Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, October 11
 

8:00am

Developer Summit
Join other Developers at this event for some fun-filled, interactive, hands-on, bug squashing sessions.  

All Developers are welcome to attend! Individuals may choose to participate in as many sessions as they would like.  

Bring your laptop, energy and be ready to code!!

Tuesday October 11, 2016 8:00am - 5:00pm
Meeting Room 9

8:00am

Project Summit

We are excited to announce the Project Summit USA 2016.  OWASP is providing a platform for two full days at APPSEC USA 2016. An open forum setting for ideas, innovations, gain contributors and share feedback for projects to advance to the next level.

Join our Project Leaders in a discussion on OWASP Projects!

Please feel free to add Hot Topics that you would like to see discussed.  


Contacts:

Senior  Projects Technical Coordinator Matt Tesauro

Project Coordinator Claudia Aviles-Casanova

 


Tuesday October 11, 2016 8:00am - 5:00pm
Meeting Room 8

8:00am

Registration
Tuesday October 11, 2016 8:00am - 5:30pm
Meeting Room Floor Landing

9:00am

Training Session - Assessing and Exploiting Control Systems & IoT Day 1 (2 Day)
This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to control system devices that can be tested using these techniques. The course exercises will be performed on a mixture of real world and simulated devices to give students the most realistic experience as possible in a portable classroom setting. 

Advances in modern control systems such as the energy sector’s Smart Grid has brought great benefits for asset owners/operators and customers alike, however these benefits have often come at a cost from a security perspective. With increased functionality and addition inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to minimize vulnerabilities before attackers can exploit critical infrastructures that exist in all countries around the world. Ultimately, this is the goal of this course, to help you know how, when, and where this can be done safely in your control systems.

 WHAT STUDENTS SHOULD BRING

Laptop with at least two USB ports (three ports preferred). If only
two USB ports exist on the laptop AND they are right next to each
other (such as found on a Macbook Air), a USB extension cable must be
brought as well
Latest VMware Player, VMware Workstation, VWware Fusion installed.
Other virtualization software such as Parallels or VirtualBox may work
if the attendee is familiar with its functionality, however VMware
Player should be prepared as a backup just in case
Access to an account with administrative permissions and the ability
to disable all security software on their laptop such as Antivirus
and/or firewalls if needed for the class
At least thirty (30) GB of free hard drive space
At least four (4) GB of RAM, optimally eight (8) GB or RAM
Windows 7, 8.x, or 10.x installed on your host laptop or inside a VM

________________________________

WHAT STUDENTS WILL BE PROVIDED WITH

Power for your laptop
Internet connectivity may or may not be available depending on the
facility hosting the course.
Latest version of SamuraiSTFU distribution
PDF version of the course slide deck
Student hardware kits to keep

________________________________

STUDENT PREPARATIONS

For those with little or no ICS experience, these Wikipedia articles
provide a brief introduction to the concepts and history of control
systems that will be helpful to know for class.

http://en.wikipedia.org/wiki/ICS
http://en.wikipedia.org/wiki/SCADA
http://en.wikipedia.org/wiki/Distributed_control_system
http://en.wikipedia.org/wiki/Smart_grid
http://nostarch.com/xboxfree (Note: While this has nothing to do with
control systems, it provides a great introduction to the concepts and
techniques taught in this class to pen test embedded electronic
hardware in ICS field/floor devices.)
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf
(Chapter 7 of the NIST Interagency Report 7628, titled Bottom-up
Security Analysis of the Smart Grid, provides a great overview of the
challenges faced in Smart Grid and energy sector systems, many of
which we are testing for and exploiting in this class.)

Speakers
avatar for Justin Searle

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 12

9:00am

Training Session - Creating and Automating your own AppSec Pipeline Day 1 (2 Day)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM - 4096 is even better
  • VMs will be provided on a USB drive formatted as a NTFS volume
  • VMs will be in .ova (Open Virtualization Format) which is generally 'importable' in more then just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training:  Mac's hasn't consistently supported reading from NTFS formatted disks.  There's usually one or two students who cannot read the USB drives I hand out to the class with Macs.  I usually recommend they use the 15 day trial of Tuxera to get past the problem for the training - http://www.tuxera.com/products/tuxera-ntfs-for-mac/.  Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 15

9:00am

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 1 (2 Days)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything. Rapid Code Changes, Rapid Deployments and Rapid Delivery. In addition, you have embraced Agile Development Methodologies that stress on iterative product development and flexibility to changing environments. There is one major problem in this entire chain, and that is Application Security.

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive powerful hands on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop with coverage on the following, but not limited to:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred, with atleast 50GB of free HDD space. 
Netbooks will NOT work
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
.• Windows users - Please download and install the latest version of Oracle VM Virtualbox from http://www.virtualbox.org
• We have observed that Windows laptops often come with Virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for Virtualization o You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops, some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have a password (if required) to access the BIOS menu. o Please enable Virtualization in the BIOS options. Please refer to screenshots below (please note that different laptops may have these options located in different menu screens).  HP – BIOS Virtualization Screen  Dell Laptop BIOS Virtualization Option

For Linux/Mac Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred• atleast 50GB HDD space available
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Install the latest version of Oracle VM VirtualBox


** We are using two VMs for hands-on labs for the participants. In this case both the VMs will exceed a size of 8 GB, therefore, we will be distributing this in USB drives for people to copy and use. The option of DVDs (which was an either/or for USB) from earlier will not be possible in this case.

** Also, the drives will be formatted with exFAT, so we members of the audience with Linux computers might need to download exFAT libraries to get it to work. If this is a problem, then we need to go with a different file system. 

Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of the we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail, telecom and legal. He is also the co-author of “Secure Java for Web Application Development” published by CRC Press, New York and is the author of “PCI... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 16

9:00am

Training Session - Mobile Application Exploitation iOS and Android Day 1 (2 Day)
Even wondered how different attacking a Mobile application would be, from a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infoSec job.

This will be an introductory course on exploiting iOS and Android applications. The training will be based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and other vulnerable applications that are written by the trainers in order to give an in-depth knowledge about the different kinds of vulnerabilities in an Mobile applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, the students will be able to successfully pentest and secure applications running on the various operating systems.

The training will also include a CTF challenge in the end where the attendees will use their skills learnt in the training to solve the CTF challenges.

Below is the ToDo's for the attendees:

* 20+ GB free hard disk space 
* 3+ GB RAM 
* VMware player installed on the machine
* Latest version of Android SDK. To make sure the setup is right, follow all the steps on https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac machine, also download and install the latest version of Xcode.

Speakers
avatar for Prateek Gianchandani

Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has... Read More →
avatar for Dinesh Shetty

Dinesh Shetty

Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 14

9:00am

Training Session - Practical IoT Exploitation Day 1 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course titled “Offensive IoT Exploitation” has been run in various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places. 

IoT or the Internet of Things is one of the most upcoming trends in technology as of now. A lot many new devices are coming up every single month. However, not much attention has been paid to the device's security till now. "Practical IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices - by looking deep depth into the devices, their radio communications and interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments as well as real live devices which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT Pentesting and the training does not expect the attendees to have a prior knowledge of assembly, mobile security or reversing. The attendees will be provided with VM image for IoT security testing platform called IoTa created by the trainers themselves. 

After the 2-days class, the attendees will be able to:

Extract and analyze device firmwares 
Analysing firmware and binaires using IDA pro 
Hands-on Labs with UART, SPI
JTAG interaction and debugging 
Identify attack surfaces and write fuzzers
Device Scanning and reversing communication APIs
USB Attacks
Familiarity with NFC, Bluetooth, RFID 
BLE Analysis and packet analysis 
Attacks on Zigbee - Hands-on labs 

Practical IoT Exploitation is the course for you if you want to try exploitation on new hardwares and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them, in a completely unknown device - created exclusively for the OWASP AppSec training.

Requiremnets:

 Hardware:
  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
Software:
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and AttifyOS VM which will have all the tools preconfigured for the training. 
During the Radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while they are running on one Virtualisation software, but working with the same VM on another virtualisation software. 
Though we don't often run into these issues, it's recommended to have both virtualisation tools - VirtualBox and VMWare to save time troubleshooting. In case of VMWare if you don't have the paid edition, the free VMWare Workstation Player will also work. 

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →
avatar for Norman Shamas

Norman Shamas

Attify Inc
Norman Shamas is a IoT Pentester and trainer at Attify (attify.com ) , an IoT and Mobile security firm. Attify has done a lot of in-depth research on Mobile application security and IoT device Exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform for Mobile Security Analysis. Norman has previously worked on numerous smart home pentests, ICS exploitation, Radio protocol analysis, Reversing custom protocols, and... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 13

9:00am

Training Session - Secure Coding in Java Day 1 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:

  •  Java SE Development Kit 8
  • Eclipse IDE for Java Developers or other a Java 8 compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class.  Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT.  We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.

 


Speakers
avatar for Robert Seacord

Robert Seacord

Principal Security Consultant, NCC Group
I'm work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). I'm an adjunct professor in the Information Networking Institute at Carnegie Mellon University. | I am the author of six books, including “The CERT... Read More →


Tuesday October 11, 2016 9:00am - 5:00pm
Meeting Room 11

6:00pm

OWASP Board Meeting
https://www.owasp.org/index.php/Board#tab=Agenda_for_2016_Meetings

Tuesday October 11, 2016 6:00pm - 9:00pm
Meeting Room 5
 
Wednesday, October 12
 

8:00am

Developer Summit
Join other Developers at this event for some fun-filled, interactive, hands-on, bug squashing sessions.  

All Developers are welcome to attend! Individuals may choose to participate in as many sessions as they would like.  

Bring your laptop, energy and be ready to code!!

Wednesday October 12, 2016 8:00am - 5:00pm
Meeting Room 9

8:00am

Project Summit

We are excited to announce the Project Summit USA 2016.  OWASP is providing a platform for two full days at APPSEC USA 2016. An open forum setting for ideas, innovations, gain contributors and share feedback for projects to advance to the next level.

Join our Project Leaders in a discussion on OWASP Projects!

Please feel free to add Hot Topics that you would like to see discussed.  


Contacts:

Senior  Projects Technical Coordinator Matt Tesauro

Project Coordinator Claudia Aviles-Casanova

 


Wednesday October 12, 2016 8:00am - 5:00pm
Meeting Room 8

8:00am

Registration
Wednesday October 12, 2016 8:00am - 8:00pm
Meeting Room Floor Landing

9:00am

Training Session - AppSec Safari (1 Day)
Tired of reading about vulnerabilities or seeing screen captures of other people landing the big one? Join our AppSec Safari and go toe-to-toe with an application. Track a bug through multiple fields and feel the triumph of exploiting the flaw yourself!

The Safari will take you on a guided tour of cross-site scripting, SQL injection, privilege escalation and more. We’ll present a refresher on each vulnerability type, provide example exploits and turn you loose on a real application hosted in a local test environment. We’ll give hints as needed to maximize your chances of success. If you get ahead of the group, build your skills by chasing vulnerabilities we’ve hidden in the environment.

If you’re an application developer or security practitioner who is looking to solidify your theoretical knowledge, join our safari. Bring a laptop with an Ethernet port that is capable of running a Kali live image, or have the following tools installed: ZAP, sqlmap, MySQL client, Remote Desktop client.

Speakers
avatar for Mark Hoopes

Mark Hoopes

Aspect Security
Mark Hoopes has been working in enterprise IT delivery for nearly 20 years in an assortment of roles including development, project management, and major incident management. He found his niche in application security and has been effectively on vacation ever since. Throughout his career Mark has been an instructor of numerous virtual training sessions and full-day live courses. He gets irrationally excited about demonstrating technically... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 10

9:00am

Training Session - Assessing and Exploiting Control Systems & IoT Day 2 (2 Day)
This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to control system devices that can be tested using these techniques. The course exercises will be performed on a mixture of real world and simulated devices to give students the most realistic experience as possible in a portable classroom setting. 

Advances in modern control systems such as the energy sector’s Smart Grid has brought great benefits for asset owners/operators and customers alike, however these benefits have often come at a cost from a security perspective. With increased functionality and addition inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to minimize vulnerabilities before attackers can exploit critical infrastructures that exist in all countries around the world. Ultimately, this is the goal of this course, to help you know how, when, and where this can be done safely in your control systems.

 WHAT STUDENTS SHOULD BRING

Laptop with at least two USB ports (three ports preferred). If only
two USB ports exist on the laptop AND they are right next to each
other (such as found on a Macbook Air), a USB extension cable must be
brought as well
Latest VMware Player, VMware Workstation, VWware Fusion installed.
Other virtualization software such as Parallels or VirtualBox may work
if the attendee is familiar with its functionality, however VMware
Player should be prepared as a backup just in case
Access to an account with administrative permissions and the ability
to disable all security software on their laptop such as Antivirus
and/or firewalls if needed for the class
At least thirty (30) GB of free hard drive space
At least four (4) GB of RAM, optimally eight (8) GB or RAM
Windows 7, 8.x, or 10.x installed on your host laptop or inside a VM

________________________________

WHAT STUDENTS WILL BE PROVIDED WITH

Power for your laptop
Internet connectivity may or may not be available depending on the
facility hosting the course.
Latest version of SamuraiSTFU distribution
PDF version of the course slide deck
Student hardware kits to keep

________________________________

STUDENT PREPARATIONS

For those with little or no ICS experience, these Wikipedia articles
provide a brief introduction to the concepts and history of control
systems that will be helpful to know for class.

http://en.wikipedia.org/wiki/ICS
http://en.wikipedia.org/wiki/SCADA
http://en.wikipedia.org/wiki/Distributed_control_system
http://en.wikipedia.org/wiki/Smart_grid
http://nostarch.com/xboxfree (Note: While this has nothing to do with
control systems, it provides a great introduction to the concepts and
techniques taught in this class to pen test embedded electronic
hardware in ICS field/floor devices.)
http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf
(Chapter 7 of the NIST Interagency Report 7628, titled Bottom-up
Security Analysis of the Smart Grid, provides a great overview of the
challenges faced in Smart Grid and energy sector systems, many of
which we are testing for and exploiting in this class.)

Speakers
avatar for Justin Searle

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG). He currently leads the testing group at the National Electric Sector Cybersecurity Organization Resources (NESCOR... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 12

9:00am

Training Session - Creating and Automating your own AppSec Pipeline Day 2 (2 Day)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM - 4096 is even better
  • VMs will be provided on a USB drive formatted as a NTFS volume
  • VMs will be in .ova (Open Virtualization Format) which is generally 'importable' in more then just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training:  Mac's hasn't consistently supported reading from NTFS formatted disks.  There's usually one or two students who cannot read the USB drives I hand out to the class with Macs.  I usually recommend they use the 15 day trial of Tuxera to get past the problem for the training - http://www.tuxera.com/products/tuxera-ntfs-for-mac/.  Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 15

9:00am

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 2 (2 Day)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything. Rapid Code Changes, Rapid Deployments and Rapid Delivery. In addition, you have embraced Agile Development Methodologies that stress on iterative product development and flexibility to changing environments. There is one major problem in this entire chain, and that is Application Security.

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive powerful hands on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop with coverage on the following, but not limited to:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred, with atleast 50GB of free HDD space.
Netbooks will NOT work
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
.• Windows users - Please download and install the latest version of Oracle VM Virtualbox from http://www.virtualbox.org
• We have observed that Windows laptops often come with Virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for Virtualization o You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops, some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have a password (if required) to access the BIOS menu. o Please enable Virtualization in the BIOS options. Please refer to screenshots below (please note that different laptops may have these options located in different menu screens).  HP – BIOS Virtualization Screen  Dell Laptop BIOS Virtualization Option

For Linux/Mac Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred• atleast 50GB HDD space available
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Install the latest version of Oracle VM VirtualBox

** We are using two VMs for hands-on labs for the participants. In this case both the VMs will exceed a size of 8 GB, therefore, we will be distributing this in USB drives for people to copy and use. The option of DVDs (which was an either/or for USB) from earlier will not be possible in this case. 

** Also, the drives will be formatted with exFAT, so we members of the audience with Linux computers might need to download exFAT libraries to get it to work. If this is a problem, then we need to go with a different file system. 


Speakers
avatar for Abhay Bhargav

Abhay Bhargav

Chief Technology Officer, we45
Abhay Bhargav is the founder and CTO of the we45, a focused Information Security Solutions Company. He has extensive experience with Information Security. He has performed security assessments for various enterprises in various domains like banking, software development, retail, telecom and legal. He is also the co-author of “Secure Java for Web Application Development” published by CRC Press, New York and is the author of “PCI... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 16

9:00am

Training Session - Mobile Application Exploitation iOS and Android Day 2 (2 Day)
Even wondered how different attacking a Mobile application would be, from a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infoSec job.

This will be an introductory course on exploiting iOS and Android applications. The training will be based on exploiting Damn Vulnerable iOS app, Android-InsecureBankv2 and other vulnerable applications that are written by the trainers in order to give an in-depth knowledge about the different kinds of vulnerabilities in an Mobile applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, the students will be able to successfully pentest and secure applications running on the various operating systems.

The training will also include a CTF challenge in the end where the attendees will use their skills learnt in the training to solve the CTF challenges.

 Below is the ToDo's for the attendees:

* 20+ GB free hard disk space 
* 3+ GB RAM 
* VMware player installed on the machine
* Latest version of Android SDK. To make sure the setup is right, follow all the steps on https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac machine, also download and install the latest version of Xcode.

Speakers
avatar for Prateek Gianchandani

Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core focus area is iOS application pentesting and exploitation. He is also the author of the open source vulnerable application named Damn Vulnerable iOS app. He has... Read More →
avatar for Dinesh Shetty

Dinesh Shetty

Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished author and speaker, and his research has been published in multiple security zines and sites like Packet Storm, Exploit-DB, PenTest Magazine... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 14

9:00am

Training Session - Practical IoT Exploitation Day 2 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course titled “Offensive IoT Exploitation” has been run in various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places. 

IoT or the Internet of Things is one of the most upcoming trends in technology as of now. A lot many new devices are coming up every single month. However, not much attention has been paid to the device's security till now. "Practical IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices - by looking deep depth into the devices, their radio communications and interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments as well as real live devices which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT Pentesting and the training does not expect the attendees to have a prior knowledge of assembly, mobile security or reversing. The attendees will be provided with VM image for IoT security testing platform called IoTa created by the trainers themselves. 

After the 2-days class, the attendees will be able to:

Extract and analyze device firmwares 
Analysing firmware and binaires using IDA pro 
Hands-on Labs with UART, SPI
JTAG interaction and debugging 
Identify attack surfaces and write fuzzers
Device Scanning and reversing communication APIs
USB Attacks
Familiarity with NFC, Bluetooth, RFID 
BLE Analysis and packet analysis 
Attacks on Zigbee - Hands-on labs 


Practical IoT Exploitation is the course for you if you want to try exploitation on new hardwares and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them, in a completely unknown device - created exclusively for the OWASP AppSec training.

 Requiremnets:

 Hardware:
  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
Software:
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and AttifyOS VM which will have all the tools preconfigured for the training. 
During the Radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while they are running on one Virtualisation software, but working with the same VM on another virtualisation software. 
Though we don't often run into these issues, it's recommended to have both virtualisation tools - VirtualBox and VMWare to save time troubleshooting. In case of VMWare if you don't have the paid edition, the free VMWare Workstation Player will also work. 

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →
avatar for Norman Shamas

Norman Shamas

Attify Inc
Norman Shamas is a IoT Pentester and trainer at Attify (attify.com ) , an IoT and Mobile security firm. Attify has done a lot of in-depth research on Mobile application security and IoT device Exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform for Mobile Security Analysis. Norman has previously worked on numerous smart home pentests, ICS exploitation, Radio protocol analysis, Reversing custom protocols, and... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 13

9:00am

Training Session - Secure Coding in Java Day 2 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:

  •  Java SE Development Kit 8
  • Eclipse IDE for Java Developers or other a Java 8 compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class.  Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT.  We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.


 

Speakers
avatar for Robert Seacord

Robert Seacord

Principal Security Consultant, NCC Group
I'm work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). I'm an adjunct professor in the Information Networking Institute at Carnegie Mellon University. | I am the author of six books, including “The CERT... Read More →


Wednesday October 12, 2016 9:00am - 5:00pm
Meeting Room 11

5:00pm

WIA - Networking event
  • Meet Tiffany Long, OWASP community manager and Emily Verwee, OWASP DC Chapter Co-lead
  • Network with industry professionals who are interested in supporting women in AppSec and related careers 

Wednesday October 12, 2016 5:00pm - 6:00pm
Mount Vernon Square A&B

6:00pm

Pre-Conference Reception
Wednesday October 12, 2016 6:00pm - 8:00pm
Mount Vernon Square A&B

7:00pm

OWASP Leaders Meeting
If you are a Project Leader, Chapter Leader, or interested in becoming one the Leader's workshop is for you!  You will hear about everything new that is going down at OWASP and be able to participate in a community discussion focused on your needs.  At the last Leaders Workshop we discussed OWASP communication strategist,  community concerns regarding the leader's list, and new leaders learned strategies for addressing their most pressing concerns from our more experienced leaders.  

Wednesday October 12, 2016 7:00pm - 9:00pm
Meeting Room 16
 
Thursday, October 13
 

7:00am

Registration
Thursday October 13, 2016 7:00am - 6:00pm
Grand Ball Room Foyer

8:00am

Keynote - Software Supply Chain Lifecycle Management: Reducing Attack Vectors and Enabling Rugged DevOps
As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acquisition, and DevOps.  The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices.  With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.  Application vulnerability correlation and management should leverage automated means for detecting threat indicators, weaknesses, vulnerabilities, and exploits.  Using standards-based automation also enables the exchange of information internally and externally with vendors in the global supply chain for IoT/ICT products.  Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by:  comprehensively identifying exploit targets; understanding how assets are attacked, and providing more responsive course of action mitigations.

Speakers
avatar for Joe Jarzombek

Joe Jarzombek

Joe Jarzombek is the former Director for Software Assurance in the National Cyber Security Division of the U.S. Department of Homeland Security (DHS). He led government inter-agency efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in work force education and training, more comprehensive diagnostic capabilities, and security-enhanced development... Read More →


Thursday October 13, 2016 8:00am - 9:00am
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:00am

Morning Coffee Break
Thursday October 13, 2016 9:00am - 9:30am
Grand Ball Room Foyer

9:15am

Lightning Talk - Demystifying CSP
There have been many attempts to make the Web a more secure place, or at least make it harder to attack web applications. One of them is CSP, Content Security Policy. In my talk, I will cover history of CSP, how it evolves from its original version, and what features will be available in the near future.
One of the challenges in deploying CSP is to understand what versions and directives are supported by different web browsers. In this presentation, I will share current CSP compatibility matrix for major web browsers to provide better understanding of CSP support. I will also demonstrate a framework that I developed to make it easy for anyone to run the same CSP feature set of tests to inspect the results as well as to add new feature check.
In the last part of the presentation, I will show the usage of CSP by Alexa top web sites and how good their CSP policies are. I will also explain common CSP mistakes and strategies to fix them. Last but not least, I will demonstrate various tools, frameworks and libraries which would be useful to improve CSP policies.

Speakers
avatar for Ilya Nesterov

Ilya Nesterov

Engineering manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security, where he is responsible for product quality. Prior to Shape, Ilya led QA teams at F5 and earned his master’s degree from Tomsk Polytechnic University. His area of interest is web application security, in particular identifying vulnerabilities using software testing and automation techniques. His mission is to automate things and make the Internet a safer place.


Thursday October 13, 2016 9:15am - 9:25am
Room C

9:30am

Lightning Talk - Assessing and Exploiting XML Schemas Vulnerabilities
Specifications for XML and XML schemas have been designed with multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers and a fun environment for hackers.

Even though XML schemas are used to define the security of XML documents, they are also used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, and/or brute forcing.

This talk will analyze how new attack vectors can be inferred by analyzing the current vulnerabilities and how it is possible to affect common libraries and software. Recommendations will be shared to safely deploy applications relying in XML.

Speakers
avatar for Fernando Arnaboldi

Fernando Arnaboldi

Senior Security Consultant, IOActive
Fernando Arnaboldi is a senior security consultant at IOActive specialized in code reviews and penetration tests.


Thursday October 13, 2016 9:30am - 9:40am
Room C

9:30am

The Ways Hackers Are Taking To Win The Mobile Malware Battle

In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. 


In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis & dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. 

During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.


Speakers
avatar for Yair Amit

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around the world. Prior to co-founding Skycure, Yair managed the Application Security and Research Group at IBM, joining through the acquisition of Watchfire. At IBM, Yair... Read More →


Thursday October 13, 2016 9:30am - 10:30am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...

With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.

Speakers
avatar for Eric Johnson

Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several Securing The Human Developer security awareness modules. His experience includes web and mobile application penetration testing, secure code review, risk assessment... Read More →


Thursday October 13, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software
Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated with the previous two.

Core to the DevOps movement is the idea of building empathy with people in other teams in order to align for business success. Providing the perspectives from three engineers who have each lived primarily in one of Dev, Ops, or Security, but have also worked collaboratively to try not to kill each other. They will talk about their backgrounds, provide practical examples from daily experiences, and share suggestions on building common tooling that minimizes friction and enhances collaboration.

This talk will discuss
- The misalignment of priorities that organisations often force upon these groups
- Struggles with collaboration and working cultures
- Common bottlenecks associated with release cycles and security processes
- Building empathy and optimizing for communication that doesn't involve fisticuffs (or other 19th century combat styles)

The audience will come away with:
- Ideas for handling these complicated situations
- Approaches for building workflows and possible tooling suggestions to minimize the tire fires
- A new appreciation for those on the other sides of the silo walls

Speakers
avatar for Chris Barker

Chris Barker

Puppet
Turning in his pager for an airline miles membership, Chris Barker now helps fellow system administrators refine and automate their infrastructure. In his past life as a systems administrator, he has administered Linux, Windows, and OS X systems in infrastructure ranging from small businesses to Fortune 500 companies. He was drawn to Puppet due to his automation-driven creativity. When not traveling for Puppet, he resides in Portland, OR... Read More →
avatar for Adrien Thebo

Adrien Thebo

Puppet
Adrien is a software engineer at Puppet. He started in IT Ops in 2005 and started writing code to automate everything, inadvertently becoming one of the earliest devops hipsters (he did devops before it was cool). Adrien joined Puppet in 2011, first on the Operations team where he helped cause frequent outages, and then transferred to the Engineering team in 2013 to where he helped break the build. The original author of r10k and other client... Read More →
avatar for Bill Weiss

Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial services SaaS, and finally made it to Portland in 2015 to join Puppet as the Manager of SysOps, which he thinks is a way better term than “sysadmin”.


Thursday October 13, 2016 9:30am - 10:30am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

OWASP Bug Bounty for projects
In June 2016, we started the OWASP Bug Bounty for projects initiative, where security researchers can actually submit their findings on the participant OWASP projects through the BugCrowd platform. 

Many developers and companies looking to implement security are turning towards OWASP to use Defender libraries that they can implement to secure their critical applications. Since this implies a form of trust in OWASP, many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.

Testing web applications for security can be a challenging task. But testing that security control libraries are robust in the face of attack is an even more difficult challenge for even the most sophistical assessment professionals. 

BugCrowd provides their platform and services to allow OWASP projects conduct specific Bug Bounty programs for Defender category projects but also, any other Code Project that needs to be installed and could create vulnerabilities in the installed computer.

The following projects are part of OWASP Bug Bounty:

We want to promote and spread the word regarding our Bug Bounty program. The activity we want to plan during the APPSEC US 2016, involves an OWASP Bug Bash similar to the one organised in APPSEC  2013 but only with OWASP projects part of the Bounty program, where we provide a deployed server with the applications.

Thursday October 13, 2016 9:30am - 11:30am
Meeting Room 2

9:45am

Lightning Talk - Application Security in a DevOps World: Three Methods for Shifting Left
Application Security in a DevOps World: Three Methods for Shifting Left 
Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development and operations was expected to “just make it work.” The same can be said about many other activities, including application security. This isn’t intended to be derision aimed at development—it’s just a feature of how processes have historically been demarcated. 
But with the emergence of the DevOps movement, organizations are beginning to apply the “shift-left” principle associated with early testing toward other facets of application development. Security, which has been treated as something you can test into an application, should be built into an application according to DevOps principles. 
In this presentation, we discuss how to get development and operations working together to build security into the application. We’ll outline three methods and discuss their merits and drawbacks:
• Penetration testing: This is the approach most commonly used.
• Hybrid testing: By applying flow (dynamic analysis) early in the process, you can that look for possible paths through the code that lead to security flaws.
• Preventative testing: By taking a standards-based approach and implementing a set of activities that target defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches.

Speakers
avatar for Aaron Lindsay

Aaron Lindsay

Aaron Lindsay been helping Parasoft’s clients harden code, develop functional testing solutions, and virtualize their environments for almost 4 years. He has worked on projects all across America and South America, incorporating service virtualization into verticals that range from banking and healthcare to defense organizations. | | Aaron also worked with R&D team under Dr. Ciera Jaspan to identify collaboration constrains in Java... Read More →


Thursday October 13, 2016 9:45am - 9:55am
Room C

10:00am

Lightning Talk - Automated Gadget Chain Generation for Object Injections
Object injection vulnerabilities account for the most sophisticated attacks against web applications today. They persist when an attacker is able to modify the unified string representation of an object that is passed to the application. By injecting a specifically crafted object, the attacker can trigger the execution of existing code fragments, so called gadgets. Depending on the application's source code and programming language, different gadget chains are possible that can lead to diverse security issues, such as remote code execution. Due to todays applications' code complexity and size, finding all possible gadget combinations is a difficult task. This lightning talk will present new static code analysis techniques for the automated detection of PHP object injection vulnerabilities and the automated generation of gadget chains.

Speakers
avatar for Hendrik Buchwald

Hendrik Buchwald

CSO, RIPS Technologies
Hendrik Buchwald is a computer science graduate from the Ruhr University Bochum and a professional software engineer. He is co-founder and the CSO of RIPS Technologies, a Bochum-based IT security company with focus on code analysis solutions for web applications.


Thursday October 13, 2016 10:00am - 10:10am
Room C

10:00am

Members Lounge
Need to recharge?
Feeling a bit thirsty or hungry?
Maybe you’re looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere?

NO PROBLEM!  

Head on over to the Members Lounge located in the Mount Vernon room 

Here you can grab a snack, quench your thirst, recharge those batteries, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? That’s okay, swing on over to the Lounge and you can sign up on the spot!  

Look for the signs or ask a volunteer for directions


Thursday October 13, 2016 10:00am - 5:00pm
Mount Vernon Square A

10:15am

Lightning Talk - If you can dodge a wrench!..... (or how not to security test your web app):
Have you ever initiated a test that inadvertently sent 2,000 emails to your executives? How about dumping your Production Database?

As web applications become more advanced, security teams have become increasingly reliant on using automated scanners to discover vulnerabilities within their environment. However, unlike NetSec scanners, web application scanners have the potential to break your web app, resulting in loss of data, downtime and more importantly, lost revenue.
But don't shut down your scanning program just yet! I will walk you through the common mistakes, pitfalls and pre-scanning techniques that will ensure a more harmonious relationship between your scanner and web application.

In this talk you will learn pre-scan reconnaissance techniques, what changes you should make to your application, and how to dodge common scanner configuration mistakes.

Thursday October 13, 2016 10:15am - 10:25am
Mount Vernon Square B Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:15am

Lightning Talk - WAF Evolution, or How I Stopped Worrying About Vulnerabilities
In this talk, we'll explore how application firewalls must evolve to continue to provide powerful, operationally scalable security policies. Gone are the days of "virtually" patching vulnerabilities when remediation time continues to shrink in more agile, devops-driven infrastructures. Infrastructure-based pplication security must pivot to focus on client behavior an characteristics, rather than on the web app itself. Security must also be extended to the browser, to protect even the user who will click on anything from compromise. 
Elements of this topic have been covered in my columns on Information Security Buzz: http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/http://www.informationsecuritybuzz.com/articles/is-bot-detection-the-best-value-in-infosec/

Speakers
avatar for Brian McHenry

Brian McHenry

Senor Security Solutions Architect, F5 Networks
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is also a regular contributor on InformationSecurityBuzz.com, writing articles aimed at simplifying complex IT security challenges. Prior to joining F5 in 2008, McHenry, a self-described “IT... Read More →


Thursday October 13, 2016 10:15am - 10:25am
Room C

10:30am

Lightning Talk - Taking Back Privacy to Gain Control
The word ‘privacy’ has become an increasingly prevalent and polarizing term and it is a problem. 

Asking someone to define ‘privacy’ is like asking them for their definition of God. The question is intensely personal, colored by distinct experiences and backgrounds. After talking to hundreds of people and spending a career thinking about it, it’s possible we’ve been contemplating the wrong question.

The word privacy itself has obscured the issue because the “battle over privacy” isn’t really about privacy at all — it’s about control. Thinking about it in more specific examples, when someone decides to do naked yoga with the curtains closed (or open, as it were), they’re really saying: “I choose to let you see me or not…but either way it’s my choice.” 

Privacy becomes a hot button topic when information or our actions are recorded without our consent or knowledge. We’re outraged that the NSA engaged in domestic surveillance and creeped out that companies are profiling us at such a detailed level that they can predict intimate events like pregnancy. 

However, as participating members of our modern, tech-enabled society, this is the trade-off we make. We’re not just giving up privacy for convenience; we’re surrendering control, and we do it because we don’t believe we have a viable alternative. 

This is not how the real world works.

At home, we can decide when to turn off the lights and close the blinds. We control who, how and what about ourselves is shared. This is our right — our choice — and it’s a decision that will differ from person to person because everyone has a varying degree of comfort when it comes to sharing pieces of his or her personal life. That’s the definition of control.

Which leads back to the problem: talking about privacy in the first place. Not only does it fail to address the real issue (control), it fails to include everyone in the conversation. Let’s be honest, some people simply don’t mind doing yoga naked with the curtains open. They aren’t as concerned about their privacy as others might be, but that doesn’t mean they don’t like having the freedom to choose when and how wide to open their windows. Steve Shillingford, CEO of Anonyome Labs wants to open the door to this problem and discuss. He believes individuals should be able to control their identities and personal information — plain and simple. 

Recent data from Pew (January 2016) suggests that while Americans aren’t necessarily opposed to sharing their information, they are frustrated and concerned by the lack of control they have regarding how, when and with whom that information is shared. In fact, 93% of surveyed adults said that being in control of who could access their information was important to them, and 90% said that control over what information was collected was important. So why are we talking about privacy at all?

Speakers
avatar for Steve Shillingford

Steve Shillingford

Anonyome Labs
Steve Shillingford, current Founder and CEO of Anonyome Labs, has more than 20 years of experience driving growth and revenue at industry-leading technology companies. Shillingford has served as an Advisor at Signal Peak Ventures since 2013, and also serves on the boards of E8 Security and eFilecabinet. In 2013, he was brought in as the Senior Vice President and General Manager of the Advanced Threat Protection at Blue Coat Systems in the... Read More →


Thursday October 13, 2016 10:30am - 10:40am
Room C

10:45am

Lightning Talk - Beyond The ‘Cript: Practical iOS Reverse Engineering
There is an app for everything these days. And if you are current on your Infosec news you know every new app comes with its own vulnerabilities. One class of bugs has been relatively easy to find, with frameworks becoming increasingly available to help. 

But more and more developers are hardening their apps against common issues using jailbreak detection and best practices, and some of the easy issues are starting to dry up.

Luckily for the top testers, there is another class of bug that can still (and only) be found with deeper knowledge of iOS and its underlying assembly code.

The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover. 

The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing MACH-0 binaries, and ends with some real-world examples involving jailbreak detection.

Speakers
avatar for Michael Allen

Michael Allen

Security Consultant, IOActive, Inc
Michael E. Allen is a security consultant at IOActive with more than ten years | of experience in the Information Security industry. His primary interests are in programming, exploit development, and reverse engineering. Mr. Allen has extensive skills in design, implementation, enhancement, testing, maintenance, and support of a myriad of software instances. He’s adept in both testing software, as well as assisting development teams with... Read More →


Thursday October 13, 2016 10:45am - 10:55am
Room C

10:45am

Practical Static Analysis for Continuous Application Security
Static code analysis tools that attempt determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result very few tools exist and commercial tools are very expensive - if they even support your programming language.

The good news is building targeted static analysis tools for your own environment with rules specific to your needs is much easier! Since static analysis tools can be run at any point in the software development lifecycle, even simple tools enable powerful security assurance when added to continuous integration. This talk will go through straight-forward options for static analysis, from grep to writing rules for existing tools through writing static analysis tools from scratch.

Speakers
avatar for Justin Collins

Justin Collins

CEO, Brakeman Security, Inc
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.


Thursday October 13, 2016 10:45am - 11:45am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am

SPArring with the Security of Single Page Applications
SPArring with the Security of Single Page Applications

When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, Muay Thai for the stand up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent. 

When doing battle with a SPA, a pen-tester must become an MMA hacker…A Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood. 
Backend layer: Dig into different REST API’s and learn how they are used and where to find the weaknesses.
Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
Interconnectivity layer: Get to know how SPA’s are often interconnected with 3rd party API’s or presentation elements and how this can create security issues that get inherited from trusting the 3rd party.
Tools: Understand what tools are available to help you address these challenges, and the potential gaps exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Speakers
avatar for Dan Kuykendall

Dan Kuykendall

Senior Director, Application Security Products , Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused on one of the toughest aspects of application security - the rapidly evolving web and mobile application development trends. He does this with the philosophy that... Read More →


Thursday October 13, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am

Your License for Bug Hunting Season
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.

Speakers
avatar for Jim Denaro

Jim Denaro

Partner, CipherLaw
Jim is a registered patent attorney in the Washington, D.C. area and advises clients on offensive and defensive applications of intellectual property. Jim has particular expertise in information security and cybersecurity technologies, and is a frequent speaker and writer on the subject. Jim has experience in a broad range of information security technologies including intrusion detection and prevention, botnet investigation, malware discovery... Read More →
avatar for Casey Ellis

Casey Ellis

Founder and CEO, Bugcrowd Inc
Casey Ellis, CEO and founder of Bugcrowd has spent 14 years in information security, servicing clients ranging from startups to multinational corporations as a security and risk consultant and solutions architect. He has presented at Derbycon, Converge, SOURCE Conference, and the AISA National Summit. Before relocating from Sydney Australia to San Francisco with Bugcrowd, he founded White Label Security, a white-labelled penetration testing... Read More →


Thursday October 13, 2016 10:45am - 11:45am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

11:00am

Lightning Talk - LANGSEC 101: Taking the Theory Mainstream
LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and its ready for a mainstream debut. Heard about LANGSEC but don't know what it is or whether you should use it? Programming languages are getting more powerful and capable, burdening developers and security professionals alike. LANGSEC attempts to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application. 

This session provides an easy-to follow introduction to the LANGSEC philosophy, and is geared towards those with no prior experience building parsers or understanding of formal language theory. Attacks that can be addressed with the effective implementation of LANGSEC include:

- Cross-site scripting (XSS) 
- SQL Injection 
- Command Injection 
- Format String 
- Stack Overflow 
- Heap Overflow
- File Inclusion 

Nobody wants these vulnerabilities in their code. This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained increasing momentum as a much more thorough, robust way to implement application security.

Speakers
avatar for Kunal Anand

Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been... Read More →


Thursday October 13, 2016 11:00am - 11:10am
Room C

11:15am

Lightning Talk - Building your Own Security ChatBot
ChatOps, a term widely credited to GitHub, is all about conversation-driven development and enabling teams to quickly and easily manage their development and deployment pipelines. Security for many years has been siloed and often only the security team runs these security tools. With ChatOps for security, common tools such as nmap, ZAP, Burp, and static code tools are available as a security chatbot. Need to run an nmap scan? No problem! Ask @SecurityBot to scan your server and even limit what destination IP's can be scanned. 

Often times there are many great security tools that hide behind obscure command line flags or have complex setup requirements or dependencies. Learn how to convert these tools into accessible tools that the security team and developers can take advantage so that these tools are only a conversation away. No binary tool distribution or configuration, just chat!

Speakers
avatar for Aaron Weaver

Aaron Weaver

Application Security Manager, Cengage Learning


Thursday October 13, 2016 11:15am - 11:25am
Room C

11:30am

Lightning Talk - Can IT & Engineering get along for the sake of building, deploying, and maintaining app security?
Mobile Security has become a top priority for companies as both critical customer and company data flows through these apps constantly. Whether, enterprise workforce or consumer facing apps, how can we as Engineering and IT teams work together to make app security a top priority, but also create development and deployment templates that ensure the proper protections are in place in a standardized way and the necessary components are included at the code level to enable the type of ongoing cyber threat monitoring required once apps are live

Speakers
avatar for Mark Stutzman

Mark Stutzman

Mark Stutzman, CEO of Appmobi will discuss the strategies necessary for teams to work together to ensure mobile app security and the tools they should consider that enable both secure development and deployment as well as real time monitoring and threat resolution.


Thursday October 13, 2016 11:30am - 11:45am
Room C

11:45am

Lightning Talk - The hidden bug in public bug bounties
On the surface, public bug bounty programs look like a no-brainer. You invite a number of security researchers to find security issues in your application and you only pay for valid results. Who can say no to that? However as we explore in this talk, for many organizations, launching a public bug bounty program is a buggy idea. It’s like storming the castle before gathering systematic intelligence and planning strategic attacks.

In this talk we will look at some of the challenges of public bug bounties such as:
- Low signal to noise  which drives up the cost per bug
- Significant program management needed to run the program

We will look at the return on investment between running a public bug bounty program and engaging in more focused crowdsourced pen tests.

We’ll dive deeper into experiences drawn from the crowdsourced appsec industry over the last 4 years, as well as analysis of public accessible data in connection with data gathered from 200+ organizations running security programs on the Cobalt platform.

Speakers
avatar for Jacob Hansen

Jacob Hansen

CEO, Cobalt Labs
Jacob Hansen is the CEO and Co-Founder of Cobalt Labs. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. | | Prior to founding Cobalt, Jacob was a consultant at Accenture in Copenhagen and London, where he delivered Enterprise IT Solutions for Fortune 1000 clients. As an advocate of crowdsourcing and cybersecurity, Jacob has been featured in Forbes, The Verge, and has spoken at various conferences... Read More →


Thursday October 13, 2016 11:45am - 11:55am
Room C

12:00pm

Lightning Talk - Demystifying Windows Application
The talk will cover the security architecture of windows 7 and windows 8, os features , bitlocker encryption ,sand-boxed application model ,UEFI secure boot ,and windows mobile application development life cycle . later on this will cover the testing the windows mobile application testing as per owasp mobile top 10 and lack of binary protection . Will show real world scenario of application flaws in applications like drop box , facebook , ebay , box  and the exploitation techniques .Will demonstrate the hacks and discuss about the secure coding techniques for mitigation the security flaws .

Speakers
avatar for Rupali Dash

Rupali Dash

Analyst, Goldman sachs
Rupali is working in goldman sachs as a security analyst . She is more focused into mobile application security and has been awarded for her work from big billion companies .She also works on IOT and a subject matter expert for developing secure applications in platforms like Android , IOS , windows and blackberry .She is known for her skills and learning practice on the update attack pattern and trends in the technology .She is also a member... Read More →


Thursday October 13, 2016 12:00pm - 12:10pm
Room C

12:00pm

Lunch Break
Thursday October 13, 2016 12:00pm - 1:00pm
Rooms A&B

12:00pm

WIA - Mentoring event
  • Meet industry professionals who are interested in mentoring aspiring women in the field
  • Lunch will be provided

Thursday October 13, 2016 12:00pm - 1:00pm
Lafayette

1:00pm

Barbarians at the Gate(way)
This talk will examine the tools, methods and data behind the DDoS and web attacks against cloud platforms and traditional architectures that are prevalent in the news headlines.

Using collected information, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated attacker.

We will look at their motivations and rationale and try to give you some sort of understanding of what patterns to be aware of for your own protection.

Speakers
avatar for Dave Lewis

Dave Lewis

Global Security Advocate, Akamai Technologies
Dave Lewis has almost two decades of industry experience. He has extensive experience in IT operations and management. Currently, Lewis is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and cohost of the Liquidmatrix podcast. Lewis writes a column for CSO Online and Forbes.


Thursday October 13, 2016 1:00pm - 2:00pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm

Next Gen Web Pen Testing: Handling Modern Applications in a Penetration Test
As technology advances and applications make use of newer technology, our penetration testing techniques and methods have to keep up. In this presentation, Jason Gillam and Kevin Johnson of Secure Ideas will walk attendees through new web technologies and how testing methods can change to handle the nuances. Some examples of technologies and changes that will be discussed during the talk are; HTTP/2, CSP, CORS and RESTful APIs. During the presentation, Kevin and Jason will walk through each new system or feature and methods to test it. After presenting these techniques, Jason and Kevin will walk through the new modern vulnerable application and the release of the new SamuraiWTF 4.0.

Speakers
avatar for Jason Gillam

Jason Gillam

Secure Ideas LLC
Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to fortune 100 companies and has learned the business acumen necessary to advise everyone from developers to senior executives on security and architecture. ... Read More →
avatar for Kevin Johnson

Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for... Read More →


Thursday October 13, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm

Using language-theoretics and runtime visibility to align AppSec with DevOps
Programming languages are becoming more powerful and capable, and applications more porous than ever before -- burdening developers and security professionals alike. Evolving constraints, patterns and definition lists make validating data inputs and preventing injections while maintaining application performance unwieldy and difficult. Nobody wants vulnerabilities in their code, but with the rise of Agile DevOps, security is usually playing catch-up. 

A new breed of embedded runtime security tools coined Runtime Application Self-Protection (RASP) are enabling developers and security admins to see beyond potential vulnerabilities and identify the actual attacks that are hitting their applications in production. RASP comes in several shapes and sizes, and this talk is designed to introduce the audience to the RASP implementation based on the LANGSEC methodology and its mission to align Security and DevOps – giving both teams the visibility and automation they need to work in synchrony.

LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and its ready for a mainstream debut. LANGSEC attempts to use the grammar and linguistic constructs of the programming language itself to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application (XSS, SQLi, command injection, CSRF, format string, stack / heap overflow, file inclusion). 

This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained a lot of traction as a much more robust approach to securing and releasing applications more quickly and easily.

Speakers
avatar for Kunal Anand

Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal also has several years of experience leading security, data and engineering at Gravity, MySpace and NASA’s Jet Propulsion Laboratory. His work has been... Read More →


Thursday October 13, 2016 1:00pm - 2:00pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:00pm

Career Fair
Thursday October 13, 2016 2:00pm - 5:00pm
Room C

2:15pm

Cleaning Your Applications' Dirty Laundry with Scumblr
Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed everyday, code is pushed every hour, and systems are spun-up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool call Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across a thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding for how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tools include details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, Github, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.

Speakers
avatar for Scott Behrens

Scott Behrens

Netflix
Scott Behrens is currently employed as a senior application security engineer for Netflix. Prior to Netflix Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott's expertise lies in both building and breaking for application security at scale. An avid coder and researcher, he has contributed to and released a number of open source tools for both attack and defense. Scott has presented... Read More →
avatar for Andrew Hoernecke

Andrew Hoernecke

Netflix
Andy Hoernecke is a Senior Application Security Engineer on the Product and Application Security Team at Netflix where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security tools. | | Prior to working at Netflix, Andy built and ran the Application Security program for Sears Online Business Unit. He has also held positions as an Adjunct... Read More →


Thursday October 13, 2016 2:15pm - 3:15pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm

Should there be an Underwriters Laboratories certification for software in IoT products?
The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited. 

UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.

This panel will discuss the pros and cons of the Cyber Assurance Program’s pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.

Speakers
avatar for Joshua Corman

Joshua Corman

CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing... Read More →
avatar for Anita D'Amico

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD is a survivor of one of the US government’s other programs for certifying security technology, the National Information Assurance Partnership (NIAP). She is CEO of Code Dx, Inc. which has commercialized innovative application security technology developed by Secure Decisions, an R&D organization which she also directs. She is an evangelist for making secure code development easier and more affordable. Her prior experience... Read More →
avatar for Kevin Greene

Kevin Greene

Department of Homeland Security, Science and Technology
Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed to advance secure software development best-practices within the industry. Kevin has more than 17 years of cybersecurity and information assurance experience... Read More →


Thursday October 13, 2016 2:15pm - 3:15pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm

Threat Modeling with Architectural Risk Patterns
Current approaches to Threat Modeling emphasise manual analysis typically performed by developers together with a security specialist.  This has a high initial cost, both in terms of time and the skills required to perform it.  Both of those constraints are under pressure as organisations increase the speed and volume of software development.  In enterprise environments there is the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process.  Lack of necessary security skills is also a reason that many smaller companies never attempt threat modeling in the first place.
This talk will present a software-centric method of threat modeling that uses risk patterns to increase the speed of creating a threat model and that also introduces a degree of consistency into the process.  We’ll present a series of incremental improvements to the use of risk patterns from a simple checklist based approach to the use of a flexible rules engine.

 

This method could be implemented by tooling to automatically generate a threat model based on architectural decisions.  The technique employs principals from Object Oriented software design such as inheritance and method overloading so that the contents of the patterns can be practically maintained and extended without unnecessary repetition.  Organisations can use this method to extract the expertise from their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.

Speakers
avatar for Stephen de Vries

Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. | | His background is in software development and security testing of web and mobile applications. He has worked at Corsaire, KPMG and on the ISS/IBM X-Force team and contributed to the OWASP Java project, ASVS and the testing... Read More →


Thursday October 13, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:00pm

Securing the Electronic Frontier

From light bulbs to drones, sophisticated technology is integrated into nearly every aspect of our lives. Today, nearly everyone is technologically curious if not active in a maker or hackerspace. The world is, essentially, a security researcher’s dream.  The ease with which devices can now be altered also makes some companies uncomfortable or eager to profit off of user generated content.  Mediating these competing needs is the law, written largely for generations-old technology by political bodies not conversant in the nuances of bleeding edge tech.

Enter DRM, which can be used to prevent your devices from completing legal tasks or punish researchers who seek to secure them. OWASP is proud to offer you a chance to speak with the EFF’s Cory Doctorow about their current lawsuit and the intersection of security research and DRM. The second half of the one hour session will be opened up to a Q&A by the audience.  

Speakers
avatar for Cory Doctorow

Cory Doctorow

Cory Doctorow (craphound.com) is a science fiction author, activist, | journalist and blogger — the co-editor of Boing Boing (boingboing.net) | and the author of the YA graphic novel IN REAL LIFE, the nonfiction | business book INFORMATION DOESN’T WANT TO BE FREE, and young adult | novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER and novels for | adults like RAPTURE OF THE NERDS and MAKERS. He works for the Electronic | Frontier... Read More →


Thursday October 13, 2016 3:00pm - 4:00pm
Meeting Room 2

3:30pm

How to Find the Next Great Deserialization CVE
The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE. 

The commonalities between deserialization attacks will then be discussed, laying the framework for a "how to" guide on finding and exploiting deserialization vulnerabilities.

The talk will also explain the incredible difficulty faced when using traditional appsec defenses (input validation, signaturing) to stop these vulnerabilities, and explain free and open source options for builders to protect themselves from such attacks.

Speakers
avatar for Arshan Dabirsiaghi

Arshan Dabirsiaghi

Chief Scientist, Contrast Security
Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role where he used static and dynamic technology to perform security assurance work, including code reviews, architecture reviews and penetration testing. From his experience at Aspect Security, Arshan quickly discovered that... Read More →


Thursday October 13, 2016 3:30pm - 4:30pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm

HTTPS & TLS in 2016: Security practices from the front lines
Implementing strong security for Internet‐facing services has grown more challenging and more complex over the past two years. With protocol‐level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long‐held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non‐browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?
Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie‐ Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around https including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for https and TLS.

Speakers
avatar for Eric Mill

Eric Mill

Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.
avatar for Kenneth White

Kenneth White

Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large‐scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job, White leads an applied R&D team for Dovel Labs, working with federal clients on mission system security and cloud automation. Previously, he was Principal Scientist... Read More →


Thursday October 13, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm

When encryption is not enough: Attacking Wearable - Mobile Application communication over BLE
Communication protocols have evolved from the traditional Serial and LAN ports to complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables which are low energy, low performance computing systems. The BLE standard specification provides for a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high level flows to correctly design secure communication channels between a phone application and the wearable device.

Speakers
avatar for Chandra Prakash Gopalaiah

Chandra Prakash Gopalaiah

Intel Corp
Chandra has worked in software development and security domain for about 8 years in various roles. Prior to joining Intel, he worked for Motorola Mobility Inc., in Android development. He has a Masters degree in Computer Science from San Diego State University
avatar for Sumanth Naropanth

Sumanth Naropanth

Intel Corp
Sumanth has worked in the information security industry for a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Masters in Computer Science (Security) from Columbia University.
avatar for Kavya Racharla

Kavya Racharla

Intel Corp
Kavya has a Masters in Information Security from the Johns Hopkins University and a passion for Security. She worked for Oracle and Qualcomm’s security teams before she started her current job at Intel.


Thursday October 13, 2016 3:30pm - 4:30pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

4:30pm

Afternoon Coffee Break
Thursday October 13, 2016 4:30pm - 5:00pm
Grand Ball Room Foyer

5:00pm

Keynote - The Less Hacked Path
Since the dawn of the Internet and the Web, a broad series of hacking attack vectors have descended. Malicious hackers, researchers, and governments have demonstrated and deployed these attacks onto computers, mobile devices, and nuclear power plants. While we continue to build sophisticated technology to defend against many of these attacks, a new field of exciting research is taking place that uses side channels, physics, and low cost tools to employ powerful attacks against modern technology. We'll explore some of these fascinating, and often secretive, methods and how you can use them or secure against them.

Speakers
avatar for Samy Kamkar

Samy Kamkar

Samy Kamkar is a privacy and security researcher, computer hacker, whistle blower and entrepreneur. At the age of 16, Kamkar dropped out of high school and one year later, co-founded Fonality, a unified communications company based on open source software, which raised over $46 million in private funding. He is possibly best known for creating and releasing the fastest spreading virus of all time, the MySpace worm Samy, and being subsequently... Read More →


Thursday October 13, 2016 5:00pm - 6:00pm
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

6:30pm

Conference Dinner at the SPY Museum
Thursday October 13, 2016 6:30pm - 9:30pm
SPY Museum
 
Friday, October 14
 

7:00am

Registration
Friday October 14, 2016 7:00am - 5:00pm
Grand Ball Room Foyer

8:00am

WASPY Awards
Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not. 

The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized. 

https://www.owasp.org/index.php/WASPY_Awards_2016

Speakers
avatar for Frank Catucci

Frank Catucci

About Frank: | | Frank Catucci is currently the Director of Web Application Security, Product Manager and a Subject Matter Expert for Qualys. He has over 15 years experience in the Information Technology and Security field that spans enterprise, financial services, university/higher education, government, healthcare, legal, start-up businesses, public and private industries. Aside from his daily Web Application Security duties, Frank also... Read More →
avatar for Dave Ferguson

Dave Ferguson

Dave Ferguson is a Solution Architect with Qualys and has been a specialist in Application Security since 2006. After writing tons of Java and C++ code as an application developer for over a decade, he joined FishNet Security (now Optiv) and pen tested countless applications and trained developers worldwide on secure coding techniques. Dave also led the global application security program at Sabre Corporation. He is author of the OWASP... Read More →



Friday October 14, 2016 8:00am - 8:15am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

8:00am

Keynote - Cryptography in the age of Heartbleed
The past decade has seen an unprecedented number of high-profile data breaches. To address this threat, businesses have begun to invest heavily in encryption technologies, both to protect data and to reduce liability in the event of a breach. However, the widespread deployment of encryption has placed a new burden on application developers, a burden that is made worse by the fact that many of our existing protocols and software libraries are themselves flawed. In this talk I will discuss the problems facing both cryptographers and application developers who implement cryptography. I will focus on where we stand with making cryptography easy to use; recent vulnerabilities in some of the protocols that power the secure web; and the challenging problem of securing cryptographic software against sophisticated nation-state attackers. 

Speakers
avatar for Matthew Green

Matthew Green

Dr. Matthew Green, a respected cryptographer and security technologist, has over fifteen years of industry experience in computer security. Dr. Green is an Assistant Professor of Computer Science at the Johns Hopkins Information Security Institute. He specializes in applied cryptography, privacy-enhanced storage systems, and anonymous cryptocurrencies. Dr. Green led the team that developed the first anonymous cryptocurrencies, Zerocoin and... Read More →


Friday October 14, 2016 8:00am - 9:00am
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:00am

Morning Coffee Break
Friday October 14, 2016 9:00am - 9:30am
Grand Ball Room Foyer

9:15am

Serverless Security: Doing Security in 100 milliseconds

Serverless is the awesome future of cloud computing. This session will focus on practical security approaches for serverless in four key areas: software supply chain, delivery pipeline, data flow, and attack detection.

 

Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud–from storage as a service to database as a service but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Now processes run for milliseconds before being destroyed and then get instantiated for subsequent requests.

 

Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.

 

This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics and you will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.


Speakers
avatar for James Wickett

James Wickett

James does most of his research and work is at the intersection of the DevOps and Security communities. He works as a Sr. Engineer at Signal Sciences and is a supporter of the Rugged Software and Rugged DevOps movements. Seeing the gap in software testing, James founded an open source project, Gauntlt, to serve as a Rugged Testing Framework. He is the author of the Hands-on Gauntlt book and is a Lynda.com author of the DevOps Fundamentals... Read More →


Friday October 14, 2016 9:15am - 10:00am
Room C

9:30am

Protect Containerized Applications With System Call Profiling
Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container. In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile in runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically from analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.

Speakers
avatar for Chenxi Wang

Chenxi Wang

Twistlock
Dr. Chenxi Wang is Chief Strategy Officer of Twistlock, where she is responsible for product strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security, she led the ubiquity strategy that spans both hardware and software platforms. Chenxi started her... Read More →


Friday October 14, 2016 9:30am - 10:30am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

Putting an “I” in Code Review – Turning Code Reviewing Interactive
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique. 

Speakers
avatar for Ofer Maor

Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development | | As the founder and CTO of Seeker, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the... Read More →


Friday October 14, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

Why using SMS in the authentication chain is risky and what better options are available
Passwords are horrible for security. Over the past 20 years we’ve bolstered the password with other factors, the most common being a one time password (OTP, TOTP, HOTP) that is either generated on a physical device the user holds, in a smartphone app or most commonly sent via SMS. Using SMS for authentication is not secure. We’ve known this for years, but recently we’ve been reminded of this with problems with Google and Apple SMS security. 

SMS is important to ensure we have a backup way of allowing people to login to systems, but it should always be a last resort. So what’s the first resort? Second factors to the password need a different communications channel to the one a user is authenticating to. SMS is not secure, but push notification methods are. It is possible to initiate a communication channel via Apple, Google and Microsoft mobile notification networks. At the end of these push notifications is a secured app that in turn securely communicates with the 2FA back end. Not only is this method more secure, it’s actually a far improved user experience that can be extended beyond the login to secure in application transactions.

This presentation will go over the limitations of traditional two-factor methods and introduce the improved approach using a push notification channel to achieve the same goal, i.e. authenticate a user identity by validating the initiating request comes from a person who has something in their possession which is trusted.

Speakers
avatar for Simon Thorpe

Simon Thorpe

Director of Product, Twilio - Authy
Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Twilio he owns the authentication service, Authy and works closely with the whole team to deliver a world class solution for developers to build security into their... Read More →



Friday October 14, 2016 9:30am - 10:30am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am

WIA - Planning event
  • Provide feedback on the WIA events 
  • Brainstorm ideas for next year's conference
  • Determine short and long-term goals for the WIA initiative

Friday October 14, 2016 9:30am - 11:30am
Meeting Room 2

10:00am

Members Lounge
Need to recharge?
Feeling a bit thirsty or hungry?
Maybe you’re looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere?

NO PROBLEM!  

Head on over to the Members Lounge located in the Mount Vernon Room Square A

Here you can grab a snack, quench your thirst, recharge those batteries, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? That’s okay, swing on over to the Lounge and you can sign up on the spot!  

Look for the signs or ask a volunteer for directions



Friday October 14, 2016 10:00am - 3:00pm
Mount Vernon Square A

10:05am

Continuous Security: DevOps and Ongoing Authorization

Application security has changed dramatically from even just a decade ago. Today, if you do not build in security and deliver continuously, you are at risk. This is the story of how we have updated our practices to incorporate security at every phase, through the intersection of DevOps and Cybersecurity. The session will touch on lessons learned through real world experience and things you can do to begin integrating security into your DevOps pipeline through the use of ongoing authorization.  


Speakers
avatar for Paula Thrasher

Paula Thrasher

Paula Thrasher is Director of Digital Services at CSRA. She has 20+ years experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula's first Agile project was in 2001. Since then, she has lead over 15 programs and projects as an Agile developer, technical lead, Scrum Master or Agile Coach. Her teams have helped two separate federal agencies migrate applications to Amazon AWS GovCloud, and... Read More →


Friday October 14, 2016 10:05am - 10:45am
Room C

10:45am

DevOps to DevSecOps: a 2-dimensional view of security for DevOps

When it comes to looking at Security and DevOps, one has to look at it in two dimensions: 1. Securing the Application 2. Securing the Application Delivery Pipeline. Securing the application is focused on ensuring the application being developed and delivered, and the associated data are secure. That they are being built and delivered using Secure Engineering practices that ensure its security and integrity, and that of the business, and end-users.

 

Securing the Application Delivery Pipeline, focuses on securing the Delivery Platform itself - the application development and delivery tools, the Infrastructure and environments, configurations, automation tools, repositories, and associated Services and APIs are all secure.

 

This session will look at the security consideration that need to be taken, to put the Security in DevOps.


Speakers
avatar for Sanjeev Sharma

Sanjeev Sharma

Sanjeev Sharma is an internationally known DevOps, and Cloud Transformation thought leader, technology executive, and published author. Sanjeev’s industry experience includes tenures as CTO and Worldwide Technical Sales Leader, Acquisition Integration Technical Leader, and IT Architect. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM’s exclusive core of technical leaders.   Sanjeev... Read More →


Friday October 14, 2016 10:45am - 11:20am
Room C

10:45am

Exploiting CORS Misconfigurations for Bitcoins and Bounties
Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.

Speakers
avatar for James Kettle

James Kettle

Head of Research, PortSwigger Web Security
James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and the new Burp Collaborator system for identifying and exploiting asynchronous blind code injection. | James has extensive experience cultivating novel attack techniques, including server-side RCE via... Read More →


Friday October 14, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am

Patterns of Authentication and Self-Announcement in the Internet of Things (IoT)
The need to connect ‘things’ to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT
1. Physical access and infinite time available to adversaries to take apart devices 
2. Lower computation power of standalone devices 
3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised 
4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference. 
In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs could be modelled using the above elements. For major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios: 
• Home automation as enabled by NEST devices
• Device collaboration in Zigbee-based networks
• Smart inventory management using NFC/RFID
• Remote device control based on XMPP (SASL authentication)
The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case.

Speakers
avatar for Amir Pourafshar

Amir Pourafshar

Application Security Researcher, Security Compass
Amir Pourafshar is an application security researcher at Security Compass. Amir is currently part of a research team working on an IoT project that aims to investigate and formulate the security requirements of system design/development in internet of things (IoT) ecosystem. Amir has done his masters in computer science at Information Security Centre of eXcellence (University of New Brunswick). Amir's experience includes active participation in... Read More →


Friday October 14, 2016 10:45am - 11:45am
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am

Practical tips for web application security in the age of agile and DevOps
The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfall development and its heavy weight controls often cause more problems than they solve in todays world of agile, DevOps, and CI/CD. 

This talk will share practical lessons learned on the most effective application security techniques in todays increasingly rapid world of application creation and delivery. Specifically, it will cover how to: 
1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams ability to iterate quickly 
3) Measure maturity of your organizations security efforts in a non-theoretical way

Speakers
avatar for Zane Lackey

Zane Lackey

Founder/Chief Security Officer, Signal Sciences
Zane Lackey is the Founder/Chief Security Officer at Signal Sciences and serves on the Advisory Boards of the Internet Bug Bounty Program and the US State Department-backed Open Technology Fund. Prior to Signal Sciences, Zane was the Director of Security Engineering at Etsy and a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC... Read More →


Friday October 14, 2016 10:45am - 11:45am
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

11:25am

Where bits & bytes meet flesh & blood: Devops, Cybersafety, and the Internet of Things

We've heard software is eating the world; software is infecting the world. Our dependence on connected technology is growing faster than our ability to secure it - in areas affecting public safety and human life. Adding millions of lines of code and connecting everything to everything else exposes cyber physical systems to new accidents and adversaries. This is truly where bits & bytes meet flesh & blood. While many in security fear DevOps and see it as the end of security as we know it... maybe that's a good thing. Our best is not good enough. Despite best practices, modern SW and Security have allowed 100 of the F100 to lose IP and sensitive information - even our governments routinely succumb to adversaries. These failure rates cannot stand with the consequences of failure being measured - not in record count - but in human lives and GDP. Paradoxically, it may take DevOps to rise to these challenges. Rugged DevOps is finding un-obvious common ground and break throughs like SW supply chain principles, greater visibility and response agility, immutable infrastructure, and the like. We must be better. This is what better looks like.

 


Speakers
avatar for Joshua Corman

Joshua Corman

CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing... Read More →


Friday October 14, 2016 11:25am - 12:10pm
Room C

12:00pm

Lunch Break
Friday October 14, 2016 12:00pm - 1:00pm
Rooms A&B

1:00pm

Automating API Penetration Testing using fuzzapi

Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature development teams – which include internet giants Facebook, Google and Microsoft etc.

Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to solve the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOp engineers and Penetration testers have no standard platform that provides coverage of common vulnerabilities typically found in APIs. It has been a challenge for penetration testers to practice security testing on APIs across multiple platforms in the absence of such vulnerable applications.


Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. 


As part of this presentation, our team will release an API Fuzzer as an OWASP Project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to Pen Testing. Also, Pen testers can also use this tool against various APIs during their testing which will allow them to automate few tasks.



Speakers
avatar for Abhijeth Dugginapeddi

Abhijeth Dugginapeddi

Abhijeth D(@abhijeth) is a security Consultant working for a bank in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security Enthusiast in the fields of Penetration Testing, Application/Mobile/Infrastructure Security. Believes in need for more security awareness and free responsible disclosures. Got lucky in finding few vulnerabilities with Google, Yahoo, Facebook, Microsoft, Ebay, Dropbox, etc and one among Top 5 researchers... Read More →
avatar for Lalith Rallabhandi

Lalith Rallabhandi

Lalith Rallabhandi (@lalithr95) currently works as a Developer Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. Likes to code, break stuff mostly with web applications and is a Ruby on rails Enthusiast. Found bugs with Google, Microsoft, Facebook, Badoo, Twitter etc.


Friday October 14, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm

DevOops: Redux
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:

-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)

Speakers
avatar for Chris Gates

Chris Gates

Sr. Security Engineer
Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a... Read More →
avatar for Ken Johnson

Ken Johnson

CTO, nVisium
Ken Johnson - CTO, nVisiumKen Johnson has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at AppSec DC, AppSec California, DevOpsDaysDC, LasCon, numerous Ruby and OWASP events, and AWS NYC. Ken is currently investing his time between OWASP’s Railsgoat, Elxir and Go, as well as all aspects of AWS offerings. | | Ken is also... Read More →


Friday October 14, 2016 1:00pm - 2:00pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm

Needle: Finding Issues within iOS Applications
Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS does not have an equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.​ The only requirement in order to run Needle effectively is a jailbroken device.

We will be describing the tool's architecture, capabilities and roadmap. We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided). 

Speakers
avatar for Marco Lancini

Marco Lancini

Security Consultant, MWR InfoSecurity
Marco Lancini is a Security Consultant at MWR InfoSecurity in the UK, specialising in mobile applications. He works assessing apps and device configurations for a number of large organisations including banking, financials, telco, and energy providers. He has a Master degree in Engineering of Computing Systems, and holds international certifications such as OSCP.He has previously presented at Black Hat, DeepSEC, Bsides, ACSAC, CCS, and NATO's... Read More →


Friday October 14, 2016 1:00pm - 2:00pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:05pm

DevSecOps: A Peek Inside the Pipeline

Got it, DevSecOps…  now could you stop dropping the microphone and show me how.   It’s time for DevOps and Security to come together and show how tools and processes can make it possible for software developers and security professionals to unite in a common mission.  It’s not easy to bring everything together and make it possible to build better, safer software at scale.  Using developer tools like Jira, Jenkins, and Nexus; it is not only possible to increase the efficiency of software delivery but to strengthen applications at the same time.  Digging into these tools, we’ll take a look at how security defects and feature requests are now becoming part of a developer’s backlog.  And we’ll look at unique ways to evolve both DevOps and Security to increase the speed of finding and fixing security issues while deploying software and still enjoying your job. 


Speakers
avatar for Shannon Lietz

Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. She operates a 24x7 DevSecOps team that includes Red and Blue Team... Read More →


Friday October 14, 2016 1:05pm - 1:50pm
Room C

1:55pm

Making Invisible Things Visible: Revealing Secrets from 25,000 Applications

Every software development organization on the planet relies on a software supply chain —but most can’t see it and don’t understand the volume of components flowing through it. In the 2016 State of the Software Supply Chain Report, I detailed the practices of over 35,000 software development organizations who consumed billions open source and third-party components in 2015. Across billions components downloaded, I found that 1 in 17 had a known security vulnerability.  I also found a similar ratio of components flowing through these software supply chains into finished applications.

 

Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by as much as 30%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation. Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.

 

Results from the report will be shared with attendees, including:

 

  • Using one of the latest versions of a software component can cut vulnerability ratio in half.
  • 75% of organizations lack policies that control the use of open source and third-party components
  • 97% of development organizations lack any vetting process for components being electively procured for use in applications.

 

This discussion is not intended to simply shed light on bad practices.  It is about making your software supply chain visible. Attendees will learn how those on the forefront of Development and Application Security are improving the quality and security of components used across their software supply chains.


Speakers
avatar for Derek Weeks

Derek Weeks

VP and Rugged DevOps Advocate, Sonatype
Derek is a huge advocate of applying proven supply chain management principles into development and application security practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. Over the past two years, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations. His research detailed the consumption of billions of open... Read More →


Friday October 14, 2016 1:55pm - 2:30pm
Room C

2:15pm

If You Can’t Beat ‘Em Join ‘Em: Practical Tips For Running A Successful Bug Bounty Program
Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

Speakers
avatar for Grant McCracken

Grant McCracken

Solutions Architect, Bugcrowd
Grant has been with Bugcrowd, a crowdsourced cybersecurity solution, for roughly two years - initially helping process bounty submissions as an Application Security Engineer/Analyst, and later transitioning to his current role of Solutions Architect. With a background in appsec, and an occasional bug hunter himself, he offers a unique perspective to Bugcrowd clients - helping them create, setup, and manage successful bounty programs across a... Read More →
avatar for Daniel Trauner

Daniel Trauner

Daniel Trauner is a Senior Application Security Engineer at Bugcrowd – a crowdsourced cybersecurity solution. He works with (and is sometimes a part of) the thousands of security researchers worldwide who collectively attempt to understand, break, and fix anything that companies will let them. Previously, he was the lead iOS researcher on HP's Fortify Security Research team, where he contributed to the HP Fortify Static Code Analyzer across... Read More →


Friday October 14, 2016 2:15pm - 3:15pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm

Misconfigured CORS and why web application security is not getting easier.
Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like facebook, google, and the like. These orgs are very mature and oftentimes roll out the newest, lastest, greatest security features.

Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1million sites that caused sites to basically turn off SAMEORIGIN policy. 
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficultly understanding the details of the CORS headers that caused the issue. Lots of things to understand.

I want to then talk about individual security technologies and their operational issues associated with them.
- CSP
- HPKP
- HSTS
- SRI
- CORS etc etc etc.

There's a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.

Speakers
avatar for Evan Johnson

Evan Johnson

Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On twitter he is @ejcx_


Friday October 14, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm

Scaling Security Assessment at the Speed of DevOps
Scaling Security Testing at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks have improved feature delivery and time to market, they have complicated security assessment, producing substantial gaps between the current release and the last security audited code. Consumers are now being forced to
adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the
aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirement should be capable of being
automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible
by software engineers and testers, and new security tools should be
accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK which promotes the development of community developed security test content. This talk will explain Norad's design philosophy, architecture, and demonstrate its usage.

Speakers
avatar for Blake Hitchcock

Blake Hitchcock

Software Engineer, Cisco
Blake Hitchcock has been building and breaking web applications for 6 years with Cisco. He loves writing in Ruby, and 'Burp' is not just something he does after a few too many kielbasas. When he's not doing web stuff, Blake enjoys fitness, food, sports, and cheering for his beloved Tennessee Volunteers.
avatar for Brian Manifold

Brian Manifold

Cisco
Brian Manifold has worked as a software/security engineer at Cisco for the past 4 1/2 years. His main areas of interest at work are web development and web security. Outside of work he enjoys playing music, anything CNC (milling, 3d printing, etc..) related, hardware electronics, and spending time with his family.
avatar for Roger Seagle

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG) where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly audits embedded systems and web applications, configures and monitors internal production servers, and serves as a technical advisor. Roger holds a PhD and MS... Read More →


Friday October 14, 2016 2:15pm - 3:15pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:35pm

Moving to the Left: DevOps practices and the changing role of SecOps

As shown in the 2016 State of DevOps Survey, DevOps practices are changing the role of security teams, moving them “to the left” in the SDLC as part of the design phase and no longer simply validating production as being secure. Result: 50% less time remediating security issues.

 

The State of DevOps Survey has been running for the last 5 years, and the past two in particular have shown that DevOps practices are moving beyond just “Dev” and “Ops” to involve security teams as well as other areas of the business. Various labels are being used to describe this world: SecDevOps, DevSecOps, RuggedDevOps, but the critical inflection point is that the combination of strong automation platforms, continuous delivery, infrastructure-as-code and version control are all enabling security teams to validate and secure apps and infrastructure at the design phase. This minimizes the amount of manual validation of production by security teams, enables faster remediation of security issues and ultimately results in more secure deployments, but only if security teams take this opportunity to revisit existing practices that have built up over time.

 

In this talk we’ll be covering the high level results of the 2016 State of DevOps Report, the changing role of security teams as well as some anonymized user stories illustrating both how to best take advantage of a growing DevOps practice within your organization and major missteps observed in the field.


Speakers
avatar for Bill Weiss

Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial services SaaS, and finally made it to Portland in 2015 to join Puppet as the Manager of SysOps, which he thinks is a way better term than “sysadmin”.


Friday October 14, 2016 2:35pm - 3:10pm
Room C

3:15pm

Glad You Could Join Us: Bringing Security into the DevOps Fold

We all know that “DevOps” is a pormanteau of Development and Operations, but where is the “Sec”? Security has long been the red-headed stepchild of the DevOps cultural movement. The time has come to fully integrate traditional security testing practices into a Continuous Delivery pipeline.

 

We will discuss the current state of security in DevOps, what it means to have a security pipeline, and some challenges and solutions of such a transformation.


Speakers
avatar for Bryan Batty

Bryan Batty

Having spent more than ten years building secure software applications, Bryan Batty is now a Managing Consultant for Coveros, and focuses primarily on security and DevOps transformations, especially as it relates to building security into the software development pipeline. Over the past few years, he has had the opportunity to influence security policy, coach development teams on secure coding practices, conduct security assessments of web... Read More →


Friday October 14, 2016 3:15pm - 3:50pm
Room C

3:30pm

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several business. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

Beyond providing concrete examples of how to optimize your AppSec program, the talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. It will also introduce several new OWASP projects which will help you on your journey: the OWASP AppSec Pipeline project, OWASP Defect Dojo and the AppSec Pipeline toolbox. This talk’s content plus these open source projects are more than you’ll need to get started buying down the technical security debt and unshackle you from traditional AppSec thinking.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Friday October 14, 2016 3:30pm - 4:30pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm

Breaking and Fixing your ‘Docker’ ized environments
This presentation extracts few points from CIS Docker 1.12 benchmark which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract: The concept of containerization was in Linux from ages in the form of jails, zones, LXC etc. but it is since 2 years it gained tremendous recognition. The credit goes to "Docker" which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Only Google spins up more than 2 billion containers per week, more than 3,300 containers per second. Inspired from Docker, Microsoft also started its container technology by extending its research project "Drawbridge". The effect of containers already impacted the virtual machine market and this impact is going to increase significantly in near future.

Security is always an important issue for any upcoming technology and Docker is no exception to it. This presentation starts with a brief introduction to containers vs. virtualization technology, Docker ecosystem and then goes deep into "Docker Security". It touches each and every component listed below in the Docker container pipeline and gives details about the ways on how they can be broken and then defensive measures to secure them.

Container Pipeline Components:
a) Images
b) Container Runtime
c) Host security
d) Daemon security
e) Communication security ( daemon <=> client , daemon to registry etc.) f) Registry security Below is the brief overview only on Images, containers components.

1. Images
a. Image security analysis in which I have extracted more than 50 Docker hub images (which also includes official images) and found critical vulnerabilities like Heartbleed, Shellshock, CSRF, XSS etc. in them. The presentation also provides a comprehensive security analysis on Docker hub images , how vulnerable are they and gives details about alternative options available for getting secure images
b. Protecting images
- Efficient scanning : binary level scanning, hash based comparison instead of version string matching mechanisms
- Docker Content Trust: Ensures authenticity, integrity and freshness guarantees (Is this really secure to use?)
- 20 golden rules to be followed for "writing Dockerfiles and maintaining images" securely

2. Containers
a. Detailed explanation about how containers isolation can be torn apart
b. Docker claims that their containers are "Secure by Default" and also a popular report on Linux containers released by NCC Group states that "Docker has strong defaults". In this presentation, I will be proving that Docker defaults are vulnerable to DOS, side channel, remote exploitation etc. vulnerabilities. Besides, I will also be explaining about a few other ways of exploiting Docker containers if CIS Docker bechmark rules were not adhered
c. 20 golden rules to be followed for ensuring secure container runtime

Apart from the topics mentioned above, this presentation also throws a light on the tools available in market for securing container ecosystem along with the pros and cons of each tool : Twistlock, Aquasec, Nautilus etc.

Speakers
avatar for Manideep Konakandla

Manideep Konakandla

Carnegie Mellon University
Is an Author, Security Researcher, Speaker and a J.N Tata Scholar. He is current Security Researcher + Masters student in Information Security @Carnegie Mellon University, USA and is currently researching on "Security of containers with focus on Docker". He has authored a book at an age of 21 which made him one of the youngest authors in India to write a book on Hacking. He was also featured in India's largest circulated English and Telugu... Read More →


Friday October 14, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm

Containerizing your Security Operations Center
As security professionals, we have no shortage of tools available to us in our offensive and defensive pursuits. How we choose to deploy, maintain, and share these tools across teams can prove to be burdensome and overly complex. Security teams are becoming swept up in the DevOps movement and we are being encouraged to bring visibility into our workflows and toolsets. This means moving things from our local boxes to a more available and collaborative environment. This talk will share lessons learned from building a pluggable, cloud­based "Security Operations Center" running entirely on containers to help security teams rapidly build out scanning pipelines, centralize alerts, investigate malware, and easily collaborate with teams across the organization. I’ll dive into the architecture and design of the cluster and how to quickly get a POC running in Kubernetes

Speakers
avatar for Jimmy Mesta

Jimmy Mesta

Sr. Security Engineer, Invoca
Jimmy is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side of the industry and is constantly working towards building modern, developer-friendly security solutions. His core focus has been in application and cloud security with an... Read More →


Friday October 14, 2016 3:30pm - 4:30pm
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:55pm

Mapping the Risk in Your Value Stream

Mapping can help visualize the flow between your customers and the raw materials your business uses to provide them with products or services. This session will examine how mapping risk onto your value stream can improve your chances of success and keep failures bounded to expectations.

 

Description

While enumerating system states may increase our understanding of our options it does not account for probabilities and likely outcomes. Any attempt to instantly transition a system to a desired state is usually expensive and unsuccessful.

 

By visualizing our value stream and weighing our options we’re able to trade the high risk for lower but more likely payouts. These low risk wagers provide the intermediate steps needed to reach our goals without taking some huge leap of faith.

 

By painting a more complete picture with our numbers we’re enabling our audiences to make educated decisions. We’ll look at different types of value stream mapping techniques and how to automate data collection for different types of metrics.

 

  • Basic Value Stream Mapping
  • Wardley Mapping
  • Five Required Families of Metrics
  • Enumerating Risks
  • Automating Analysis
  • Taking Action with Data
  • Evolving System Models

Speakers
avatar for Chris Corriere

Chris Corriere

Chris Corriere has been working with data, phones, networks and writing software for over fifteen years. His background in mathematics and engineering has allowed him to adapt to new and industry specific technologies and provided many unique consulting opportunities. As a devOps professional Chris is committed to culture, automation, learning, sharing, and having a good time while getting work done. Chris is currently a DevOps Engineer at... Read More →


Friday October 14, 2016 3:55pm - 4:30pm
Room C

4:30pm

5:00pm

Keynote - What does winning look like?
Speakers
avatar for Dan Geer

Dan Geer

Dan Geer is currently the CISO for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader U.S. intelligence community. Looking at just a few of his accomplishments, Geer was a key contributor to the development of the X Window System, as well as the Kerberos authentication protocol while a member of the Athena Project at MIT in the 1980s... Read More →


Friday October 14, 2016 5:00pm - 6:00pm
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001