Chrome Health and the Art of Software Security
Chrome is a browser built for the modern web and driven by three guiding principles: speed, simplicity, and security. This talk will focus on Chrome’s approach to the latter while highlighting parallels between software security and medicine. I’ll review Chrome’s vitals and architecture, some of our healthy engineering habits, facets of our immune response, genetic susceptibility to insecurity (and how we manage risk), and more. You’ll leave with a better understanding of Chrome and probably a few bits of trivia about human health.
Parisa Tabriz is Google’s “Security Princess” – that’s her real job title! She has worked on information security at Google for more than 8 years, starting as a “hired hacker” software engineer for Google’s security team. As an engineer, she found and closed security holes in Google’s web applications, and taught other engineers how to do the same.
Today, Parisa manages Google’s Chrome security engineering team, whose goal is to make Chrome the most secure browser and keep users safe as they surf the web. In 2012, she was selected by Forbes as one of the 30 under 30 pioneers in technology and has the rare distinction of being profiled by both ELLE and Wired in the same year. In 2014, she spent vacation time with the White House U.S. Digital Service to enhance the security of government technology, but typically, she prefers to spend vacations up in the mountains and away from digital signals.
Making SSL Warnings Work
HTTPS is an important tool for protecting the privacy of online communication. However, SSL warnings are a weak point in this system. Often, the browser can’t tell whether a certificate validation error is indicative of an attack or a simple server misconfiguration. The user is asked to decide what to do, even though s/he probably isn’t equipped to make that decision. My team is trying to make SSL warnings more effective (and helpful) in Chrome. In this talk, I’ll describe how we’re trying to automatically identify and resolve common sources of false positive warnings. I’ll also discuss how we redesigned SSL warnings to be more understandable by end users.
Adrienne Porter Felt is a software engineer on the Google Chrome security team. Her mission is to make it easy to stay safe on the web. Adrienne leads Chrome’s usable security efforts, including: making security warnings understandable, improving warning accuracy, and encouraging developers to use HTTPS correctly. Previously, she was a research scientist on Google’s security research team.
OWASP Top Ten Proactive Controls
The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. This talk describes the bare minimum required of a development team if they wish to have even a small chance of producing secure software.
– Whitelist Validation (struggles with internationalization)
– URL validation (as part of redirect features)
– HTML Validation (as part of untrusted content from features like TinyMCE)
– Password storage, HMACs for scale
– Multi-factor AuthN implementation details
– Forgot password workflow
– Limits of access control
– Permission-based access control
– Output encoding for XSS
– Query Parameterization
– Other encodings for LDAP, XML construction and OS Command injection resistance
– Secure number generation
– Certificate pinning
– Proper use of AES (CBC/IV Management)
– Core requirements for any project (technical)
– Business logic requirements (project specific)
Secure Architecture and Design
– When to use request, session or database for data flow
Jim Manico authors and delivers developer security awareness training and has a 20-year history building software as a developer and architect. Jim is also a global board member for the OWASP foundation, where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects.
The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers
Joint work with Zhiwei Li, Warren He, Dawn Song.
We conduct a security analysis of five popular web-based password managers. Unlike “local” password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that securing password managers remains a challenge. To guide future development, we provide guidance for password manager developers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensure the security of password managers.
Dev is a security engineer at Dropbox. Previously, he was a grad student at UC Berkeley interested in web application security. His research focuses on web application security, browser security, and other related topics. He is also an editor of the Sub Resource Integrity spec and is always happy to talk about Content Security Policy.
Evolution Of Penetration Testing
Penetration testing came about because of real-world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against them, and thus the penetration testing industry was born. Back then, if an exploit was found it was released in raw format, possibly (probably) perfected by others, and released again. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint-by-numbers! The initial onset of penetration testing was derived from real-world attacks, and we evolved the penetration testing concept, but then stopped a few years ago. We quit mimicking real attackers. Why did we do this? It isn’t because as an industry we didn’t want to continue to advance it; it was because it became too difficult. Why so difficult? Because the times have changed, and people don’t just give out things like they used to (attackers especially). True attackers find a vulnerability or exploit and treat it as something very special: they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money. When money got involved, the penetration testing industry went in a different direction than real-world attacks. Yes, our tools replicate “bad” things on networks, but they don’t replicate everything.
We will cover the not-so-common tactics, techniques, and procedures (TTP) scenarios from real-world attacks and show the differences between true attackers and current penetration testers. This talk will focus on the binary and forensic aspects of these scenarios to show the significant differences between true attacks and penetration tests.
Russ Gideon has many years of experience in information security, having fulfilled diverse roles from being a core component of an Incident Response operation to managing an effective Red Team. Russ excels at malware reverse engineering, which enables him to deeply understand how the attackers do what they do, as well as at high end Red Teaming where he has to penetrate sophisticated and well protected high value systems. Russ currently serves as the Director of Malware Research at Attack Research.
Stephan Chenette is the Founder and CTO of AttackIQ, Inc., where he and his team work on adversarial modeling and automated security control validation. Previous to AttackIQ, Stephan held positions as Director of Research for IOActive, Manager of Labs for Websense, and Security Engineer at both SAIC and eEye Digital Security.
Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive’s Director of Penetration Testing he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities and designing custom security solutions for clients in technology development, telecommunications, and financial services.
van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customers’ expectations.
van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team’s implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.
Why Your AppSec Experts Are Killing You
Software development has been transformed by practices like Continuous Integration and Continuous Delivery, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible.
He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.
CTO of Contrast Security. Continuous Application Security. OWASP. DevOps
.NET Reversing and Exploitation for Cool Kids
Java isn’t the only managed language with bugs. This talk will cover the current state of .NET reverse engineering and exploitation, including practical examples of both application-level and framework vulnerabilities. We’ll cover the various strengths and weaknesses of .NET security features, including bypassing strong-name signing and the GAC. Finally, I will provide a short demo on how to modify the behavior of the .NET framework through DLL byte patching.
Kelly Lum has “officially” worked in Information Security since 2003. She recently left an eight-year stint as a code auditor/ penetration tester/ application security director/ bad-ass M.C. in the financial security sector to become a Security Engineer at Tumblr.
Misconceptions in the Cloud
This presentation will discuss common misconceptions and issues that affect companies moving to the cloud. These aren’t the large, obvious issues when moving to the cloud such as, “Do you have a plan for secure, centralized, scalable logging?” Instead, these are more subtle, smaller issues that can affect whether you are conceptualizing your problem statements correctly. As seasoned security professionals, our pre-cloud experiences lead to certain implicit assumptions that do not always hold true when working with cloud-based teams. This talk will highlight a few of those assumptions and their risks.
Peleus Uhley is the Platform Security Strategist within Adobe’s Secure Software Engineering Team (ASSET). His primary focus is advancing Adobe’s Secure Product Lifecycle (SPLC) within Adobe platform technologies, including Flash Player and AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for @stake and Symantec.
DevOps for the Discouraged
You got DevOpsed! Your sysadmin team got renamed as the DevOps team. Developers got prod access. Code deploys to prod happen multiple times a day now. In the eyes of the business, things are great. Yet, the security team continues to be left out and really nothing seems to be better. In fact it feels worse.
Time to learn how to hack some devops for great good.
This talk will equip you with advice and tools to join in on the DevOps. You will also leave with a sample continuous delivery pipeline that is armed and dangerous and ready to identify security issues in a typical web application stack.
We’ll use a range of open source technology including OWASP ZAP, gauntlt, brakeman, nmap, sqlmap, arachni and more.
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at the University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapidly growing startups. As a Senior DevOps Engineer, James is currently working on launching cloud-based products for the Embedded Software division of Mentor Graphics.
James is a dynamic speaker on topics in cloud computing, cloud security and Rugged DevOps. He is the creator and founder of the Lonestar Application Security Conference which is the largest annual security conference in Austin, TX. He holds the following security certifications: CISSP, GWAPT, GCFW, GSEC and CCSK.
API = Authentication’s Poorly Implemented
Who doesn’t love a robust, easy-to-use, well-documented API? The ability to plug right into an application, a service, an infrastructure, especially in a secure way, is a marvelous feeling. But, what about those mild (and not so mild) oversights? Implementation flaws? Security bugs? Legacy APIs being “integrated” with new, flashy RESTful APIs?
In this talk, we’ll highlight some real-world examples of web-related API security problems, notably surrounding authentication and authorization issues in targets ranging from a big online payment shop to an embedded device’s backend infrastructure (and a slew of things in between).
Zach Lanier is a Senior Research Scientist with Accuvant Labs, specializing in various bits of network, mobile, and application security. Prior to joining Accuvant, Zach most recently served as a Senior Security Researcher with Duo Security. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the “Android Hackers’ Handbook” (Wiley, April 2014).
Devil in the Haystack
Application security lies at the core of Salesforce.com’s products, for obvious reasons. However much one has strengthened perimeter defenses, a defense-in-depth strategy that lives right in the app is still needed.
This talk focuses on applying statistics and machine learning techniques to in-app events to detect, and eventually prevent, attacks and abuse on the Salesforce platform.
The OWASP group laid out a framework for intrusion detection and response in applications: AppSensor. Our work is distinct from the AppSensor project in that the data-driven statistical approaches are built with online learning methodologies and adaptive behavior modeling techniques; they thus require as little configuration and supervision as possible. Unsupervised learning and bootstrapping are established techniques within machine learning. This research dramatically differs from previous detection techniques for two reasons: 1) The in-app detection inspects transactions in the context of the application’s semantics, interactions and enhanced information about their users, whereas an IDS or IPS usually operates on the perimeter at the firewall or the network gateway and has little to no knowledge of the behavior within an application. 2) Our methods are adaptive to behavior changes, while previous techniques largely rely on signature-based misuse detection with rather stale configurations that are thus susceptible to a higher rate of false positives. One example of adaptive behavior-based detection is detecting a fraudulent user who is stepping through a multi-step business process in an anomalous order. The determination of the anomaly is based firstly on regular behavior learned over time, and secondly on automatic adjustment for evidence of changes in a user’s role or business process. Other examples include alerting on abnormal timing or volume of certain in-app activities, or on geolocation anomalies among a user’s access points within a single session.
In this talk, we will also share our experience with the big data technologies around the Apache Hadoop ecosystem, in particular Apache Spark, as the major enabling technologies for in-depth app platform threat detection.
Ping spent nearly a decade conducting academic and applied research, innovating algorithmic models in various domains, from consumer behavior modeling to algorithmic security detection. Her works were published as journal articles, monographs and books.
Ping holds a PhD in Management Information Systems from the University of Arizona with a focus on machine learning, consumer analytics and healthcare surveillance.
She spoke at various academic conferences in the field of management science such as ICIS, WITS, BioSecure among others, and InfoSec events including BayThreat, BSidesSF and CanSecWest 2014.
Leveling up an application security program
In this talk, David will relay lessons learned from his first year working in the application security program at Riot Games.
David will explain how he assessed the level of the program when he joined, and what gaps he identified. He will give an overview of how Riot approaches application security in a fast paced, agile environment. This will include how Riot implements controls which do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice.
There are many options when it comes to understanding and improving an application security program. This talk will address Riot’s efforts in this regard.
David Rook is a Security Engineer focusing on Application Security at Riot Games in Dublin. He has held various application security roles in the financial services industry since 2006 before moving into the computer games industry in early 2014. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja.
The Security Ninja blog has been nominated for five awards, including best technology blog at the Irish Blog Awards and the Computer Weekly IT Security blog award, and was a finalist for the Irish Web Awards Best Technology Site. David received a Developer Security MVP award from Microsoft in 2011, 2012 and 2013 as well as the SC Magazine Europe 2012 Rising Star award. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser.
Unicodes Gone Wild
This talk will discuss the oddities of proper Unicode handling, as well as revealing some common problems with handling Unicode in various operating systems, applications, and frameworks.
Christien Rioux, also known by his handle DilDog, is the co-founder and chief scientist for the Burlington, Massachusetts based company Veracode, for which he is the main patent holder. Educated at MIT, Rioux was a computer security researcher at L0pht Heavy Industries and then at the company @Stake. While at @stake he looked for security weaknesses in software and led the development of Smart Risk Analyzer. He co-authored the best-selling Windows password auditing tool @stake LC and the AntiSniff network intrusion detection system.
Building a Modern Security Engineering Organization
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:
– Practical advice for building and scaling modern AppSec and NetSec programs
– Lessons learned for organizations seeking to launch a bug bounty program
– How to run realistic attack simulations and learn the signals of compromise in your environment
Zane Lackey is the Founder/CSO at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners.
Malicious MDM: Fun with iOS MobileConfigs
MDM can be a great way to put security controls on smartphones, but what happens when an attacker brings your device into their MDM domain? From smartphone manufacturers to cell phone service providers, everyone seems to be developing a solution for managing smartphones. We will be covering the basics of how MDM works and how the Apple MDM service can be abused to gain control over iOS devices. This attack demo will show how malicious MDM configurations are deployed and how company phones can be abused to gain access to a company’s internal domain. Additionally, we will be covering the steps you should take to protect your business from malicious MDM profiles.
Karl is a senior security consultant at NetSPI. This role has allowed Karl to work in a variety of industries, including financial services, health care, and hardware manufacturing. Karl specializes in network and web application penetration testing. In his spare time, Karl likes to volunteer at THOTCON and DEF CON. Karl can be found on Twitter at @kfosaaen.
Fixing XSS with Content Security Policy
Cross-site scripting (XSS) has been dominating the OWASP Top 10 for many years. Although input validation and output encoding are good traditional defenses against XSS, it is often difficult to ensure that they are used in all required places in large applications. Content Security Policy (CSP) is a promising new HTML5 feature that can help prevent traditional and DOM-based XSS on your website. If you keep dynamic data and static code separate, you can have conforming browsers enforce your CSP to ensure that the data never gets interpreted as code. The intricacies of the technology are in how CSP policies are combined and what limitations they place on web development. This talk will cover:
• What are the differences between CSP 1.0 and CSP 1.1, and what do they mean for web application developers?
• How does CSP protect web applications from cross-site scripting?
• Are input validation and output encoding still necessary if CSP is used properly?
• What browser support exists for this technology?
• How can you get started using CSP on your website?
Ksenia Dmitrieva is a Senior Security Consultant at Cigital with over six years of experience developing and securing web applications. Ksenia holds a M.S. in Computer Science from George Washington University. As a Senior Consultant, she performs penetration testing and code review focusing on web applications, web services, new web technologies and frameworks for clients in financial services, entertainment, telecommunications, and enterprise security industries. Ksenia’s current concentration is on researching HTML5 technologies, their security implications and how their vulnerabilities could be discovered and remediated. Ksenia often delivers training sessions and has previously presented at Nullcon, BSides Security London, and LASCON.
Anatomy of memory scraping, credit card stealing POS malware
Credit card payment processing and point-of-sale (POS) systems are like a black box for most people without knowledge of their internal workings. But recent data breaches of thousands of credit cards have shown that determined attackers have not only mastered ways to steal magnetic stripe cards, but have also targeted EMV chip cards.
The session will start by explaining the architecture of different types of POS systems along with their components, operation and integration. This includes the magnetic stripe track data format, the technology behind credit card readers, and point-of-sale hardware and software. A common element in POS attacks is the credit card swipe. Swiping refers to the process of a card reader reading unencrypted credit card data from the magnetic stripe of the card and its communication with the POS terminal. I will explain various malware attack techniques used for exploitation and exfiltration of credit card data. This will include RAM scraping, process hooking and injection, keyboard hooks, command and control techniques, as well as the Luhn algorithm. A live demo of a PoC RAM scraping malware and its internal workings will be shown, along with an explanation of key concepts. A live demo of a working POS system compromise, based on malware that I created for research purposes, will be shown. This will be followed by a Q&A which will conclude the session.
Amol heads Qualys’ worldwide security engineering team responsible for vulnerability and compliance research. His team tracks emerging threats and develops software which identifies new vulnerabilities and insecure posture for Qualys’ VM, PC, PCI and QBC services.
Amol is a veteran of the security industry and has devoted his career to protecting, securing and educating the community about security threats. Amol has presented his research on Vulnerability Trends, Security Axioms, SCADA security, Malware and other security topics at numerous security conferences, including RSA Conference, BlackHat, Hacker Halted, SecTor, BSides, InfoSec Europe, NullCon, GrrCon, ISSA, Homeland Security Network HSNI and FS/ISAC. He regularly contributes to the SANS Top 20 expert consensus identifying the most critical security vulnerabilities. He writes the “HOT or NOT” column for SC Magazine and holds a US patent for Systems and Methods for Performing Remote Configuration Compliance Assessment of a Networked Computer Device.
10 Deadly Sins of SQL Server Configuration
Databases are the backbone of the applications that run our world and store our personal data. Microsoft’s SQL Server is one of the primary database platforms used in enterprise environments today. This talk will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Scott Sutherland is a principal security consultant responsible for the development and execution of penetration test services at NetSPI. His role includes researching and developing tools, techniques, and methodologies used during network and application penetration tests. As an active participant in the information security community, Scott performs security research in his free time and contributes technical security blog posts, presentations, and tools on a regular basis through NetSPI. You can find Scott blogging on the NetSPI website and on Twitter.
Legacy Java Vulnerabilities – Ignore at Your Own Risk
Java is one of the longest-standing and most widely deployed enterprise programming languages in the world. It is also frequently attacked due to its numerous and well-documented security vulnerabilities, many of which have a very high CVSS (Common Vulnerability Scoring System) score.
This problem is amplified by the fact that countless data center applications are still running on older, legacy versions of the platform. Although the original promise of Java was application portability, in reality most core enterprise applications were written for execution on a specific version of Java, and that’s where they’ve stayed.
This session will discuss the two primary reasons that legacy Java security risks persist, namely the cost of mitigation and operational impacts. The obvious way to deal with legacy Java issues is to update the Java runtime. But this process is costly since it requires extensive application modifications, testing and re-qualification. Meanwhile, the risk of downtime is an even bigger problem. No matter how much testing is done, it’s impossible to guarantee that changes to the application will not break it.
Using several documented Java server vulnerabilities, the speaker will explain and evaluate the merits of the current approaches to addressing them, including network based tools, code analysis and run-time application self-protection. Attendees will gain a deeper understanding of legacy Java security risks, the alternatives available to address them and how to choose the right approach for their particular application environment.
Jonathan Gohstand is the security strategist for Waratek. A 20-year veteran of the IT industry, he was previously with PacketMotion, driving the creation of the User Activity Management category, until the company’s acquisition by VMware. He has worked in Cisco Systems’ Security Technology Group, where he was responsible for IOS-based security. Mr. Gohstand has held international positions with Chevron Oil and FORE Systems, in addition to consulting and channel roles. He holds a Bachelor’s of Science degree in Electrical Engineering and Computer Science from the University of California, Berkeley, and an MBA from St. Mary’s College. He has given numerous talks on security, compliance and IT audit at venues such as SANS, ISACA, and VMworld.
Caspr and Friends (Content-Security-Policy Reporting and Aggregation)
Caspr, a free and open source tool for collecting, aggregating and analyzing Content-Security-Policy (CSP) violation reports, was released near the end of summer. This talk will cover the background of CSP and violation reports, give an overview of Caspr and how it can be used, and then talk about some of the other tools surrounding CSP violation reports. The tools include Enforcer, a Chrome extension for forcing CSP on websites, and csp-tools, a suite of tools for managing CSP reports from the command line.
A report-uri can be specified so that when a CSP violation occurs, a report will be sent out describing the violation. These reports can be extremely important in gauging the effectiveness and coverage of your policy.
As of the summer (2014), there weren’t any popular tools for gathering these reports, or doing analysis and policy generation. And thus Caspr was born.
Caspr handles the collection, aggregation, and analysis of these reports. It runs on Heroku, so it’s as simple as a button click to have your own instance of Caspr up and running.
A few tools have been released for dealing with CSP violation reports. This talk will also give a brief intro to those tools.
– Enforcer: Chrome Extension for forcing a policy on a website
– csp-tools: A suite of tools for testing, setting up and analyzing reports from the command line
Hai I’m c0nrad.
I started programming about 10 years ago on my TI-84 so I could cheat on exams. I’ve been cheating (and sometimes programming) ever since. I graduate this December (2014) with a degree in Electrical Engineering from Michigan Technological University.
Before then I used to work at the Solar and Heliospheric Research Group doing data and algorithmic analysis, at Air Force Research Labs doing security research on highly assured systems, at Fog Creek Software as an intern software developer, at MongoDB as a Security Intern, and as a part-time security contractor at IncludeSecurity.
When not writing software, I can be found drinking cheap and sweet wine, doing Crossfit, and pretending to be social. But I’m usually just programming.
Hackazon – Stop hacking like it’s 1999
“Applications have changed, but your test apps haven’t!
It’s about time for a test app that’s a little more current than circa 2002. Enter Hackazon.
Hackazon is a modern vulnerable web application. It looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. And it’s here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.
There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent “known vuln testing” or any other form of cheating. Finding all the vulnerabilities in Hackazon requires proper handling not only of classic web security, but also of the RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GWT, and AMF). It will also require tedious testing of the strict workflows common in today’s business applications.
Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.
Join Dan for this talk where he will demonstrate Hackazon and the techniques required to find the vulnerabilities in the different interfaces and formats.”
co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques.
Dan joined NTO from Foundstone, where he was a key developer of FoundScan’s scan management and remediation capabilities. Before Foundstone, Dan was the founder of the Information Security team in the United States branches of Fortis.
When Dan’s not working on NTO products or screen sharing with our customers to help them solve their application security challenges, you’ll find him blogging, co-hosting An Information Security Place Podcast and speaking at conferences like B-Sides, OWASP AppSecUSA, HouSecCon, ToorCon and more. He also works with industry groups and contributes to many open source development projects. Little known fact about Dan: he was a founder of the phpGroupWare project and creator of podPress.
The Savage Curtain: Mobile SSL Failures
Organizations are all so anxious to reach their “mobile moment”, but are failing miserably at securing mobile application traffic, in a variety of ways. We will review some of the common pitfalls with mobile application transport layer encryption, how to test for vulnerabilities, and a fool-proof method to prevent your organization from falling victim to these all too common errors. We will also be presenting a novel SSL/TLS attack, which could be used for a semi-permanent, nearly undetectable MitM attack.
Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he’s not hacking, he enjoys thinking about astrophysics, playing devil’s advocate and has been known to dust his skateboard off from time-to-time.
Tushar loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.
Scaling Security in Agile Scrum
Agile Scrum is here to stay, and security teams are finding themselves under-resourced and unprepared for the pace of modern software development. “Best-practices” models for Agile security make too many simplifying assumptions about how software is built. These models impose impractical requirements without providing the necessary support or expertise.
In the real world, development teams know that software development often includes multiple Scrum teams working on various components of a larger project that will eventually be integrated. They also recognize that only the most well-funded and resourced enterprises and ISVs have the bandwidth to execute on the idealized Agile SDL. Smaller organizations, or development teams without vast resources are forced to adapt and make tradeoffs that often include sacrificing security.
In this session, I’ll discuss how our company has incorporated security into our own Agile development lifecycle for a product that involves about ten Scrum teams working in concert to ship monthly releases. I’ll explain how we’ve optimized the way our security research team interacts with our engineering teams and accommodates their processes. I’ll also share some of the lessons we’ve learned along the way, including things that haven’t worked as well as we thought. I’ll also describe how we’re organically “growing” more security experts within the organization. Security practitioners will be able to leverage our experiences to work more effectively with their own Agile Scrum teams.
Chris Eng has over 15 years of application security experience. As vice president of research at Veracode, he leads the team responsible for integrating security expertise into Veracode’s technology. Throughout his career, he has led projects breaking, building and defending web applications and commercial software for some of the world’s largest companies.
Chris is a frequent speaker at premier industry conferences, such as BlackHat, RSA, OWASP, and CanSecWest, where he has presented on a diverse range of application security topics, including cryptographic attacks, agile security, mobile application security, and security metrics. Chris has been interviewed by Bloomberg, Fox Business, CBS, and other media outlets with regard to security trends and noteworthy events. Additionally, he has served on the advisory board of the SOURCE Boston conference since its inception.
Chris holds a B.S. in Electrical Engineering and Computer Science from the University of California. He is an unabashed supporter of the Oxford comma and hates it when you use the word “ask” as a noun.
How building a better hacker accidentally built a better defender
In the world of cybersecurity, there are two very important players. There are the builders. The folks who spend their time developing, writing source code for and launching products. And there are the breakers. The folks who spend their time testing for, identifying and fixing vulnerabilities in said code.
For the builder, development deadlines are constantly evolving and security measures tend to be seen as a hindrance, often slowing down the development process. And developers, by nature of their job descriptions, are responsible for contributing to products which make money. Without developers, there are no products, and thus no revenue stream.
For the breaker/fixer, the challenge lies in making the builders take their concerns seriously. From the security team’s perspective, security efforts help minimize risk. Without security measures, there are increased chances of security flaws and breaches.
Where the problem lies is in the inability for the builders to not only speak the language of the breakers, but also to accurately understand their motivations; thereby creating a chasm in the way security is managed and executed.
But the real developer problem is that builders don’t believe in “The Bogeyman”. And the real security problem is that the breakers/fixers don’t have the time or resources to spend convincing developers that “The Bogeyman” is real. The Bogeyman, in this case, represents the very real possibility that your company will be hacked. After all, the most security aware a company will ever be is immediately after a breach.
In this presentation, Bugcrowd’s co-founder and CEO, Casey Ellis, will deep-dive into the hacker mentality, and how acknowledging the existence of The Bogeyman gets developers and security folks one step closer to implementing an effective security program. He’ll also discuss several security measures, outside the traditional penetration testing model, that can aid developers and security teams in leveling the playing field against potential threats.
The Bogeyman is real. But through acknowledgement, understanding and proactivity, you can be the hero in this cybersecurity story, not the victim.
Casey Ellis is the CEO and co-founder of Bugcrowd, the innovator in crowdsourced security testing for the enterprise. He has been in the information security industry for 14 years, working with clients from the very small to the very large, and has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney, Australia to San Francisco with Bugcrowd, he founded White Label Security, a white-labelled penetration testing company, and served as the CSO of Scriptrock. A former penetration tester, he likes thinking like a bad guy without actually being one.
We All Know What You Did Last Summer: Privacy and the Internet of Things
The devices we carry and systems we interact with on a daily basis generate a lot of information about us. This data includes financial and medical information, location data, personal connections, images and other data. Although you may think this information is private and secure, the data is often accessible to advertisers, hackers and others with malicious intent. One small piece of data is all it takes to unlock a wealth of information about you. Security researcher Ken Westin will be illustrating this point showing tools and techniques he has used in actual cases to track and convict criminals and then how those same tools can be used by criminals to track you. He will also show how personal data compromised in data breaches is sold and used against us as well and the role businesses can play in mitigating these risks to their customers.
Ken is a security researcher with 14 years’ experience building and breaking things through the use and misuse of technology. His technology exploits and endeavors have been featured in Forbes, Good Morning America, Dateline, the New York Times and The Economist; he has won awards from MIT, CTIA, the Oregon Technology Awards, SXSW and Entrepreneur, and was named in the Portland Business Journal’s 2013 “40 Under 40”. He has worked with law enforcement and journalists, utilizing various technologies to unveil organized crime rings, recover stolen cars, and even solve a carjacking, among other crimes.
Medical Device Security: An Infectious Disease
Medical devices touch almost every one of us, whether through personal experience or that of a close friend or family member. They save countless lives and ensure a better quality of life for many. Although medical devices are key to quality care and undergo rigorous testing, many are not sufficiently tested for adversarial resiliency. Some question whether our dependence on these life-saving medical devices has grown more quickly than our ability to secure them. There is no question that medical devices save countless lives, but is insecure design or deployment of these devices putting patients at risk? Join us for an in-depth presentation on a three-year research project that shows numerous medical devices and healthcare organizations are vulnerable to direct attack vectors that can impact patient safety and human life.
Scott Erven is a healthcare security visionary with more than 15 years’ experience in information technology and security. He is currently an Associate Director with Protiviti, where he focuses on medical device and healthcare security. His research on medical device security has been featured in Wired and numerous media outlets worldwide. Mr. Erven has presented his research and expertise in the field internationally. He has been involved in numerous IT certification development efforts as a subject matter expert in information security. His current focus is on research that affects human life and public safety issues inside today’s healthcare landscape.
No Better ROI: HTTP Headers for Security
Eli Goldratt asks us to always keep in mind, “What’s the Goal?” If our goal is to help the business succeed, how can I make the biggest impact using web application security with the least effort? This turbo talk will reveal extra powerful, very low cost, and extremely underutilized HTTP headers to help the business win.
Caleb Queern is the Chief Scientist at Cyveillance, and the creator of securityheaders.com.
Modern Malvertising and Malware web-based exploit campaigns
The purpose of this presentation will be to introduce the audience to new techniques attackers are using to target users of web applications for exploitation.
The first part of this presentation will be an introduction to the modern Malware landscape, with a breakdown of the top 5 types of malware being actively used in campaigns to target end users of web applications. Of interest, though perhaps unsurprising – the top three are not what we traditionally think of as “malware” in the sense of exploitative code or remote backdoors – but aimed at direct monetization of the user.
The second part of this presentation will be a technical walkthrough of a real-world modern malvertising and malware campaign, breaking down each step of the attack and each distribution and obfuscation layer. This walkthrough will be the bulk of the presentation (30 minutes), leaving time for Q&A at the end.
Time permitting, we may provide more examples of modern campaigns/malware.
Arian Evans is a recognized expert in information and application security, software development, systems architecture and financial services. He previously ran operations and product strategy for WhiteHat Security and built the company’s world-renowned Threat Research Center. In addition to managing the global application security practice for consulting firm FishNet Security, Arian has worked on global security projects for the Center for Internet Security, NIST, the FBI, and the U.S. Secret Service. As VP of Product Strategy, Arian is responsible for ensuring RiskIQ technology enables enterprises to accurately visualize their enterprise beyond the firewall and actionably detect and respond to threats to their brand and customers. In this role he draws upon his previous 12 years in creating software solutions and methodologies for discovering and managing application security across the enterprise, and throughout the SDLC.
Threat Modeling for the Gaming Industry
“Modern games are complex pieces of software, running on multiple platforms across many different genres, and with a variety of player goals dependent on the game. Despite the complexity of modern games, many common security issues exist that we can identify and expand upon during the planning, development, and testing phases of the development process. Threat modeling is a security activity that maps threats and their respective attack vectors, assets, and controls to a system to help identify vulnerabilities and assist with secure system design.
If you’re working with games then this talk will help you understand how issues around client-side logic, proprietary network protocols, user account management, and playing on an untrusted platform can impact the overall security and user’s experience. By addressing security issues during the design and development stages and then reinforcing them during testing, we can move the industry towards creating a more secure gaming experience.”
Robert Wood is a Technical Manager and the Red Team Practice Director at Cigital, with over 5 years of experience in a variety of roles including application security consultant, network penetration tester, red teamer, and digital forensics analyst. Robert has worked with organizations across a variety of verticals including gaming and entertainment, financial services, healthcare, ISVs, military, and defense. Specific to the gaming industry, Robert has performed comprehensive assessments on gaming consoles, mobile games, PC-based MMORPGs, online multiplayer console games, and a variety of game development frameworks. Robert’s experience in the gaming industry focuses on security from a holistic perspective, bridging his system design, embedded systems development, reverse engineering, and network security experience together. As a Technical Manager at Cigital, Robert has led and performed assessments that span the software development lifecycle and security operations, including but not limited to: secure code reviews, architecture risk analysis, penetration tests, and red team assessments.
When Geo Goes Wrong: A Case Study
“Mobile apps are truly ubiquitous and enhance our lives in countless ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate or track users. Here, we present an intriguing case study of a widespread social dating app that was vulnerable to a surprising number of OWASP mobile risks. Weak server-side controls? Check! Insufficient Transport Layer Protection? Check! Unintended data leakage? Check! …and on and on.
Our case study will present research performed on Grindr (a common social dating app), and illustrate a myriad of geolocation bugs that placed its users in harm’s way (see: ‘Grindr vulnerability places men in harm’s way’ http://goo.gl/dg4cs6). First, due to the lack of SSL pinning, we present a MitM attack that reveals the user’s exact location. Following this, we demonstrate a far simpler and more generic attack. This attack combined several bugs, including the fact that the app reported (to anybody) the precise relative distance of all ‘near-by’ users. With these distances and the ability to spoof one’s location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately (though we responsibly reported the bugs), patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.
Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggested best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable.”
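The three server-side controls the abstract recommends (precision limiting, rate limiting, and plausibility checks on location changes) fit in a small policy object in front of a nearby-users endpoint. The block below is an added example written for this page, not code from the talk or from any app it discusses; the bucket size, speed ceiling and query quota are assumed values that a real deployment would tune, and the coordinates in the usage section are constructed.

```python
import math
from collections import defaultdict, deque

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarse_distance_m(exact_m, bucket_m=500):
    """Precision limiting: expose only a bucket ceiling, never the exact distance.
    Co-located users still get reported as 'within one bucket', not as 0 m."""
    if exact_m < 0:
        raise ValueError("distance cannot be negative")
    return bucket_m * max(1, math.ceil(exact_m / bucket_m))


class LocationPolicy:
    """Server-side checks applied to location updates and nearby queries.
    Thresholds are assumed defaults for this example."""

    def __init__(self, max_speed_mps=100.0, max_queries=60, window_s=60.0, bucket_m=500):
        self.max_speed_mps = max_speed_mps  # fastest plausible movement between fixes
        self.max_queries = max_queries      # nearby queries allowed per window
        self.window_s = window_s
        self.bucket_m = bucket_m
        self.last_fix = {}                  # user -> (lat, lon, timestamp)
        self.queries = defaultdict(deque)   # user -> timestamps of recent queries

    def update_location(self, user, lat, lon, now):
        """Accept a new fix only if the implied speed since the last fix is plausible.
        A rejected fix is not stored, so a spoofed jump cannot become the new baseline."""
        prev = self.last_fix.get(user)
        if prev is not None:
            plat, plon, ptime = prev
            elapsed = now - ptime
            if elapsed <= 0:
                return False
            if haversine_m(plat, plon, lat, lon) / elapsed > self.max_speed_mps:
                return False
        self.last_fix[user] = (lat, lon, now)
        return True

    def allow_query(self, user, now):
        """Sliding-window rate limit on the nearby-users endpoint."""
        recent = self.queries[user]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return False
        recent.append(now)
        return True

    def nearby_distances(self, user, now, others):
        """What the API may return: coarse distances only, and only within quota.
        `others` maps user id -> (lat, lon). Returns None when rate limited."""
        fix = self.last_fix.get(user)
        if fix is None:
            raise KeyError(f"no location fix recorded for {user!r}")
        if not self.allow_query(user, now):
            return None
        lat, lon, _ = fix
        return {
            other: coarse_distance_m(haversine_m(lat, lon, olat, olon), self.bucket_m)
            for other, (olat, olon) in others.items()
        }


if __name__ == "__main__":
    # Constructed usage: one legitimate user, one implausible jump, one coarse query.
    policy = LocationPolicy()
    print(policy.update_location("alice", 0.0, 0.0, now=0.0))        # True
    print(policy.update_location("alice", 0.0, 1.0, now=10.0))       # False: ~111 km in 10 s
    print(policy.nearby_distances("alice", 1.0, {"bob": (0.0, 0.01)}))  # {'bob': 1500}
```

Each control covers a different part of the harvesting technique the abstract describes: bucketing removes the precise distances, the speed check removes the ability to measure from arbitrary spoofed points, and the quota bounds how many measurements any one client can take. None of the three is sufficient alone, which is why the abstract lists all of them.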
Colby Moore is a Security Research Engineer at Synack where he works mainly on special projects. His most recent focus has been on Internet of Things security, mobile device software vulnerabilities, and automation; more specifically, research surrounding location-based privacy vulnerabilities and the reverse engineering of home automation devices.
A Mechanical Engineer by trade, he prefers to focus on the realm where physical world and software meet. He has identified countless 0-day vulnerabilities in embedded systems, major social networks, and consumer devices.
Colby’s previous work includes security research at VRL as well as mentoring students at the USNA to develop a mission specific UAS platform. In his spare time you will probably find him reverse engineering access control systems or hacking satellites.
Proactively defending your business against security protocol attacks and implementation flaws
HTTPS/SSL/TLS has been under fire for years. BEAST, CRIME, problems with the weakness of the CA system, problems with various versions of the protocol, and more, have left HTTPS less than satisfactory, at best, as a transport security protocol. Some of the most popular algorithms used to secure communications are getting close to their end of life. Proper protection of information in the upcoming years will require adoption of new technology and standards.
Recent enhancements in browsers have made encryption in transit over the web viable for the first time in history, and it’s imperative that everyone understand them. This presentation will start by reviewing some of the most recent cases related to security protocol flaws and weaknesses of cryptographic standards that should be proactively phased out. This pragmatic presentation will then discuss possible mitigations and their limitations, along with valuable implementation advice.
Cassio Goldschmidt is a globally recognized information security leader with a strong background in both product and program-level security. Outside work, Cassio is known for his contributions to the Open Web Application Security Project (OWASP), the Software Assurance Forum for Excellence in Code (SAFECode), and the Common Weakness Enumeration (CWE)/SysAdmin, Audit, Network, Security (SANS) Top 25 Most Dangerous Software Errors, along with contributing to the security education curriculum of numerous universities and industry certifications. Cassio was one of the three finalists in the first (ISC)² Americas Information Security Leadership (ISLA) Awards 2011 in the Information Security Practitioner category and was endowed with the special Community Service Star award on the same occasion. In 2012 Cassio was one of the finalists of the first OWASP Web Application Security Person of the Year (WASPY) Awards. Cassio holds a number of US patents and is an accomplished writer and presenter in the field of application security.
Cassio holds a bachelor’s degree in computer science from Pontificia Universidade Catolica do Rio Grande Do Sul, a master’s degree in software engineering from Santa Clara University, and a master of business administration from the University of Southern California.
Jim Manico authors and delivers developer security awareness training and has a 20 year history building software as a developer and architect. Jim is also a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects.
IoT: Taking PKI Where No PKI Has Gone Before
“Traditional PKI focuses on binding a public key to the keyholder’s identity, which is implicitly assumed to be a well-defined, relatively static thing (such as an individual’s full name or email address, or the hostname of a public webserver). However, in the envisioned smart grid, for example, the relevant properties of the keyholder are not just the device’s identity (i.e. this is a meter made by ACME, or this is a refrigerator made by GE) but its context: this is a refrigerator in the apartment rented by Alice, who buys power from X.
This context information will not necessarily be known until device installation and also may change dynamically. What if Alice sells her fridge on Craigslist or sublets her apartment to Bob? What if repair personnel replace Alice’s meter? This information may also not be particularly simple. What if Alice’s landlord owns many apartment buildings, and changes power vendors to get a better rate?
If our cryptographic infrastructure is going to enable relying parties to make the right judgments about IoT devices (such as the example provided using Smart Grid), this additional contextual information needs to be available. We can try to modify a traditional identity-based PKI to attest to these more dynamic kinds of identities, and we can also try to adapt the largely experimental world of attribute certificates to supplement the identity certificates in the smart-grid PKI. Either of these approaches will break new ground.
Alternatively, we can leave the identity PKI in place and use some other method of maintaining and distributing this additional data; which would require supplementing our scalable PKI with a non-scalable database.
In any of these approaches, we also need to think about who is authorized to make these dynamic updates, or who is authoritative for making these types of attestations. Who witnesses that Alice has sold her refrigerator? Thinking about this organizational structure for IoT devices also complicates the revocation problem. If we can’t quite figure out who it is that speaks for where a device currently lives, how will we figure out who is authorized to say it has been compromised?
In this presentation, all of these issues and more will be explored and actionable guidelines will be proposed to build a secure and scalable system of IDs and attributes for the complex networked world that awaits us all.”
Scott Rea is the Sr. PKI Architect at DigiCert. He and his team provide policy and technology subject matter expertise during the design and architecture of emerging PKI systems and work with DigiCert executive management in strategic planning and forecasting. Rea is an innovative thought leader and sought-after public speaker who participates in, and influences the development of, emerging PKI policies, practices, and applications. Rea previously operated the HEBCA, is founding member and current Vice Chair of TAGPMA, and is also the previous Chair of both the TAGPMA and IGTF. Rea is a Board Member and Co-Chair of the Certificate Policies and Practices Working Group within DirectTrust.org and also serves as a Board Member and director/administrator of the REBCA.
SQLViking: Pillaging your Data
On every network there is a set of highly desired assets which every pentester strives to compromise. One of those assets is the databases which house sensitive information. The default settings of most databases are to communicate over unencrypted channels. Given this, why bother attempting to compromise the database server itself when all the information you could ever want is already flying over the wire? SQLViking is a tool which takes advantage of this in two ways. The first piece, dubbed ‘scout,’ passively sits on a network segment logging any SQL queries it sees and the corresponding result sets. The active piece, called ‘pillage,’ leverages TCP injection for executing arbitrary SQL queries without credentials. SQLViking is available as a standalone Python tool and can be easily loaded onto a small device with a LAN tap, such as a Raspberry Pi, for physical pentests. The tool is still very much in the beta testing stages and only supports the MySQL and SQL Server (Tabular Data Stream) network protocols at this time. We’re also investigating ways to increase the likelihood of a successful TCP injection attack on very busy networks.
“Jonn Callahan has spent the last two years rooting out web application flaws both at the source code level and dynamically. When not actively researching whatever topic has piqued his interest, he’s losing money on the cryptocoin market and getting beat up by his two dogs.
Ken Toler is a Senior Application Security Consultant at nVisium specializing in web application penetration testing and static analysis in Ruby, Java, and .NET. He also comes with a network security background and has worked closely with growing startups in the DC area.”
Securing Software’s Future: Why API Design Matters
Writing secure software is far cheaper for society as a whole than fixing vulnerable software after it is released. Teaching developers how to write secure software can be very effective in the short term, but over time security knowledge becomes less relevant, some security-conscious developers move into management, and additional uninitiated developers join the work force each year. While secure software development training will always play a role in helping secure application development, are there ways we can prevent even the least security-savvy developers from regularly shooting themselves (and their customers) in the foot? Yes. By providing development environments and APIs that subtly guide developers down a secure implementation path, we can prevent whole classes of vulnerabilities with very little effort. This talk will discuss the properties that tend to exist in safe development environments and will propose some guiding principles that API designers should consider.
“Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied cryptanalysis, IPv6 security, and XML external entity attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.
Tim works to secure his customers’ environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon where he leads the local OWASP chapter.”
marshalling pickles: how deserializing objects will ruin your day
Object serialization technologies allow programs to easily convert in-memory objects to and from various binary and textual data formats for storage or transfer – but with great power comes great responsibility, because deserializing objects from untrusted data can ruin your day. We will look at historical and modern vulnerabilities across different languages and serialization technologies, including Python, Ruby, and Java, and show how to exploit these issues to achieve code execution. We will also cover some strategies to protect applications from these types of attacks.
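The root problem the abstract names is that deserializers reconstruct whatever types the data names, and some of those types run code when reconstructed. One of the protective strategies that applies to Python's pickle is the one the pickle module documentation describes under restricting globals: subclass `pickle.Unpickler` and make `find_class` consult an allowlist. The block below is an added example written for this page, not code from the talk; the allowlist contents and the sample payloads are constructed, and the refused payload is a harmless `datetime.date` chosen only because it references a global that is not on the list.

```python
import collections
import datetime
import importlib
import io
import pickle

# Allowlist of (module, name) globals an untrusted pickle may reference. Everything
# else is refused before it is looked up, so no callable outside this set can be
# invoked during load. The set itself is an assumption for this example.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class consults ALLOWED_GLOBALS instead of importing
    whatever module and attribute name the payload asks for."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data):
    """Drop-in replacement for pickle.loads() on data from an untrusted source."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return (True, obj) on success, or (False, reason) when the payload is refused,
    so a caller can log the rejection instead of crashing."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample payloads. Plain containers need no globals at all; OrderedDict
# is on the allowlist; datetime.date is benign but not allowlisted, so it is refused.
PAYLOAD_PLAIN = pickle.dumps({"user": "alice", "roles": ["reader"], "logins": 3})
PAYLOAD_ALLOWED = pickle.dumps(collections.OrderedDict([("a", 1), ("b", 2)]))
PAYLOAD_REFUSED = pickle.dumps(datetime.date(2014, 10, 24))


if __name__ == "__main__":
    for label, payload in (("plain", PAYLOAD_PLAIN), ("allowed", PAYLOAD_ALLOWED),
                           ("refused", PAYLOAD_REFUSED)):
        ok, result = try_load(payload)
        print(f"{label:8s} ok={ok} -> {result!r}")
```

The allowlist approach accepts that the format itself is unsafe and narrows what it may reconstruct; where the application only needs plain data, the stronger choice the abstract alludes to is to not accept a code-carrying format from untrusted input at all and use a data-only encoding such as JSON instead.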
“Chris Frohoff is a Cyber Security Engineer at Qualcomm with a focus on Application Security; he performs Application Security Assessments and Penetration Tests, and sometimes dabbles in Incident Response, Reverse Engineering, and general research mischief. In a former life, Chris developed enterprise web applications and services at Sony Network Entertainment and UC San Diego. His primary areas of geekdom include programming languages, parsers/compilers/interpreters, crypto, covert channels, HTTP/REST, and JVM stuff.
Gabriel Lawrence leads the Application Security team at Qualcomm, doing Application Security Assessments, Penetration Tests, Incident Response, Reverse Engineering, and anything else that comes his way. He’s developed enterprise applications, founded three startups, and run Information Security for UC San Diego.”
Uncovering OWASP’s Mobile Risks in iOS Apps
Mobile apps are ever more ubiquitous, but their widespread adoption comes at a cost. Seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Examples include the popular dating app Tinder (leaked the exact location of its users), the photo messaging app SnapChat (exposed connections between phone numbers and users’ accounts) and CitiMobile (stored sensitive account information without encryption). These vulnerabilities (and many more) were not found by the developers of the applications, but rather by reverse-engineers who took it upon themselves to dissect said applications.
Unfortunately, at least for iOS applications, reverse-engineering is still viewed by many as somewhat of a black art. This is due to a myriad of reasons: iOS apps are encrypted, written in a difficult-to-reverse-engineer language (Objective-C), and run on a mostly closed-source proprietary OS.
This talk will detail the process of reverse-engineering iOS apps in order to perform security audits and identify common mobile-specific vulnerabilities (e.g. OWASP Mobile Risks). Specifically, the talk will describe how to extract an application’s unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store will be presented to provide a more ‘hands-on’ feel to the reversing procedure and to show some actual security vulnerabilities.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently, his focus is on automated vulnerability discovery and the emerging threats of malware on OS X and mobile devices.
Patrick previously worked at NASA, the NSA, and Vulnerability Research Labs (VRL). While working at the NSA as a global network exploitation and vulnerability analyst, Patrick received several classified patents and helped lead a team which received NSA’s highest civilian team award.
Patrick has extensive experience analyzing malware and has authored several sophisticated malware detection tools. He also enjoys hunting for bugs, and has found exploitable 0days in major operating systems and several popular client applications.
Wi-Fi Hacking for Web Pentesters
There is an ever-increasing trend of Internet Service Providers of all sizes providing open wireless hotspots nationwide; many of these are bridged off of existing customers’ personal access points, and others are made available through restaurants, hotels, and other businesses. Many of these guest networks have recently spurred discussion within the security community over the insecurity of open access points in general and the ethics of their deployment methods. The talk will cover the many gaping insecurities of wireless hotspots and dive into how these can be leveraged to attack clients, gain free Internet access, hijack accounts, steal sensitive information, and more. This will progress into how web penetration testers can leverage their existing skill-sets to design, build, and deploy malicious targeted access points. All of the attacks that will be demonstrated live during the talk can be deployed on various platforms, making it easy for the audience to reproduce regardless of the hardware available.
Greg Foss is a Senior Security Research Engineer with the LogRhythm Labs Threat Intelligence Team, where he focuses on developing defensive strategies, tools and methodologies to counteract advanced attack scenarios. He has over 7 years of experience in the Information Security industry with an extensive background in Security Operations, focusing on Penetration Testing and Web Application Security. Greg holds multiple industry certifications including the OSCP, GPEN, GWAPT, GCIH, and C|EH, among others. He has presented at national security conferences such as DerbyCon, AppSecUSA, and BSidesLV, to name a few, and actively participates in the Denver security community.
DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development and continuous deployment, the pace of change in IT has only increased. After adding in DevOps and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely? When you are deploying multiple times a day, there is no time to fit in your traditional week-long security assessment.
A new concept of Test Driven Security, which is loosely based on the tenets of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is currently putting these practices in place at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs, and source code. Even if you are not there today, you will be soon enough. It’s time to embrace the change and say “Challenge Accepted”.
Matt has been involved in Information Technology and application development for more than 10 years. He is currently working at Pearson and previously worked at Rackspace in the Cloud product’s application security team. Prior to joining Rackspace, Matt spent time as an application security consultant and spent several years as the “appsec guy” at a government agency. Matt’s focus has been in application security, including testing, code reviews, design reviews and training. His background in web application development and system administration helped bring a holistic focus to the Secure SDLC efforts he’s driven. He has taught both graduate-level university courses and for large financial institutions. Matt has presented and provided training at various industry events including the DHS Software Assurance Workshop, Agile Austin, AppSec EU, AppSec US, AppSec Academia, and AppSec Brazil.
Matt is highly involved in many OWASP projects. Matt is the project leader of the OWASP WTE (Web Testing Environment), which is the source of the OWASP Live CD Project and Virtual Machines pre-configured with tools and documentation for testing web applications. All running on Linux (of course).
Industry designations include the RHCE, Linux+, Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Matt Tesauro has a B.S. in Economics and an M.S. in Management Information Systems from Texas A&M University.
Hacking Management: Why Stop at Domain Admin?
Why won’t your company’s management just “do the right thing” with security? How can you get necessary changes made when the answer always seems to be “no”? In this turbo talk, learn quick tips and tricks for hacking organizational decision making structures, using empathy to communicate more effectively, and improving tactical execution of your change plan.
Adam Brand is a habitual Changer of Things. As an Associate Director with Protiviti’s Information Security and Privacy practice, he helps organizations improve their information security programs, find existing attackers within their networks (“hunting”), and respond to security incidents (particularly with malware reverse-engineering). Adam has spoken at a number of information security conferences, including various BSides, Toorcon, LASCON, Shmoocon, and RSA, and is a co-organizer of OWASP Orange County. He is also a core member of the “I am the Cavalry” grassroots security organization focused on improving security in connected devices that can impact human safety.