answer roughly a dozen very specific survey questions about their SDLC and application security program. Questions such as: 
    • How often do you perform security tests on your code during QA?
    • What is your typical rate of production code change? 
    • Do you perform static code analysis? 
    • Have you deployed a Web Application Firewall? 
    • Who in your organization is accountable in the event of a breach? 
    • We even asked: has your website been breached?
    We received responses to this survey from 76 organizations, and then correlated those responses with WhiteHat Sentinel website vulnerability data. The results were both stunning and counter-intuitive. The connections from various software security controls and SDLC behaviors to vulnerability outcomes and breaches are far more complicated than we ever imagined.

    This is exactly the kind of research the application security industry must gather in order to advance the state of the art and to cost-effectively make applications and websites measurably more secure.

    Speakers
    Jeremiah Grossman

    Founder, WhiteHat Security
    Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the...


    Thursday November 21, 2013 11:00am - 11:50am EST
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    11:00am EST

    Project Talk and Training: OWASP O2 Platform

    The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to automate Application Security Knowledge and Workflows and to allow non-security experts to access and consume Security Knowledge. Project Leader, Dinis Cruz, will be giving a talk along with a training session on how to use the platform.

    Speakers
    Dinis Cruz

    AppSec, OWASP
    Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...


    Thursday November 21, 2013 11:00am - 11:50am EST
    Edison (5th floor) NY Marriott Marquis

    12:00pm EST

    Open Mic: What Makes OWASP Japan Special


    Speakers
    Riotaro OKADA

    lead, OWASP Japan
    Born in Kobe, Japan, Mr. Okada, the executive researcher of Asterisk Research, has 20+ years of experience in software development and security. He is an experienced CISO advisor, PSIRT practitioner, and author who can implement information security programs. His field of work contributes...


    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    12:00pm EST

    Insecure Expectations
    Video of session:
    https://www.youtube.com/watch?v=tU-IRg7Cwts&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=20

    Many developers rely on tests or specs (with expectations) to verify that their code is working properly. Few of us leverage the tests we are already writing to demonstrate that security controls are properly applied. In this technical talk, we will walk through hands-on examples of tests that demonstrate how to test for common security issues against an example Rails application (though the concept is not Rails-specific). Although substantial testing is possible with existing tools, this talk will also present a new open source tool which provides developers with a simpler way to write security tests.
    The goals are twofold:
    • To illustrate some common security issues.
    • To give developers something concrete they can do about them.

    In addition to the technical portion of the talk, the speaker will spend a short time challenging the audience to help OWASP find ways to reach developers.  The speaker has had success in a local community reaching developers through simple community organizing strategies, applied conscientiously over a long period of time.

    Speakers
    Matt Konda

    Founder, Jemurai
    Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP...


    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm EST

    Event planning for Chapter Leaders
    Unravel the mysteries of planning local chapter events. This session will focus on some of the common logistical questions that arise when chapter leaders want to increase the outreach in their region by stepping up their chapter meetings. Topics will include OCMS walkthrough, reimbursements and payments, contracts, registrations, venue and catering selections, budgets, and much more.

    Pre-Req: https://www.owasp.org/index.php/How_to_Host_a_Conference

    Moderators
    Samantha Groves

    Program Manager, OWASP
    Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement...

    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Booth (5th Floor) NY Marriott Marquis

    12:00pm EST

    OWASP Periodic Table of Elements
    Video of session:
    https://www.youtube.com/watch?v=4GoLqNANlFg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=11

    After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.
    Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

    Speakers

    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm EST

    Application Security: Everything we know is wrong
    Video of session:
    https://www.youtube.com/watch?v=1r45Ro1g2Sg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=24

    The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software. 
    This talk is sure to challenge the status quo of web security today.
    "Insanity is doing the same thing over and over and expecting different results." - Albert Einstein
    We continue to rely on a “pentest” to secure our applications. Why do we think it is acceptable to perform a time-limited test of an application to help ensure security when a determined attacker may spend 10-100 times longer attempting to find a suitable vulnerability?
    Our testing methodologies are inconsistent and rely on the individual and the tools they use. Some carpenters use glue and some use nails when building a wooden house.
    Which is best, and why do we accept poor, inconsistent quality?
    Fire-and-forget scanners won’t solve security issues. Attackers take time and skill, yet our industry accepts the output of a software programme to help ensure security?
    How can we expect developers to listen to security consultants when the consultant has never written a line of code?
    Why don’t we ask "How much code development have you done, seeing as you are assessing my code for security bugs?" Currently we treat vulnerabilities like XSS and SQLi as different issues, but the root cause is the same: it’s all code injection theory! Why do we do this and make security bugs overly complex?

    Why are we still happy with “Testing security out” rather than the more superior “building security in”?

    Speakers
    Eoin Keary

    CTO and Founder, BCC Risk Advisory Ltd.
    Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin...


    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm EST

    PANEL: Women in Information Security: Who Are We? Where Are We Going? (Salon 1 & 2)
    NPR reports that 80% of computer programmers are men. As an engaged group that believes in the benefits of gender diversity, OWASP wants to know what we can do to close that gap. In this session, we have invited women from different stages of their Information Security careers to share experiences and offer suggestions about what can be done to improve the situation. We will also hear from a stakeholder in the corporate community who offers best practices to manage diversity within organizations large and small. Moderator: Joan Goodchild, Editor, CSO Online.

    Moderators
    Joan Goodchild

    Executive Editor, CSO Online
    Joan Goodchild writes frequently about security leadership, social engineering, social media security and cybercrime in her role as Executive Editor, Online with CSO. Her previous experience in business journalism includes roles as broadcast and web editor with the Boston Business...

    Speakers
    Dawn-Marie Hutchinson

    Sr. Manager IT Security, Urban Outfitters, Inc.
    Dawn-Marie has over fourteen years’ experience in information technology, starting her career in the Walt Disney World Merchandise Information Systems organization. She moved into IT Security in 2004 at the Philadelphia-based Independence Blue Cross, where she spent the following eight...
    Gary Phillips

    Senior Director, R&D, Symantec
    Gary Phillips is Senior Director of Research and Development in the Office of the CTO for Symantec Corporation. In this position, Gary manages a diversity of responsibilities, including technology assurance, product security, software supply chain assurance, and customer assurance. Gary...
    Carrie Schaper

    Security Analyst/Penetration Tester/IR, Federal Government
    Carrie Schaper is an Information Security Professional with 12+ years of industry experience ranging from penetration testing Fortune 500 companies, the banking infrastructure, and government to incident response and continuous monitoring. She has performed threat mitigation against...
    Valene Skerpac

    Security Strategy and Risk Management Manager, Accenture
    Valene Skerpac, CISSP CISM PMP, is Security Strategy and Risk Management Manager at Accenture. Previously, she was Director, IT Consulting Services Security, Application Solutions and Delivery, iBiometrics, Inc. and Director IT, Security Services at Triad Group. She has also held...


    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    12:00pm EST

    Project Talk: OWASP Testing Guide
    This project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations. Contributors of this project are currently writing Version 4 of the guide, and are actively seeking authors. Learn more about the OWASP Testing Guide here by attending this talk by Project Leader, Andrew Muller. 

    Speakers
    Matteo Meucci

    CEO and Co-Founder, Minded Security
    Matteo Meucci is the CEO and a cofounder of Minded Security, where he is responsible for strategic direction and business development for the Company. Prior to founding Minded Security, Matteo had several consultancy experiences from BT Global Services, INS, Business-e and CryptoNet...
    Andrew Mueller

    Managing Director, Ionize
    I have a drive to improve the security and efficiency of business processes through innovative solutions to perennial problems. Currently I am developing security management through security automation and redefining the security testing process through work with Standards Australia...


    Thursday November 21, 2013 12:00pm - 12:50pm EST
    Edison (5th floor) NY Marriott Marquis

    1:00pm EST

    Hack.me: a new way to learn web application security
    Video of session:
    https://www.youtube.com/watch?v=hbd_QBJJLhw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=38

    The Hack.me (https://hack.me) project is a worldwide, FREE-for-all platform where you can build, host and share simple and complex vulnerable web applications. It's completely online and doesn’t require any software to be installed, just a web browser.
    Users will be able to run and practice offensive techniques against ever-new vulnerable web applications provided by the community. Users will be able to practice the OWASP Top 10, test CMS vulnerabilities and verify the latest exploits. The vulnerable web applications, referred to as hackmes, run in a sandboxed and user-isolated environment provided by the Coliseum Framework.
    We will show a typical use of the platform and some of the challenges, both technical and legal, faced by the project.

    Speakers
    Armando Romeo

    eLearnSecurity
    I'm the founder of eLearnSecurity and Hack.me. Passionate about anything web application security related. Connect with me on LinkedIn. If you are interested in trying one of our web app security training courses, click here...


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm EST

    Hacking Web Server Apps for iOS
    Video of session:
    https://www.youtube.com/watch?v=1oCRagEk31A&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=21

    Since the iPhone was released, people have been trying to figure out different ways to turn it into a common data storage device. Many applications have been released in the iTunes Store in order to add this capability, some using USB transport (via iTunes), others Bluetooth.
    However, another way found by most of these software vendors is to share the disk space on the phone using not only WiFi but also the cellular data connection (GSM/CDMA).
    All of this is done by implementing a simple web server with a file upload feature.
    Web file servers are now very common applications in the iTunes Store, with both free and paid versions that satisfy the user's need to “share” the phone as a file storage unit using the (... yes) HTTP protocol.
    Most (if not all) of these applications are not well designed and usually have poor features. Yet these apps are still very popular amongst users who have no intention of jailbreaking their reliable mobile devices but really want file sharing capabilities.
    As previously mentioned, these apps are mainly developed using just HTML (which also brings some limitations to our testing) with no encryption (SSL) and mostly no authentication (and those supporting it have it turned off by default??).
    This research covers the applications described above, both free and paid versions: how they work and what problems they bring to non-jailbroken devices. On top of describing the flaws, there will be a live demo of how risky these apps are.
    Despite not being the highlight of the talk, it will also be demonstrated how much worse things can be on jailbroken devices, once the sandbox security feature is lost.
    This talk will present current unpatched vulnerabilities that were found while researching these applications. These range from medium to critical risk, and it will be shown how these vulnerabilities can be exploited to compromise the phone’s file system with practical attacks.

    From a basic reflected XSS to an optimistic scenario, RCE, when the device is jailbroken and also has another app to support it (a web server with a dynamic language, for example), some of these exploitations will be presented to the public.

    And all of the issues previously discussed can be magnified, since the service (web server) is automatically advertised (and/or responds) to mDNS queries, making the device running that app an easy target for anyone on the same wireless network who is watching these packets or simply running an mDNS browser.

    Speakers
    Bruno

    Senior Security Consultant, Trustwave SpiderLabs
    Bruno Gonçalves de Oliveira is an MSc candidate, computer engineer and senior security consultant at Trustwave’s SpiderLabs where his duties are mostly focused in offensive security, doing hundreds of penetration tests from common systems and environments to embedded and uncommon...


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm EST

    Chapter Workshop Promotion | 2014+ NYC/NJ Chapter Leaders Meet-Up
    How to promote your chapter and increase attendance. This session will review different methods of promotion for your chapter, all aimed at increasing meeting attendance. Topics will include social media, mailing list management, speaker selection, and networking ideas. Geared toward the new or re-energized chapter leader looking to expand their reach.

    Moderators
    Kate Hartmann

    OWASP Foundation
    Kate joined the OWASP Foundation in May 2008. Kate's ongoing job duties: her work within the OWASP Foundation includes supervising and facilitating the completion of operationally critical tasks. She provides direction to the operational team by mapping out cross-committee objectives...

    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Booth (5th Floor) NY Marriott Marquis

    1:00pm EST

    Open Mic: Vision of the Software Assurance Market (SWAMP)


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    1:00pm EST

    NIST - Missions and impacts to US industry, economy and citizens

    Video of session:
    https://www.youtube.com/watch?v=jPA7ILovh84&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=36

    Title: The US National Institute of Standards and Technology (NIST), Information Technology Lab (ITL). What we do, why we do it and what it means to you.

    Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of England, Germany, and other economic rivals. Today, NIST measurements support the smallest of technologies—nanoscale devices—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.

    In this session the NIST and ITL missions and their impacts on US industry, the economy and citizens will be presented. Attendees can learn about the current programs, projects and research and development activities in the US Government's premier scientific institutions.


    Speakers
    Rick Kuhn

    Rick Kuhn is a computer scientist in the Computer Security Division of the National Institute of Standards and Technology. He has authored more than 100 publications on information security, empirical studies of software failure, and software assurance, and is a senior member of the...
    James St. Pierre

    Deputy Director, ITL, National Institute of Standards and Technology
    James A. St. Pierre is Deputy Director of the Information Technology Laboratory (ITL). ITL is one of six research Laboratories within the National Institute of Standards and Technology (NIST) with an annual budget of $120 million, 367 employees, and about 160 guest researchers...


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm EST

    PANEL: Wait Wait... Don't Pwn Me!
    Audio of panel:
    https://www.youtube.com/watch?v=2F7wPQASWZY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=43

    Test your wits and current AppSec news knowledge against our panel of distinguished guests Joshua Corman, Chris Eng, Space Rogue and Gal Shpantzer. "Wait Wait... Don't Pwn Me!" is patterned after the NPR news quiz show where we challenge the panel and the audience with "Bluff the Listener", "This Week's Security News", "The Security Limerick Challenge" and "Lightning Fill In the Blank". 

    Think you know your stuff? Get selected as an audience participant and prove it! Join us for a rollicking hour as we test the panel and the audience on recent security stories in the news. Who knows? Maybe you can pwn the panel.

    Moderators
    Mark Miller

    Founder and Curator, Trusted Software Alliance
    Mark Miller, Senior Storyteller, is recognized internationally for weaving engaging tales to simplify the explanation of complex, technological solutions. He is a serial community builder, participating in the creation of global online communities such as NothingButSharePoint, EndUserSharePoint...

    Speakers

    Josh Corman

    Director of Security Intelligence, Akamai Technologies
    Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...

    Chris Eng

    VP Research, Veracode
    Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode’s core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Security...

    Space Rogue

    Strategist, Tenable
    Space Rogue and his colleagues created the first security research think tank known as L0pht Heavy Industries and was a co-founder of the Internet security consultancy @Stake. While at L0pht Heavy Industries Space Rogue created the widely popular Hacker News Network, which quickly...

    Gal Shpantzer

    Gal Shpantzer has 12 years of experience as an independent security professional and is a trusted advisor to CSOs of large corporations, technology and pharma startups, Ivy League universities and non-profits/NGOs specializing in critical infrastructure protection. Gal is a Contributing...


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    1:00pm EST

    Project Talk: OWASP Development Guide
    The Development Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure Web Applications and Web Services. The OWASP Developer Guide 2013 aims to focus the content from countermeasures and weaknesses to secure software engineering. Learn more about the OWASP Development Guide by attending this project talk. Project Leader, Andrew van der Stock, will be speaking. 

    Speakers

    Andrew van der Stock

    Executive Director, OWASP Foundation
    Andrew van der Stock is a long-time security researcher and is the current co-lead of the OWASP Top 10 and OWASP Application Security Verification Standard, and is formerly an OWASP Global Board member. Andrew has trained or spoken at many conferences worldwide, including Black Hat...


    Thursday November 21, 2013 1:00pm - 1:50pm EST
    Edison (5th floor) NY Marriott Marquis

    1:00pm EST

    Project Summit: Open SAMM Session
    OWASP Software Assurance Maturity Model (SAMM) is an open framework to help organizations start and implement a secure software development lifecycle that is tailored to the specific risks facing the organization. During the AppSec USA conference, the SAMM project team organises this workshop for you to influence in which direction SAMM evolves. The workshop is also an excellent opportunity to exchange experiences with your peers.
    We will cover the following agenda:
    • Introduction / getting to know each other
    • Project status and goals 
    • OpenSAMM inventory of tools and templates
    • Case studies / sharing experiences  
    • What do we need (thinking about improvements, can be anything ranging from translations over tools to model improvements)
    • What do we need next (prioritization)
    • Call for involvement (responsibilities), identify teams for specific topics
    • Rough planning for the future 
    • Extra topic: source/build control 

    Speakers

    Sebastien Deleersnyder

    CEO, Toreon
    Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading...


    Thursday November 21, 2013 1:00pm - 5:00pm EST
    Sky Lounge (16th Floor) NY Marriott Marquis

    2:00pm EST

    Buried by time, dust and BeEF
    For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.

    You know the boundaries of the Same Origin Policy, you know SQL injection and time delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you can infer a 0 or 1 bit depending on whether the response was delayed or not. This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time delay and monitor the response timing. This works flawlessly in cross-domain situations, you don't need a 0day or a particular SOP bypass to do this, and it works in every browser.

    The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.

    A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.

    The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.

    Speakers

    Michele Orru

    Michele Orru a.k.a. antisnatchor is an IT and Italian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is one of the authors of Browser Hacker's Handbook, which will be out by late...


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm EST

    Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
    Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common – 71 percent of applications contain components with known security flaws classified as severe or critical. Everything from Big Data to cloud and mobile applications is exposed to unmanaged risk. The pressure to add more features and put applications into production quickly comes at a devastating tradeoff – to go fast or be secure. Using never-before-seen data from the Central Repository – the industry’s primary source for open source components, receiving 8 billion requests annually – this presentation will examine how modern development is ushering in massive amounts of unmanaged risk, demanding a new approach to mitigating the risk in modern, component-based applications – one that is significantly simpler to use, integrated throughout the software lifecycle and shows real, sustainable results.

    Like automobile manufacturers, today’s software developers assemble applications using existing components or parts rather than writing applications from scratch. Open source component use has skyrocketed in recent years. In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011. 90% of a typical application today is now comprised of components; the bulk of these are open source, coming from dozens, if not hundreds, of individual suppliers. Yet 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security. Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain. When coupled with a trend toward agile development, enterprises are finding themselves with massive, unmanaged risk.

    Few organizations have the controls or processes to identify which components are in use, to govern their usage or to eradicate flawed components from applications. In the annual Open Source Development Survey – the largest study of its kind, surveying more than 3,500 developers, architects and IT managers using open source – 76 percent of respondents shared that they have no control over what components are being used in software development projects and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or databases, open-source components represent a rich attack vector for hackers to exploit given their commonality across organizations and applications.

    New to the OWASP Top 10 Guidelines is A9: Use of Insecure Libraries, acknowledging the widespread use of open source components in today’s applications and the significant security risks that exist when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle. Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.

    In this presentation, Ryan Berg, CSO of Sonatype, and Jeff Williams, CEO of Aspect Security, will examine why traditional approaches to application security can’t protect today’s applications. Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous.

    Key topics and takeaways include:
    • How to empower developers to become the new frontline of defense in today’s cyber-security war
    • Why securing the perimeter is not enough to protect the critical data housed in modern applications
    • How to break down the traditional walls that exist between development teams and security and risk professionals
    • Steps for introducing policy to govern component usage that will actually be adopted by developers
    • How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
    • How to give developers the tools and authority to focus on security in real-time

    Speakers

    Ryan Berg

    Chief Security Officer, Sonatype
    Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management...

    Jeff Williams

    Cofounder and CTO, Contrast Security
    Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm EST

    Modern Attacks on SSL/TLS: Let the BEAST of CRIME and TIME be not so LUCKY
    SSL/TLS is the core component for providing confidentiality and authentication in modern web communications. Recent vulnerabilities have undermined this and left much web-based communication vulnerable.
    This talk will survey recent attacks such as BEAST, TIME, CRIME, LUCKY 13 and RC4 biases, highlighting the conditions required for exploitation as well as the current state of mitigations. Comprehensive recommendations will be provided highlighting the real-world risks and mitigations, taking all attacks into account instead of providing conflicting solutions to mitigate these attacks individually.
    Finally, long-term recommendations will be made as we move to a post-TLS 1.0 world without overhauling the basic structure and operational infrastructure of modern web communication.

    Speakers

    Shawn Fitzgerald

    Shawn Fitzgerald is a senior security consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Shawn specializes in web based applications, client/server testing, cryptographic systems, security design and security...

    Pratik Guha Sarkar

    Security Consultant, iSEC Partners
    Pratik Guha Sarkar is a Security Consultant with iSEC Partners. At iSEC, Pratik works in the areas of web application/web services security, practical cryptography, mobile security and client/server testing. Before iSEC, he was with IBM working in the telecom domain. Pratik graduated...


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm EST

    OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
    Video of session:
    https://www.youtube.com/watch?v=0dxzGK1ZPxA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=39


    The OWASP Broken Web Applications (OWASP BWA) Project produces a free and open source virtual machine (VM) loaded with more than twenty-five web applications with a variety of security vulnerabilities.  The project VM is well suited for use as a learning and training environment or as a standard target for testing tools and techniques.  After two years of betas, the project released version 1.0 of the VM in 2012.  With that milestone behind us, this talk will focus on the project’s future, though it will include some background on the project and demonstrate key features in the current release.

    Speakers

    Chuck Willis

    Mandiant
    Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    2:00pm EST

    Open Mic: Practical Cyber Threat Intelligence with STIX

    Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

    Answer: During the morning hours of Wednesday, Nov. 20 badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


    Speakers

    Sean Barnum

    Cyber Security Principal, MITRE
    Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community...


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    2:00pm EST

    Vendor relationships
    Vendors are not the bad guys. This session will include a lively discussion on vendor relationships within your chapter. Topics will include some benefits of vendor relationships, how to leverage neighboring companies, chapter fundraising, and Foundation guidelines on relationships with vendors/sponsors.

    Moderators

    Sarah Baso

    Former Executive Director, OWASP Foundation
    I am based in San Francisco, California, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations...

    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Booth (5th Floor) NY Marriott Marquis

    2:00pm EST

    Project Talk: OWASP Security Principles Project
    The OWASP Security Principles Project aims to distill the fundamentals of security into a set of concise principles that must be present in any system throughout the requirements, architecture, development, testing, and implementation of a system. OWASP Co-Founder and Project Leader, Dennis Groves, will be giving a talk about the future of the project.

    Speakers

    Dennis Groves

    Co-Founder, OWASP
    Dennis Groves is the co-founder of OWASP and a well known thought leader in application security whose work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London.


    Thursday November 21, 2013 2:00pm - 2:50pm EST
    Edison (5th floor) NY Marriott Marquis

    3:00pm EST

    Open Mic: About OWASP - Executive Director, OWASP Foundation



    Speakers

    Sarah Baso

    Former Executive Director, OWASP Foundation
    I am based in San Francisco, California, USA and served as the Executive Director of the OWASP Foundation from April 2013 through July 2014. In this role, I supervise the paid OWASP staff in addition to administering all programs and operations...


    Thursday November 21, 2013 3:00pm - 3:30pm EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    3:00pm EST

    HTTP Time Bandit
    Video of session:
    https://www.youtube.com/watch?v=jFNnI1DDSaE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=35


    While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners and potential attackers the chance to be more efficient in performance or attack.

    We will discuss a tool created to identify weaknesses in the web application by submitting a series of regular requests to it. With some refinement and data normalization performed on the gathered data, and then performing more testing based on the latter, it is possible to pinpoint the single most (CPU or DB) resource-consuming page of the application. Armed with this information, it is possible to perform more efficient DoS/DDoS attacks with very simple tools.

    The presentation will be accompanied by demos of the tool performing testing and attacking on various targets. The tool will be published for interested researchers to play with.

    Speakers

    Vaagn Toukharian

    Senior Software Engineer, Qualys
    Has been involved with the security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems and web scanners. Outside of work, interests include photography and Ironman triathlons.


    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm EST

    Wassup MOM? Owning the Message Oriented Middleware
    Audio of session:
    https://www.youtube.com/watch?v=09uc435FEWY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=29

    Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications.
    This research analyzes enterprise messaging security from three different perspectives:
    1. The first perspective derives from the fact that most of the enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
    2. The second perspective revolves around a JMS-compliant message broker (or MOM), as message brokers form the core of enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support the JMS API. I will discuss a few ActiveMQ 0day vulnerabilities, potential flaws in its various authentication schemes and its configuration defaults that can make it vulnerable to attacks.
    3. The third perspective focuses on a new tool, JMSDigger, that can be leveraged to engage and assess enterprise messaging applications. Several live demonstrations will show attacks such as authentication bypass, JMS destination dumps, 0day vulnerabilities and JMSDigger etc...

    Speakers

    Gursev Singh Kalra

    Senior Principal, Foundstone Professional Services, McAfee
    Gursev Singh Kalra serves as a Senior Principal with Foundstone Professional Services, a division of McAfee. Gursev has authored several security related whitepapers and his research has been voted among the top ten web hacks for 2011 and 2012. He loves to code and he has authored...


    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Salon 4 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm EST

    The 2013 OWASP Top 10
    Video of session:
    https://www.youtube.com/watch?v=bWqb3Hemepc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=17

    The OWASP Top 10 has become the de facto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example.
    This presentation will explain how the OWASP Top 10 for 2013 changed from the previous version and why. It will then briefly go through each item in the OWASP Top 10 for 2013, explaining the risks each issue introduces to an enterprise, how attackers can exploit them, and what your organization can do to eliminate or avoid such risks in your application portfolio.

    Speakers

    Dave Wichers

    COO, Aspect Security
    Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. Dave has over 20...


    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Salon 3 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm EST

    The Invisible Chapter
    This session will focus on steps to take when there is a chapter that may be in need of some energy or starting a new chapter. As a community, we all share a responsibility to each other to build the OWASP community.

    Pre-Req: https://www.owasp.org/index.php/Category:Chapter_Handbook 

    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Booth (5th Floor) NY Marriott Marquis

    3:00pm EST

    CSRF: not all defenses are created equal
    CSRF is an often misunderstood vulnerability. The standard way to protect against it is by implementing the singleton token pattern. This is usually done in the framework and not by the individual developer. For example .net applications can use the antiforgerytoken (for MVC applications) or viewstateuserkey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has the CSRF guard. All of these solutions though are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects have even caused worse security problems (namely revealing the session cookie) while trying to defend against CSRF. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions mentioned above and describe how they implement the general solution and the positives and negatives of each implementation.

    Speakers

    Ari Elias-Bachrach

    Independent consultant, Defensium LLC
    In the course of implementing CSRF defenses in the extremely broad (over 3000 web applications) and diverse environment that is the NIH, I have found that not all CSRF defenses are created equal. A lot of research, experimentation, and conversations with vendors and developers have...


    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Salon 2 (5th Floor Ballroom) NY Marriott Marquis

    3:00pm EST

    Project Talk: OWASP Code Review Guide
    The Code Review Guide focuses on secure code reviews and tools that aim to support the developer community. Such an activity is very powerful as it gives the developer community a place to start regarding secure application development. Project Leader, Larry Conklin, will be giving a talk about the project, and what the current state of Version 2.0 is. 

    Speakers

    Larry Conklin

    Sr. Software Developer, QuikTrip
    Larry is the co-project leader of the OWASP Code Review Guide. His current emphasis is in Microsoft .NET technologies including C#, VB.NET, and SQL Server. Recent project experiences include converting legacy VB software to .NET, creating and maintaining operational support web sites...


    Thursday November 21, 2013 3:00pm - 3:50pm EST
    Edison (5th floor) NY Marriott Marquis

    3:30pm EST

    Bug Bounty - Group Hack
    The Great OWASP Bug Bash of 2013

    CALLING ALL SECURITY NINJAS… Whether you’re attending AppSec in person or in spirit, you’re invited to join Bugcrowd and the OWASP team as we unite hackers across the world for the first ever Internet-wide bug bash.

    This collaborative hack-a-thon will feature testers and providers of public bug bounty programs finding bugs in the world’s largest Internet companies! Companies contributing to bounty programs, including Prezi, Facebook, Google and Yandex will be present to meet and greet those responsible for improving global application and internet security. No need to worry about protecting your identity, masks will be provided!

    Featuring…
    The Inaugural Wall of Bugz, music, drinks, hacking contests, special prizes, the world’s largest gummy bug and more!

    Bug Bounty programs have been getting a lot of press lately, and for good reason. They work. Bugcrowd will be running this event live from 8-12 every night during Appsec USA 2013 and we actively encourage OWASP members around the world to participate.

    Just some of the targets to pick from: https://bugcrowd.com/list-of-bug-bounty-programs/


    Speakers

    Dinis Cruz

    AppSec, OWASP
    Dinis Cruz is a Developer and Application Security Engineer focused on how to develop secure applications. A key drive is on 'Automating Application Security Knowledge and Workflows' which is the main concept behind the OWASP O2 Platform. After many years (and multiple roles) Dinis...

    Casey Ellis

    Founder, Bugcrowd
    As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...

    Samantha Groves

    Program Manager, OWASP
    Samantha Groves is the Project Manager at OWASP. Samantha has led many projects in her career, some of which include website development, brand development, sustainability and socio-behavioral research projects, competitor analysis, event organization and management, volunteer engagement...


    Thursday November 21, 2013 3:30pm - 4:00pm EST
    Belasco & Broadhurst (5th Floor) NY Marriott Marquis

    4:00pm EST

    Award Ceremony (Salon 1, 2, 3 & 4)
    Don't miss the wrap-up, awards and highlights of AppSec USA 2013...it will be amazing!

    Speakers

    Peter Dean

    Sr Account Executive, Aspect Security


    Thursday November 21, 2013 4:00pm - 5:00pm EST
    Salon 1 (5th Floor Ballroom) NY Marriott Marquis