
Defenders
Wednesday, November 20
 

10:00am EST

Automation Domination
Building your application security automation program as part of the Software Development Lifecycle (SDLC) with architects, developers, and QA has always been challenging.  Automation Domination is the answer to that challenge, structuring a continuous integration framework around your portfolio of dynamic (DAST) and static (SAST) scanning products with integration into your software development stack.  We will explore how to take theory into practice with a proven, scalable enterprise solution with OWASP Projects, continuous integration (CI), bug-tracking, and content creation products.

Speakers

Brandon Spruth

Prior to beginning his career in Application Security he was both a Technical Recruiter and Entrepreneur with a passion for Technology. As an entrepreneur, he founded a small computer company that provided services to the Real Estate Industry. Currently, he is also President and a...


Wednesday November 20, 2013 10:00am - 10:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

11:00am EST

Why is SCADA Security an Uphill Battle?
Video of session:
https://www.youtube.com/watch?v=quhbhy7WkkA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=12

This talk will present the technical security challenges faced by organizations that operate SCADA, critical infrastructure or control system installations. It will provide examples of attacks and examples of security controls that organizations can implement to protect against these attacks. It will focus on how OWASP and SCADA are becoming closely knit together. The talk will also introduce an updated version of an open-source tool to help identify and inventory SCADA systems.
The presentation will begin by introducing SCADA systems under the hood, including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data historians and other SCADA components. The presenter will categorize these components into distinct groups based on the functionality that each component provides. We will review the security implications of each of these groups and identify where most of the threats lie. We will take a packet-level dive into SCADA protocols and study their security implications. The presentation will give examples of attacks that can be carried out against each group and component. The presenter will release an updated version of an open-source tool to identify and inventory SCADA systems using the protocols discussed in this presentation. It will then focus on real-world examples of successful and not-so-successful implementations of security controls with SCADA systems, including examples of what some large organizations have done. We will conclude with guidance on how control system owners can start implementing additional measures to reach an acceptable level of security.
Attendees who are in charge of control system infrastructure will get insight into what worked and what did not for other organizations. Engineers who are in charge of security for control systems will get better technical insight into SCADA protocols and components and can use the open-source tool that is introduced. Attendees who are new to control systems will get an excellent overview of the security complexities of control systems.

Speakers

Amol Sarwate

Director of Vulnerability and Compliance Labs, Qualys Inc.
As Director of Vulnerability Labs at Qualys, Amol Sarwate heads a worldwide team of security researchers who analyze the threat landscape of exploits, vulnerabilities and attacks. He is a veteran of the security industry who has worked for the last 15 years on firewalls, vulnerability...


Wednesday November 20, 2013 11:00am - 11:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

Build but don't break: Lessons in Implementing HTTP Security Headers
Content Security Policy is a new standard from the W3C that aims to help stop a mainstay of the OWASP Top 10, cross-site scripting (XSS). The problem faced by many major sites today is how to craft a working content security policy for already existing applications. We will discuss real-world techniques to simplify policy generation and testing, as well as what changes are coming in CSP version 1.1. I will also discuss additional security headers such as X-Frame-Options to stop clickjacking and HTTP Strict Transport Security to stop man-in-the-middle attacks.

Speakers

Kenneth Lee

Product Security Engineer, Etsy
AppSec Engineer @ Etsy. Loves pentests, code reviews, and a good cup of tea. Twitter: @kennysan Github: https://github.com/kennysan


Wednesday November 20, 2013 12:00pm - 12:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

1:00pm EST

Open Mic - Birds of a Feather --> Cavalry

Question: I noticed on the schedule there are "OPEN-MIC" sessions, what exactly are they and how do I present during those time slots?

Answer: During the morning hours of Wednesday, Nov. 20  badge-holding conference attendees interested in presenting an AppSec related topic may sign up for the Open Mic slots. There will be large voting boards near registration where you can post your submission proposal (session title, mini abstract and name) on a post-it note. Depending on the amount of submissions, we may be hosting 2-3 "speed talks" during each Open Mic session. All badge-holding conference attendees will use little sticky dots, included in their conference registration bag, to vote on the talks they'd be interested in attending. Voting will be open until Noon on each day, at that time the conference organizers will post the accepted submissions on the AppSec USA Schedule webpage.


Speakers

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman's cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across...

Nicholas J. Percoco

Director, Information Protection, KPMG
With more than 16 years of information security experience, Nicholas is a Director in KPMG's Information Protection practice. Prior to KPMG, Percoco led the global SpiderLabs organization for more than a decade, which performed more than 2000 computer incident response and forensic...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Booth (5th Floor) NY Marriott Marquis

1:00pm EST

A Framework for Android Security through Automation in Virtual Environments

This session introduces a practical approach to securing Android applications through an automated framework. The framework uses a simple interface and automatically evaluates applications, even hundreds of them, harvesting behavioral data and run patterns and facilitating the vast majority of evolving security tests. Citing research from using this framework, this session will also answer some of today's most pressing Android security questions.
This presentation will address the limitations of real-time security and fragmented security models for security evaluations of Android applications, and will demonstrate how to resolve this using an automated virtual environment that analyzes the behavior of Android apps while providing a layer of transparency between Android apps and Android users.

Then it will present how I built an open-source framework, the Android Security Evaluation Framework (ASEF), to help resolve the security needs of a larger spectrum of Android users, including researchers and developers. I will explain how to perform security evaluations on a bigger scale for app stores and large organizations by demonstrating scheduled automatic security evaluations that can be done remotely from an Android device using ASEF and its agent.

Citing results from using ASEF, I will also recommend safe practices to follow by being proactive about security measures before installing an app, as well as tips for effective security management after Android apps are installed. I will also discuss the importance of Behavioral Analysis and Vulnerability Management of Android devices, along with the idea of integrating security tests into the plug-and-play framework of ASEF.
Lastly, I will discuss the future of Android security through the eyes of automation and what tactics can be used to achieve conclusive and comprehensive coverage of upcoming Android security needs.


Speakers

Parth Patel

Backend Developer / Security Engineer, Qualys
I find a programmatic way to replace myself at work and when I do, I explore new challenges to work on. Android Security is my most recent interest. Please visit my Open Source Project at (http://code.google.com/p/asef/). I have presented my research work at Security Conferences like...


Wednesday November 20, 2013 1:00pm - 1:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

2:00pm EST

Open Mic: Making the CWE Approachable for AppSec Newcomers



Speakers

Hassan Radwan

Secure Decisions
Hassan Radwan is a developer by trade with a passion for consumable application security. He is the project lead on OWASP Code Pulse, a real-time code coverage tool, and leads the engineering effort on Code Dx, a commercial SAST correlation tool. Hassan has worked in the application...


Wednesday November 20, 2013 2:00pm - 2:50pm EST
Booth (5th Floor) NY Marriott Marquis

4:00pm EST

Big Data Intelligence (Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud)
Video of session:
https://www.youtube.com/watch?v=afMvndBEv-I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=6

As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases exponentially, leaving security experts with a big data mess to analyze. Pinpointing real attacks in a sea of security event noise becomes an almost impossible, tedious task. In this presentation, we will unveil a unique platform for collecting, analyzing and distilling petabytes of WAF security intelligence information. Using the collected data, we will discuss the OWASP ModSecurity Core Rule Set project's accuracy and reveal common attack trends, as well as our impressions and suggestions for how to wisely make the best of the CRS project.

Topics covered in this presentation:
• Using Big Data for analyzing web application security trends
• Akamai's Cloud Security Intelligence (CSI) platform - collecting petabytes of WAF events with near-real-time analysis capabilities
• Sample data analysis - Top 10 web application attacks and trends, as collected by the system
• Short demo of a unique user interface for navigating and analyzing big WAF data (SARA - Security Analytics Research Application)
• Measuring the accuracy of the OWASP CRS project
• Analyzing the accuracy of CRS - precision, recall and accuracy statistics against real-world traffic
• Frequent real-world false positive scenarios, and how to remediate them
• Top 10 triggering rules statistics

Presentation Length: 45 minutes

Speakers

Tsvika Klein

Product Line Director, Akamai
Rich experience as a speaker in industry conferences and technical panels such as OWASP and academia.

Ory Segal

Sr. Director, Threat Research, Akamai
Information about my history in the security industry can be found in the reflection blog post done on me: http://myappsecurity.blogspot.co.il/2007/04/reflection-on-ory-segal.html I have been a part of the security industry since 1996, and was closely involved in building some of...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Forensic Investigations of Web Exploitations
Video of session:
https://www.youtube.com/watch?v=WpDSQ18xaXY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=5

Investigation of hacking incidents often requires the combined effort of different technologies. Evidence and forensic artifacts are often found in various forms and formats. Network forensics is one of the components in the process of finding compromised hosts and capturing and reconstructing malicious sessions. Attacks on web vulnerabilities can be replayed and the transmitted data uncovered. This session will cover open-source tools used for the investigation of compromised web hosts and for network forensics. A variety of tools can produce a significant supplement to electronic evidence, and in many cases also capture the malicious executables transmitted in the traffic, or exfiltrated data. Various network protocols and their structure will be presented. Open-source network forensic tools will be used on traffic captured from a hacked web server. Different tools will be introduced for specific tasks in the investigation process. Captured traffic will be analyzed and reconstructed, and the various artifacts found in the investigation will be discussed.

Speakers

LIFARS LLC

CEO, LIFARS LLC
Ondrej Krehel is principal and founder of LIFARS LLC, an international cyber security and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

4:00pm EST

Sandboxing JavaScript via Libraries and Wrappers
The large majority of websites nowadays embed third-party JavaScript into their pages, coming from external partners. Ideally, these scripts are benign and come from trusted sources, but over time, these third-party scripts can start to misbehave, or come under the control of an attacker. Unfortunately, the state-of-practice integration techniques for third-party scripts do not impose restrictions on the execution of JavaScript code, allowing such an attacker to perform unwanted actions on behalf of the website owner and/or website visitor.
In this paper, we present a two-tier sandbox architecture to enable a website owner to enforce modular, fine-grained security policies for potentially untrusted third-party JavaScript code. The architecture contains an outer sandbox that provides strong baseline isolation guarantees with generic, coarse-grained policies and an inner sandbox that enables fine-grained, stateful policy enforcement specific to a particular untrusted application. The two-tier approach ensures that the application-specific policies and untrusted code are by default confined to a basic security policy, without imposing restrictions on the expressiveness of the policies.
Our proposed architecture improves upon the state of the art as it does not depend on browser modification nor on pre-processing or transformation of untrusted code, and allows the secure enforcement of fine-grained, stateful access control policies. We have developed a prototype implementation on top of an open-source sandbox library in the ECMAScript 5 specification, and validated it with several real-world JavaScript applications such as Google Analytics, Google Maps, and jQuery UI.

Speakers

Phu Phung

Research Associate, University of Illinois at Chicago
Dr Phu Phung is a Research Associate at the University of Illinois at Chicago from December 2012, employed by the University of Gothenburg, Sweden. From October 2011 to December 2012, he was a postdoctoral researcher at the Department of Computer Science and Engineering, Chalmers University...


Wednesday November 20, 2013 4:00pm - 4:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

6:00pm EST

Silk, Webservers, Exploits and RATz by M4v3r1ck

Disclaimer: If you have trigger issues -- please do not attend this talk.

Now that the statute of limitations has run out, walk with me as I discuss the industry, the people and the events.

From warelords, to the conference that was meant to be a one-time party to say good-bye to BBSs OG. Today's web applications still provide the perfect place for logic bombs. We will talk about current news events including carderprofit.cc and the newest threat to turning a profit.

Face it.. the computer security industry is a JOKE. You will enjoy this talk.

pssssss buddy you want to buy a shell... what'ca want what'ca need?
Speakers

Yuri

sysop
Hacker for Profit


Wednesday November 20, 2013 6:00pm - 6:50pm EST
Salon 4 (5th Floor Ballroom) NY Marriott Marquis
 
Thursday, November 21
 

9:00am EST

Contain Yourself: Building Secure Containers for Mobile Devices
Video of session:
https://www.youtube.com/watch?v=siVS2jmPABM&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=31

In today's world, everyone wants access to information from his or her personal mobile device. As a business, this includes your customers and/or employees. What if the information they want access to is highly sensitive? While it's tempting to resist these pressures for security reasons, providing mobile access can be a significant competitive advantage and, most importantly, keep your customers and employees happy and productive. The reality is that in order to survive in a connected world, we must provide a way to meet these demands without sacrificing security.

Organizations have begun moving from "managed devices" to a Bring Your Own Device (BYOD) model where company resources can be accessed and stored on unmanaged devices. As you can imagine, there are some inherent risks with this approach due to the organization's inability to enforce policies on personal devices. There is currently a huge market for solutions that allow enterprises to protect their data on unmanaged devices. Enter "Secure Containers" and "Application Wrapping". The basic premise of these solutions is that they allow organizations to enforce policies at the application layer rather than the device layer. For example, authentication, remote wipes, lockouts and data encryption can now be enforced on a per-application basis. Application Wrapping is a technique that allows a vendor to inject its own code into existing iOS applications. Once injected, existing iOS method implementations can be overwritten to enforce these policies. In a nutshell, you can take an existing application and have it wrapped so that it enforces various defined policies and is secured without developers having to implement them manually.

We have performed security assessments of various commercial BYOD solutions and custom secure containers. Additionally, we have also provided guidance in the development and design of such solutions. We plan to share our experiences through various case studies showcasing the various security issues encountered and testing techniques used throughout these assessments. We expect to cover and provide the audience with newfound knowledge in the following topics:  

What is Application Wrapping and How It Is Implemented
    - Dynamic Library Injection
    - iOS Method Swizzling

Walkthrough of Common Designs for Secure Containers
    - Weak Crypto Key Storage and Generation
    - Common Crypto Implementation Flaws   
    - Online and Offline Authentication Designs

Leveraging iOS Runtime Analysis for Reversing Implementations
    - Common iOS Reversing Techniques
    - Writing Mobile Substrate Hooks

Completeness of the Implementation
    - Preventing Common Mobile Security Plaintext Storage Issues
    - Inadvertent Caching of Sensitive Data
    - Jailbreak Detection
    - Weaknesses in Policy Enforcement and Remote Wipes

Attendees will leave with an understanding of the advantages and disadvantages of using "secure container" solutions. The presentation will be delivered from the point of view of a security tester with experience in assessing various implementations. Organizations can leverage this knowledge in order to perform informed decisions when choosing or developing solutions. Security testers will leave with baseline checks and testing techniques for assessing secure container implementations. 

Speakers

Ronald Gutierrez

Senior Security Engineer, Gotham Digital Science
Ron Gutierrez is a senior engineer at Gotham Digital Science (GDS), where he specializes in application security code reviews, mobile application assessments, black box application testing and threat modeling. Ron is a member of the SendSafely development team and a frequent contributor...


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis

9:00am EST

Mobile app analysis with Santoku Linux
Video of session:
https://www.youtube.com/watch?v=cmVRCWbo0jU&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=26

Did you think there were a lot of mobile devices and platforms out there? Check out the hundreds of mobile tools being developed. We calculated it would take more time to install, test and maintain the various mobile tools than to actually fuzz the hell out of all existing mobile operating systems. So, we created Santoku Linux, a F/OSS, bootable Linux distro to make life easier for mobile hackers.
We pre-install not only the mobile platforms but promising tools in development. Santoku covers mobile forensics, mobile malware analysis and mobile security testing. The distribution is based on Lubuntu 12.04 x86_64 and we recently moved to .deb support for simplified upgrades. The Santoku website contains useful information on Santoku, notably:
• Tools: https://santoku-linux.com/features
• HOWTOs: https://santoku-linux.com/howtos
• Changelog: https://santoku-linux.com/download/changelog

This talk will introduce Santoku and provide live demos of 1) how to forensically acquire and analyze Android and iOS devices, 2) several tools to perform security audits of mobile devices and apps, and 3) how to analyze mobile malware. All demos will leverage tools preinstalled on Santoku Linux and will cover both the iOS and Android platforms.

Speakers

Andrew Hoog

Founder / Board Member, NowSecure
I’m a computer scientist, mobile security and forensics researcher, and co-founder of NowSecure. I’m also a testifying expert witness, author of two books on mobile forensics for Android and iOS, and hold two patents in the areas of forensics and data recovery.


Thursday November 21, 2013 9:00am - 9:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

10:00am EST

Accidental Abyss: Data Leakage on The Internet
Video of session:
https://www.youtube.com/watch?v=kuBtCoYj6zA&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=27

PII is personally identifiable information. In the information age, seemingly useless bits of PII can be found everywhere on the web, from Facebook to Amazon to county records. Using purely legal methods and nothing more than artful searching, I will show you the art of low-tech, highly targeted recon. How much of your identity is scattered around on the internet? In this ambitious talk we will look at better hacking through television, how to combine crumbs to build thorough dossiers, and learn some tricks on how to do some basic information reconnaissance. By the end of the talk you'll have some frightening statistics, something good to think about and some tools that will make you a more effective social engineer, an aware user and a more thoughtful security expert.

Speakers

Kelly FitzGerald

Kelly has a BS in Computer Science from CSUSB. She was awarded a full academic scholarship from the National Science Foundation. In her senior year of college she took a job at EvidentData doing computer forensics. From there she fell in love with the dark side and purposely went...


Thursday November 21, 2013 10:00am - 10:50am EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis

12:00pm EST

OWASP Periodic Table of Elements
Video of session:
https://www.youtube.com/watch?v=4GoLqNANlFg&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=11

After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug classes can be eliminated by building protections into perimeter technologies, platform infrastructures, and application frameworks before a developer even writes a single line of custom code. By allowing developers to focus on just a small subset of bug classes, training and standards programs can be more targeted and effective so developers can write secure code much more efficiently.
Vulnerabilities and weaknesses from industry-recognized indexes including OWASP Top 10, WASC TCv2, and CWE-25 are analyzed to determine which of the protection options are ideal for solving the software security problem. Where changes to internet standards and protocols are required, alternatives in perimeter, framework, or custom code solutions are also provided until the internet-scale solutions are in place. If a solution can be completely implemented in perimeter or infrastructure technologies, only that solution is provided. Similarly, if any part of the solution can be provided in standard or custom frameworks, that solution is not recommended to be implemented in custom code. The guiding principle is essentially: "implement security controls as far from custom code as possible." Only if there is no other way to solve a particular security problem is a custom code solution recommended.

Thursday November 21, 2013 12:00pm - 12:50pm EST
Salon 3 (5th Floor Ballroom) NY Marriott Marquis

1:00pm EST

Open Mic: Vision of the Software Assurance Market (SWAMP)



Thursday November 21, 2013 1:00pm - 1:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis

3:00pm EST

CSRF: not all defenses are created equal
CSRF is an often misunderstood vulnerability. The standard way to protect against it is by implementing the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example, .NET applications can use the AntiForgeryToken (for MVC applications) or ViewStateUserKey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has CSRFGuard. All of these solutions, though, are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects have even caused worse security problems (namely revealing the session cookie) while trying to defend against CSRF. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through each of the major solutions mentioned above and describe how they implement the general solution and the positives and negatives of each implementation.

Speakers

Ari Elias-Bachrach

independent consultant, Defensium LLC
In the course of implementing CSRF defenses in the extremely broad (over 3000 web applications) and diverse environment that is the NIH, I have found that not all CSRF defenses are created equal. A lot of research, experimentation, and conversations with vendors and developers have...


Thursday November 21, 2013 3:00pm - 3:50pm EST
Salon 2 (5th Floor Ballroom) NY Marriott Marquis