Builders track
Wednesday, November 20
 

10:00am EST

Hardening Windows 8 apps for the Windows Store
Security and privacy in mobile development have been topics in the iOS and Android world for a few years now. Microsoft is entering the fray with what will be its first significant push into the mobile space. Will your apps be the next ones on the front page of Ars Technica (for the wrong reasons)? Bill would like to help you make sure that won't happen. Learn the security considerations of HTML5, backend services, cloud computing and WinRT.

Speakers
avatar for Bill Sempf

Bill Sempf

Secure Software Architect, Products Of Innovative New Technology
Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. I help people write more secure software.


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

The Perilous Future of Browser Security
Video of session:
https://www.youtube.com/watch?v=CzA1hCTkmFw&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=41

The tradeoffs required to make a secure browser are poorly understood even among the best security people. That makes sense, since so few people actually work on browsers. Little is known about what it takes to make a browser safe enough to use when viewing hostile websites, against all known adversaries. In this presentation Mr. Hansen will cover how browsers are critically insecure, how they can be made secure, and what consumers forfeit in order to gain that extra level of security. Lastly, the presentation will cover how to think about tradeoffs and what customers can live without.

Speakers
avatar for Robert Hansen

Robert Hansen

Director of Product Management & Technical Evangelist, WhiteHat Security
Robert Hansen (CISSP) is the Director of Product Management at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has... Read More →


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

From the Trenches: Real-World Agile SDLC
Ideally, all organizations would incorporate security into their Agile development processes; however, best-practices Agile SDL models typically assume a simplified, idealized model of how software is built. These models also impose impractical requirements without providing the necessary support or expertise.  In reality, software development often involves multiple Agile teams working on various components of a larger product, and only the most well-resourced enterprises or ISVs have the bandwidth to execute on the ideal Agile SDL, while smaller organizations are forced to adapt and make tradeoffs.
In this session, we’ll discuss how Veracode has incorporated security into our own Agile development lifecycle for a product that involves anywhere from two to seven Scrum teams working in concert to ship monthly releases. We do this without designating any security experts full-time to the project.  We’ll explain how we’ve evolved our practices to optimize the way our security research team interacts with our engineering teams and accommodates their processes. We’ll also talk about some of the lessons we’ve learned along the way, including things that haven’t worked or wouldn’t scale, and how other organizations can use our experience to integrate security practices into their own Agile development programs.

Speakers
avatar for Chris Eng

Chris Eng

VP Research, Veracode
Chris Eng is vice president of research at Veracode, where he leads the team responsible for integrating security expertise into Veracode’s core product offerings. Prior to Veracode, he was technical director at Symantec (formerly @stake) and an engineer at the National Security... Read More →


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Securing Cyber-Physical Application Software
Researchers and practitioners have not historically addressed sufficiently the fact that software engineers responsible for IT systems have very different approaches from those who design and build industrial control systems. When Web-facing and distributed information systems are interconnected with legacy industrial control systems, which usually do not include effective security requirements, two major issues arise: one is the possibility of someone gaining access to control systems via Web applications and public networks, and the other is the potential for the transfer of fallacious information from the control systems to the information systems, as ostensibly occurred with Stuxnet. In this presentation we take a new approach to processes and technologies for mitigating the threats and hazards that impinge on, or result from, systems such as the smart grid. The presentation is based in part on the author's book Engineering Safe and Secure Software Systems (Artech House, 2012).

Speakers
avatar for Warren Axelrod

Warren Axelrod

40 years as an IT professional, mostly in financial services with the past 17 years in information security. Spent time at Mobil Oil in IT planning. Actively involved in cybersecurity at industry and national level. Testified before Congress in 2001. Honored by Computerworld (Premier... Read More →


Wednesday November 20, 2013 11:00am - 11:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

12:00pm EST

Case Study: 10 Steps to Agile Development without Compromising Enterprise Security
Video of session:
https://www.youtube.com/watch?v=Y31qgnF-Bzg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=30

In an Agile, fast-paced environment with frequent product releases, security code reviews and testing are usually considered a delaying factor that conflicts with success. Is it possible to keep up with the demands of continuous integration and deployment without abandoning security best practices?

We started our journey seeking a way to reduce the friction, risk and cost driven by identifying vulnerabilities too late, when already in production. After a long road and many lessons learned, we have successfully added in-depth security coverage to more than 20 Scrum teams and up to 1M lines of code. We are happy to share our insights, tips and experience from that process.

LivePerson is a provider of SaaS-based technology for real-time interaction between customers and online businesses. Over 1.5 billion web visitors are monitored by the platform on a monthly basis. LivePerson's R&D center consists of hundreds of developers who work with Agile and Scrum-based methods, closely tied to our Secure Software Development Lifecycle.

In order to achieve the best results and reduce friction, we have tailored the SSDLC to the standard Scrum process and added security coverage (both operational and technical controls) for each phase. It starts with a mutual security high-level design after release planning with the software architects, continues with defining technical security controls and frameworks during sprint planning, and then adds ESAPI and static code analysis at CI, manual code reviews, automated security tests during QA, and a penetration test as part of the release.

This session will include detailed information about the methodologies and operational cycles as well as measurable key success factors and tips related to the implementation of the tools and technologies in our use (e.g. the ESAPI package, static code analysis as a Maven step, vulnerability scanning plugins).

References:

OWASP ESAPI: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Writing Secure Code, Second Edition, Michael Howard and David LeBlanc, Microsoft Press
The Burp Suite: http://portswigger.net/burp/
OWASP Developer Guide: http://ignum.dl.sourceforge.net/project/owasp/Guide/2.0.1/OWASPGuide2.0.1.pdf

Speakers
avatar for Yair Rovek

Yair Rovek

Security Specialist, LivePerson
A technical information security specialist with more than 25 years of experience and strong knowledge in Network and Web Applications.


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Open Mic - Birds of a Feather --> Cavalry

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20  badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers
avatar for Josh Corman

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across... Read More →
avatar for Nicholas J. Percoco

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade that performed more than 2000 computer incident response and forensic... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Booth (5th Floor) NY Marriott Marquis

1:00pm EST

HTML5: Risky Business or Hidden Security Tool Chest?
Video of session
https://www.youtube.com/watch?v=fzjpUqMwnoI&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=15

The term "HTML5" encompasses a number of new subsystems that are currently being implemented in browsers. Most of these were created with a focus on functionality, not security. But the impact of these features is not all negative for security. Quite the opposite: new abilities to store data on the client, and access to hardware sensors such as geolocation and tilt sensors, can enhance session tracking and make authentication both more secure and easier to use. This talk will select a number of examples to demonstrate the positive, as well as sometimes negative, impact of these features on web application security. Code samples for any demonstrations will be made available.

Speakers
avatar for Johannes Ullrich

Johannes Ullrich

Dean of Research and a faculty member, SANS Technology Institute
Johannes Ullrich, dean of research at the SANS Technology Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. His research interests include IPv6, network traffic analysis and secure software development. In 2004, Network World named... Read More →


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Open Mic: Making the CWE Approachable for AppSec Newcomers


Speakers
HR

Hassan Radwan

Secure Decisions
Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application... Read More →


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Booth (5th Floor) NY Marriott Marquis

3:00pm EST

Pushing CSP to PROD: Case Study of a Real-World Content-Security Policy Implementation
Video of session:
https://www.youtube.com/watch?v=9V64zQi2pX0&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=33

Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organizations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications.  In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5.
Our story will arm you with the knowledge you’ll want should you decide to go down the same path.  When we initially decided to implement CSP, the BETA version of our website was already live.  Like many sites, our platform grew from something we initially started as a pet project.  Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun.  
We’ll start by walking you through our Content Security Policy, discuss the basic nuances of how each major browser implements CSP, and outline the techniques we use to deal with these nuances at runtime.
Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed.  We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks.

Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime.  Needless to say we were surprised by what was reported, and we’ll share the results.  
Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).
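The two mechanics the abstract describes (a strict policy that bans inline script, and a report-uri endpoint whose output needs triage) look like this in code. This is an added example, not SendSafely's policy or code: the directive map, the third-party host name and the sample violation reports are all constructed placeholders. The classifier buckets each report into "inline code still to convert", "eval still in use", "browser-extension noise" (injected scripts that show up in real-world reports but are not the site's problem) and "origin not in the allow-list".

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Hypothetical strict policy for illustration; the third-party host is a placeholder.
STRICT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://widgets.third-party.example"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "report-uri": ["/csp-report"],
}

EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}


def build_csp(policy):
    """Serialize a directive map to a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def classify(report):
    """Return (bucket, directive, blocked) describing what one violation report implies."""
    directive = (report.get("effective-directive") or report["violated-directive"]).split()[0]
    blocked = report.get("blocked-uri", "")
    # CSP 1.0 reporters sent an empty blocked-uri for inline script/style; newer ones send "inline".
    if blocked in ("", "inline"):
        return ("inline-code-remains", directive, "inline")
    if blocked == "eval":
        return ("eval-remains", directive, "eval")
    if urlparse(blocked).scheme in EXTENSION_SCHEMES or blocked.startswith("about"):
        return ("browser-extension-noise", directive, blocked)
    return ("unlisted-origin", directive, blocked)


def summarize(raw_reports):
    """Parse JSON bodies as a report-uri endpoint receives them and count them per bucket."""
    counts = Counter()
    for body in raw_reports:
        counts[classify(json.loads(body)["csp-report"])] += 1
    return counts


# Constructed sample reports (not real telemetry), in the shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://app.example/send",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/send",
                               "violated-directive": "script-src 'self'", "blocked-uri": ""}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/inbox",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src",
                               "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/inbox",
                               "violated-directive": "img-src 'self' data:",
                               "effective-directive": "img-src",
                               "blocked-uri": "https://cdn.unexpected.example/pixel.gif"}}),
    json.dumps({"csp-report": {"document-uri": "https://app.example/send",
                               "violated-directive": "script-src 'self'",
                               "effective-directive": "script-src", "blocked-uri": "eval"}}),
]

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(STRICT_POLICY))
    for key, n in summarize(SAMPLE_REPORTS).most_common():
        print(n, *key)
```

Ship the policy under Content-Security-Policy-Report-Only first and triage the buckets: "inline-code-remains" and "eval-remains" are the conversion work still to do, "unlisted-origin" is either a missing allow-list entry or a genuine injection, and the extension bucket is noise you will see in production no matter how clean the site is. At the time of this talk, Firefox and WebKit still honored the prefixed X-Content-Security-Policy and X-WebKit-CSP headers alongside the standard one, which is the kind of per-browser nuance the abstract refers to.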

Speakers
avatar for Brian Holyfield

Brian Holyfield

Gotham Digital Science
Brian is a founding member of Gotham Digital Science. He has over 10 years of experience performing penetration testing and code review. Brian is also the team lead for SendSafely, a browser-based encrypted file exchange platform. Brian has spoken at numerous security conferences... Read More →
avatar for Erik Larsson

Erik Larsson

Erik is a professional Java developer. In addition to writing code, Erik also consults with other developers on how to identify security flaws through code review and secure development patterns. Java Developer for SendSafely.com and Secure Development Consultant with Gotham Digital... Read More →


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

OWASP Top Ten Proactive Controls
Video of session:
https://www.youtube.com/watch?v=Cg5dN8Pyn_c&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=4

You cannot hack your way secure!
The OWASP Proactive Controls is a "Top 10"-style document aimed at helping developers build secure applications. It is phrased and built in a positive, testable manner and describes the ten software control categories that architects and developers should include, every time, in every software project.
This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers

Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Open Mic: Struts Ognl - Vulnerabilities Discovery and Remediation


Speakers

Wednesday November 20, 2013 4:00pm - 4:50pm EST
Booth (5th Floor) NY Marriott Marquis

5:30pm EST

OWASP Jeopardy
This interactive activity will be a fun filled event where top security professionals will get a chance to sit on a panel and answer a wide ranging set of questions relating to the world of OWASP.
Unanswered questions will be presented to the audience, giving everyone a chance to participate and have fun.  Questions and answers will be also synchronized through twitter to add to the participation. Join us for a night of special guest appearances, prizes, fun and drinks. 

Bring your squeeze balls!

Moderators
avatar for Jerry Hoff

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where... Read More →

Wednesday November 20, 2013 5:30pm - 7:00pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

6:00pm EST

Silk, Webservers, Exploits and RATz by M4v3r1ck
Limited capacity; seats available.

Disclaimer: If you have trigger issues -- please do not attend this talk.

Now that the statute of limitations has run out, walk with me as I discuss the industry, the people and the events.

From warelords, to the conference that was meant to be a one-time party to say good-bye to BBSs OG. Today's web applications still provide the perfect place for logic bombs. We will talk about current news events including carderprofit.cc and the newest threat to turning a profit.

Face it.. the computer security industry is a JOKE. You will enjoy this talk.

pssssss buddy you want to buy a shell... what'ca want what'ca need?

Speakers
avatar for Yuri

Yuri

sysop
Hacker for Profit


Wednesday November 20, 2013 6:00pm - 6:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis
 
Thursday, November 21
 

9:00am EST

Defeating XSS and XSRF using JSF Based Frameworks
During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected.
This presentation will focus on frameworks built upon the JSF API component of JEE and two specific vulnerabilities for which frameworks commonly advertise built-in mitigation: cross-site scripting and cross-site request forgery.
It is very common for a framework to provide ways to prevent XSS and XSRF, so to begin the session I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities.
During the course of this presentation, I will demonstrate what happens when these frameworks are used out of the box by exploiting a sample application. Since this code is open source, we will look at the framework code to confirm or deny that it has automatically protected you against these attacks. I will then give you a couple of options that will close these gaps and secure the application against these attacks.
You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.

Speakers
avatar for Stephen Wolf

Stephen Wolf

I have spent the last 6 years of my development career evangelizing application security and am currently working as an application security engineer in the San Francisco bay area. I’ve been a developer for over 20 years with my hands into everything from embedded systems and assembly... Read More →


Thursday November 21, 2013 9:00am - 9:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

10:00am EST

iOS Application Defense - iMAS
Video of session:
https://www.youtube.com/watch?v=TRDT8O2G56o&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=32

iOS application security can be *much* stronger, and easier for developers to find, understand and use. iMAS (iOS Mobile Application Security) is a secure, open source iOS application framework research project focused on reducing iOS application vulnerabilities and information loss. Today, iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which in turn pushes enterprises to augment iOS deployments with commercial solutions. The iMAS intent is to protect iOS applications and data beyond the Apple-provided security model and reduce the adversary’s ability and efficiency to perform recon, exploitation, control and execution on iOS mobile applications. iMAS has released five security controls (with many more under research) for developers to download and use within iOS applications. This talk will walk through various iOS application vulnerabilities, the iMAS security controls, the OWASP Mobile Top 10 and CWE vulnerabilities they address, and demonstrate the iMAS App Password control integrated into an application.

Speakers
avatar for Gregg Ganley

Gregg Ganley

Principal Investigator iOS Security Research, MITRE Corp
23+ software development and management experience Education: MSCS, BSEE. Active research and development in iOS security, Android development, Ruby on Rails web apps, and project leadership. For the past five years his passion has been in the mobile field and in particular mobile... Read More →


Thursday November 21, 2013 10:00am - 10:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
Video of session:
https://www.youtube.com/watch?v=CAtc7Z1VD2I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=18


Mobile Point of Sale (POS) systems are becoming more and more common in a wide variety of retail outlets. And why not? They add speed and convenience to shopping and can increase a retailer's ability to sell. But POS and mobile are each hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?
Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security team, Mike Park will walk through typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign that an attack is going on.
Mike will cover the technological shortcomings, coding mistakes and common misunderstandings of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security.
Outline

1. Introduction
2. Why Mobile POS?
3. Why iOS?
4. The Problem
    Poorly written apps
    Speed of jailbreaking
    Ability to hide the jailbreak
    The Card Reader
5. A walk through of the PiOSon POS demo app
    What the app does
    How the app reads CHD
    How the app processes and send the data to the backend
    How typical is this
6. Hacking the POS - Demo
    Jailbreak
    Intro to Method Swizzling
    Setting up the device
    Adding the reader
    Installing the malware
    Capture the Track data
7. How to improve this
    Understand the underlying platform
    Understand the way your card reader works
    Why is this so insecure?
    View a safer version of the app – AntidOte POS
8. What to do
    Coding best practices
    Choosing a card reader
    Outside the device – MDM?
9. Conclusion

Speakers
avatar for Mike Park

Mike Park

Managing Consultant, Trustwave SpiderLabs
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies... Read More →


Thursday November 21, 2013 10:00am - 10:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

An Introduction to the Newest Addition to the OWASP Top 10: Experts Break Down the New Guideline and Offer Guidance on Good Component Practice
Video of session:
https://www.youtube.com/watch?v=pNjDrcG4QDA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=25

Experts in the field of application security and open source software development discuss the new OWASP A9 guidelines, offering session attendees unique intelligence on component vulnerabilities and how to deploy new approaches to application security and risk management that address security at the component level, while simultaneously eliminating risk in the modern software supply chain. Panelists to include: Sonatype, Aspect Security, Two Senior Security Executives from Fortune 500 Companies
Most development teams don’t focus on security.  The 2013 Open Source Software Development Survey, the largest survey of OSS users with more than 3,500 participants, found that more than half of the developers, architects and managers surveyed don’t focus on security at all.  Nearly 20% of this group shared they know application security is important but they don’t have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely.  As open source component use continues to skyrocket with applications now more than 80% component-based, organizations continue to struggle with establishing policy to secure and govern component use.  According to the survey, an alarming 65% of organizations have no component management policies in-place.
This lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to unnecessary risk.  Open source component vulnerabilities are exceedingly common, with more than 70% of applications containing components with vulnerabilities classified as severe or critical.  Virtually every application has these issues because most development teams don’t focus on ensuring their components stay up to date.  In many cases, developers don’t even know all the components they are using let alone the versions.  In fact, the Open Source Software Development Survey shows only 35% of organizations maintain inventories of the components in their production applications. 
This panel of industry experts will dissect the new OWASP A9 guidelines that look at the widespread use of insecure open source libraries in today’s modern application development.  Executives from Sonatype, will offer exclusive component usage data from the Central Repository – the industry’s largest source of open-source components receiving 8 billion requests annually.  With its deep history as leaders in open source development, Sonatype can also share with attendees its unmatched knowledge of open source development practices.  Jeff Williams, CEO of Aspect Security and founding member of OWASP, will offer best practices and advice to organizations looking to revamp their software assurance policies.  Lastly Jim Routh, the head of application and mobile security at Citibank will share with attendees the real-world challenges and resolutions faced by the financial institution in mitigating risk in agile, component-based development. 
Together, the panel will address the following key points and offer attendees important takeaways to jumpstart A9 compliance, including:
• How software assurance is now largely incompatible with modern development and why new approaches to security must provide developers with immediate feedback on security context to act as the new frontline of defense;
• How to inform component choice throughout the development lifecycle, including how to pinpoint flaws early and how to deploy flexible remediation options for flawed components;
• How to build component security and risk mitigation into the development process in a way that can also be used by non-security experts; and
• How new security and risk mitigation approaches must be continuous to address ongoing threats in real time and to sustain trust between development, risk management and the application end user.

Speakers
avatar for Ryan Berg

Ryan Berg

Chief Security Officer, Sonatype
Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management... Read More →


Thursday November 21, 2013 11:00am - 11:50am EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Verify your software for security bugs
Video of session:
https://www.youtube.com/watch?v=i8nbESwT2DQ&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=19

Verification is an important phase of developing secure software that is not always addressed in depth. It includes dynamic analysis and fuzz testing, and it checks that security was actually built in during the implementation phase: secure coding and correct use of compiler mitigations.
This presentation will cover the current state of verification technologies that developers can use to check for missing security mitigations (ASLR, DEP, SafeSEH, stack guard, PIE, etc.) and for vulnerabilities (missing code signing, insecure API usage, DLL planting, poor coding, etc.), and how to implement a battery of tests in their organization to verify that their products are safe before release, as required by an application assurance process.
A new tool, BinSecSweeper, will be presented. It performs binary security analysis, is open source and cross-platform (Windows and Linux), and scans PE and ELF files for x86-64. Developers can use it to check that their software includes security mitigations and complies with application assurance best practices; IT pros can use it to identify insecure applications on their networks. This technology was sponsored by DARPA Cyber Fast Track (CFT).
If you develop software or work in AppSec, this is your talk!
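To make the mitigation checks concrete, here is an added example (my own code, not BinSecSweeper or any of its logic) that reads the ELF64 header and program headers directly and reports three of the mitigations named above: PIE (ET_DYN object type), a non-executable stack (PT_GNU_STACK without the PF_X flag) and RELRO (a PT_GNU_RELRO segment). The `build_elf64` helper constructs minimal test images (headers only, no code) so the checker can be exercised offline; `_ehdr_fields` indices follow the ELF64 header layout.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)


def check_elf_mitigations(data):
    """Report PIE / NX stack / RELRO for an ELF64 little-endian image given as bytes."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    nx = False      # no PT_GNU_STACK at all: the loader may give the process an executable stack
    relro = False   # PT_GNU_RELRO means at least partial RELRO; full RELRO also needs BIND_NOW
                    # in the dynamic section, which this example does not parse
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf64(e_type, stack_flags=None, relro=True):
    """Constructed test image: a valid ELF64 header plus program headers and nothing else."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, version 1
    ehdr = e_ident + struct.pack(EHDR_FMT,
                                 e_type, 0x3E, 1, 0x1000,   # type, x86-64, version, entry
                                 64, 0, 0,                  # phoff (right after header), shoff, flags
                                 64, 56, len(phdrs),        # ehsize, phentsize, phnum
                                 64, 0, 0)                  # shentsize, shnum, shstrndx
    body = b"".join(struct.pack(PHDR_FMT, p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
                    for p_type, p_flags in phdrs)
    return ehdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_elf_mitigations(f.read()))
    else:
        print("hardened:", check_elf_mitigations(build_elf64(ET_DYN, stack_flags=0x6)))
        print("weak:    ", check_elf_mitigations(build_elf64(ET_EXEC, stack_flags=0x7, relro=False)))
```

Run it against a real binary with `python3 elfcheck.py /path/to/binary` (file name assumed). The PE side of such a sweep reads the same kind of flags from the optional header instead: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, with SafeSEH recorded in the load configuration directory; that half is not shown here.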

Speakers
avatar for Simon Roses Femerling

Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate in E-Commerce from Harvard University (Boston) and an Executive MBA from IE Business School (IE, Madrid). Frequent speaker at security industry events including BLACK HAT, RSA, OWASP, SOURCE, DeepSec and Microsoft... Read More →


Thursday November 21, 2013 11:00am - 11:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Open Mic: Password Breaches - Why They Impact Your App Security When Other WebApps Are Breached

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20, badge-holding conference attendees interested in presenting an AppSec-related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the number of submissions, we may host 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until noon each day; at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers

Michael Coates

Director of Product Security, Shape Security
Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security.  In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that... Read More →


Thursday November 21, 2013 11:00am - 11:50am EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

12:00pm EST

Insecure Expectations
Video of session:
https://www.youtube.com/watch?v=tU-IRg7Cwts&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=20

Many of us rely on tests or specs (with expectations) to verify that our code works properly. Few of us leverage the tests we are already writing to demonstrate that security controls are properly applied. In this technical talk, we will walk through hands-on examples of tests that show how to test for common security issues against an example Rails application (though the concept is not Rails specific). Although substantial testing is possible with existing tools, this talk will also present a new open source tool which gives developers a simpler way to write security tests.
The goals are twofold:
• To illustrate some common security issues.
• To give developers something concrete they can do about them.
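As an added example of the idea in this abstract (written for this page in plain Python rather than the talk's Rails specs, and not the open source tool the talk announces), the following runs one set of security expectations against two in-process stand-ins for a web app: one with an insecure direct object reference and no defensive headers, one hardened. The app classes, the document fixture and the header set are constructed for the example; the point is that `security_findings` is the kind of assertion a team can keep in its ordinary test suite.

```python
"""Security controls asserted by ordinary unit tests (added example for this
page; a plain Python stand-in for the Rails specs the talk describes)."""
from dataclasses import dataclass, field

SECURE_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Constructed fixture data: document id -> (owner, contents).
DOCS = {
    1: ("alice", "alice's tax return"),
    2: ("bob", "bob's medical record"),
}


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class VulnerableApp:
    """Checks that someone is logged in, then looks the record up by id only:
    the classic insecure direct object reference."""

    def show_document(self, current_user, doc_id):
        if current_user is None:
            return Response(302)
        owner, text = DOCS.get(doc_id, (None, ""))
        if owner is None:
            return Response(404)
        return Response(200, text)


class HardenedApp:
    """Scopes the lookup to the current user and sets defensive headers on
    every response, including the redirect and the 404."""

    def show_document(self, current_user, doc_id):
        if current_user is None:
            return Response(302, headers=dict(SECURE_HEADERS))
        owner, text = DOCS.get(doc_id, (None, ""))
        if owner != current_user:
            # 404 rather than 403 so a probing user learns nothing about
            # which ids exist.
            return Response(404, headers=dict(SECURE_HEADERS))
        return Response(200, text, headers=dict(SECURE_HEADERS))


def security_findings(app):
    """Run the same security expectations against any app object and return
    the list of failures; an empty list means every control held."""
    findings = []

    # Authentication: anonymous access must not yield the record.
    if app.show_document(None, 1).status == 200:
        findings.append("auth: anonymous user can read document 1")

    # Authorization: bob must not be able to read alice's document (IDOR).
    if app.show_document("bob", 1).status == 200:
        findings.append("IDOR: bob can read alice's document 1")

    # Functional control: the owner still gets her own record, so the fix
    # cannot simply be 'deny everything'.
    if app.show_document("alice", 1).status != 200:
        findings.append("regression: owner cannot read her own document")

    # Defensive headers on the success path and on the error path.
    for who, doc_id in (("alice", 1), ("bob", 1)):
        headers = app.show_document(who, doc_id).headers
        for name, value in SECURE_HEADERS.items():
            if headers.get(name) != value:
                findings.append("headers: %s missing or wrong for %s/%d"
                                % (name, who, doc_id))
    return findings


if __name__ == "__main__":
    for app in (VulnerableApp(), HardenedApp()):
        print(type(app).__name__, security_findings(app) or "OK")
```

The same structure carries over to a real framework: replace the app objects with a request client and the `Response` with the framework's own, and the expectations (anonymous denied, other user's record denied, owner allowed, headers present on both success and error paths) stay the same.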

In addition to the technical portion of the talk, the speaker will spend a short time challenging the audience to help OWASP find ways to reach developers.  The speaker has had success in a local community reaching developers through simple community organizing strategies, applied conscientiously over a long period of time.

Speakers

Matt Konda

Founder, Jemurai
Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP... Read More →


Thursday November 21, 2013 12:00pm - 12:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common: 71 percent of applications contain components with known security flaws classified as severe or critical. Everything from Big Data to cloud and mobile applications is exposed to unmanaged risk. The pressure to add more features and put applications into production quickly comes at a devastating tradeoff: go fast or be secure. Using never-before-seen data from the Central Repository, the industry's primary source for open source components, which receives 8 billion requests annually, this presentation will examine how modern development is ushering in massive amounts of unmanaged risk, demanding a new approach to mitigating risk in modern, component-based applications: one that is significantly simpler to use, is integrated throughout the software lifecycle, and shows real, sustainable results.
Like automobile manufacturers, today's software developers assemble applications from existing components or parts rather than writing applications from scratch. Open source component use has skyrocketed in recent years. In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011. 90% of a typical application today is composed of components, the bulk of them open source, coming from dozens, if not hundreds, of individual suppliers. Yet 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security. Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk of a complex, distributed software supply chain. Coupled with the trend toward agile development, enterprises are finding themselves with massive, unmanaged risk.
Few organizations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from applications. In the annual Open Source Development Survey, the largest study of its kind, surveying more than 3,500 developers, architects and IT managers using open source, 76 percent of respondents shared that they have no control over what components are being used in software development projects, and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or databases, open-source components represent a rich attack vector for attackers to exploit, given their commonality across organizations and applications.
New to the OWASP Top 10 for 2013 is A9: Using Components with Known Vulnerabilities, acknowledging the widespread use of open source components in today's applications and the significant security risks that exist when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle. Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.
In this presentation, Ryan Berg, CSO of Sonatype and Jeff Williams, CEO of Aspect Security will examine why traditional approaches to application security can’t protect today’s applications.  Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous. 
Key topics and takeaways include:
• How to empower developers to become the new front line of defense in today's cyber-security war
• Why securing the perimeter is not enough to protect the critical data housed in modern applications
• How to break down the traditional walls between development teams and security and risk professionals
• Steps for introducing policy to govern component usage that will actually be adopted by developers
• How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
• How to give developers the tools and authority to focus on security in real time

Speakers

Ryan Berg

Chief Security Officer, Sonatype
Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management... Read More →

Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980's and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and love... Read More →


Thursday November 21, 2013 2:00pm - 2:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Modern Attacks on SSL/TLS: Let the BEAST of CRIME and TIME be not so LUCKY
SSL/TLS is the core component providing confidentiality and authentication in modern web communications. Recent vulnerabilities have undermined this and left much web-based communication vulnerable.
This talk will survey recent attacks such as BEAST, TIME, CRIME, Lucky 13 and the RC4 biases, highlighting the conditions required for exploitation as well as the current state of mitigations. Comprehensive recommendations will be provided, highlighting the real-world risks and mitigations with all attacks taken into account, instead of the conflicting advice that results from mitigating each attack individually.
Finally, long-term recommendations will be made for the move to a post-TLS 1.0 world without overhauling the basic structure and operational infrastructure of modern web communication.
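As an added example of the abstract's central point, that per-attack mitigations conflict and the configuration has to be judged as a whole (example code written for this page, not the speakers' material), the following evaluator takes a description of a TLS deployment and returns the applicable findings for BEAST, CRIME, TIME, Lucky 13 and the RC4 biases together with one consistent recommendation. The configuration dictionary layout and the helper names (`classify`, `evaluate`) are this example's own; cipher suites are given by their IANA names.

```python
"""Evaluate a TLS deployment against BEAST, CRIME, TIME, Lucky 13 and the RC4
biases together, not one attack at a time (added example for this page; not
the speakers' material).  The config format and helper names are this
example's own."""


def classify(suite):
    """Record-protection mode of an IANA-named cipher suite."""
    if "_GCM_" in suite or "_CCM" in suite or "CHACHA20" in suite:
        return "aead"
    if "_RC4_" in suite:
        return "rc4"
    if "_CBC_" in suite:
        return "cbc"
    return "other"


def evaluate(config):
    """config keys: versions (list of 'SSLv3'/'TLSv1.0'/'TLSv1.1'/'TLSv1.2'),
    ciphers (IANA suite names), tls_compression (bool), and
    http_compression_of_secrets (bool: secrets in compressed HTTP responses
    that also echo attacker-controlled input).  Returns (findings, advice)."""
    versions = set(config["versions"])
    modes = {classify(c) for c in config["ciphers"]}
    old_cbc_versions = versions & {"SSLv3", "TLSv1.0"}
    findings = []

    if config.get("tls_compression"):
        findings.append("CRIME: TLS-level compression leaks secrets through "
                        "record length; disable it, nothing depends on it")
    if config.get("http_compression_of_secrets"):
        findings.append("TIME: compressed HTTP responses that mix secrets with "
                        "attacker input leak them through response timing; keep "
                        "secrets out of compressed responses")
    if "cbc" in modes and old_cbc_versions:
        findings.append("BEAST: CBC suites on %s use predictable IVs; browsers "
                        "work around it with 1/n-1 record splitting, but on the "
                        "server only TLS 1.1+ fixes it"
                        % ", ".join(sorted(old_cbc_versions)))
    if "cbc" in modes:
        findings.append("Lucky 13: MAC-then-encrypt CBC is a padding-oracle "
                        "timing target; only patched, constant-time TLS stacks "
                        "mitigate it")
    if "rc4" in modes:
        findings.append("RC4 biases: keystream biases recover repeated plaintext "
                        "on every protocol version, so RC4 is not a BEAST "
                        "workaround")

    # One consistent recommendation instead of per-attack advice that conflicts.
    advice = []
    if "TLSv1.2" not in versions or "aead" not in modes:
        advice.append("enable TLS 1.2 with AEAD (GCM) suites and prefer them")
    if "rc4" in modes:
        advice.append("remove RC4 suites entirely")
    if "cbc" in modes and "aead" in modes:
        advice.append("keep CBC suites only below AEAD in preference order, "
                      "on TLS 1.1+ where clients allow")
    if config.get("tls_compression"):
        advice.append("disable TLS compression")
    if config.get("http_compression_of_secrets"):
        advice.append("stop compressing responses that carry secrets")
    return findings, advice


if __name__ == "__main__":
    legacy = {"versions": ["TLSv1.0"],
              "ciphers": ["TLS_RSA_WITH_RC4_128_SHA",
                          "TLS_RSA_WITH_AES_128_CBC_SHA"],
              "tls_compression": True, "http_compression_of_secrets": True}
    for line in evaluate(legacy)[0] + evaluate(legacy)[1]:
        print("-", line)
```

The structure makes the trade-off explicit: a server stuck on TLS 1.0 can choose between CBC (BEAST, Lucky 13) and RC4 (biases), and the only configuration that clears every finding is TLS 1.2 with AEAD suites preferred and compression off at both layers.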

Speakers

Shawn Fitzgerald

Shawn Fitzgerald is a senior security consultant at iSEC Partners, an information security firm specializing in application, network, and mobile security. At iSEC, Shawn specializes in web based applications, client/server testing, cryptographic systems, security design and security... Read More →

Pratik Guha Sarkar

Security Consultant, iSEC Partners
Pratik Guha Sarkar is a Security Consultant with iSEC Partners. At iSEC, Pratik works in the areas of web application/web services security, practical cryptography, mobile security and client/server testing. Before iSEC, he was with IBM working in telecom domain. Pratik graduated... Read More →


Thursday November 21, 2013 2:00pm - 2:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
Video of session:
https://www.youtube.com/watch?v=0dxzGK1ZPxA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=39


The OWASP Broken Web Applications (OWASP BWA) Project produces a free and open source virtual machine (VM) loaded with more than twenty-five web applications with a variety of security vulnerabilities.  The project VM is well suited for use as a learning and training environment or as a standard target for testing tools and techniques.  After two years of betas, the project released version 1.0 of the VM in 2012.  With that milestone behind us, this talk will focus on the project’s future, though it will include some background on the project and demonstrate key features in the current release.

Speakers

Chuck Willis

Mandiant
Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.


Thursday November 21, 2013 2:00pm - 2:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

2:00pm EST

Open Mic: Practical Cyber Threat Intelligence with STIX



Speakers

Sean Barnum

Cyber Security Principal, MITRE
Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community... Read More →


Thursday November 21, 2013 2:00pm - 2:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

3:00pm EST

The 2013 OWASP Top 10
Video of session:
https://www.youtube.com/watch?v=bWqb3Hemepc&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=17

The OWASP Top 10 has become the de facto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example.
This presentation will explain how the OWASP Top 10 for 2013 changed from the previous version and why. It will then briefly go through each item in the OWASP Top 10 for 2013, explaining the risks each issue introduces to an enterprise, how attackers can exploit them, and what your organization can do to eliminate or avoid such risks in your application portfolio.

Speakers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a company that specializes in application security services. He is also a long time contributor to OWASP including being a member of the OWASP Board since it was formed in 2003. Dave has over 20... Read More →


Thursday November 21, 2013 3:00pm - 3:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis