AppSec USA 2016 has ended
Tuesday, October 11
 

8:00am EDT

Developer Summit
Join other Developers at this event for some fun-filled, interactive, hands-on, bug-squashing sessions.

All Developers are welcome to attend! Individuals may participate in as many sessions as they would like.

Bring your laptop and your energy, and be ready to code!!

Tuesday October 11, 2016 8:00am - 5:00pm EDT
Meeting Room 9

8:00am EDT

Project Summit

We are excited to announce the Project Summit USA 2016. OWASP is providing a platform for two full days at AppSec USA 2016: an open forum for sharing ideas and innovations, gaining contributors, and exchanging feedback so that projects can advance to the next level.

Join our Project Leaders in a discussion on OWASP Projects!

Please feel free to add Hot Topics that you would like to see discussed.  


Contacts:

Senior Projects Technical Coordinator: Matt Tesauro

Project Coordinator: Claudia Aviles-Casanova

 


Tuesday October 11, 2016 8:00am - 5:00pm EDT
Meeting Room 8

8:00am EDT

Registration
Tuesday October 11, 2016 8:00am - 5:30pm EDT
Meeting Room Floor Landing

9:00am EDT

Training Session - Assessing and Exploiting Control Systems & IoT Day 1 (2 Day)
This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and the Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (Modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to the control system devices that can be tested with them. The course exercises will be performed on a mixture of real-world and simulated devices to give students as realistic an experience as possible in a portable classroom setting.

Advances in modern control systems such as the energy sector’s Smart Grid have brought great benefits for asset owners/operators and customers alike; however, these benefits have often come at a cost from a security perspective. With increased functionality and additional inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing, in conjunction with other types of security assessment, must be performed to reduce vulnerabilities before attackers can exploit the critical infrastructures that exist in every country around the world. Ultimately, that is the goal of this course: to help you know how, when, and where this can be done safely in your control systems.

WHAT STUDENTS SHOULD BRING

• Laptop with at least two USB ports (three ports preferred). If only two USB ports exist on the laptop AND they are right next to each other (such as on a MacBook Air), a USB extension cable must be brought as well
• Latest VMware Player, VMware Workstation, or VMware Fusion installed. Other virtualization software such as Parallels or VirtualBox may work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case
• Access to an account with administrative permissions and the ability to disable all security software on the laptop, such as antivirus and/or firewalls, if needed for the class
• At least thirty (30) GB of free hard drive space
• At least four (4) GB of RAM, optimally eight (8) GB of RAM
• Windows 7, 8.x, or 10.x installed on your host laptop or inside a VM

________________________________

WHAT STUDENTS WILL BE PROVIDED WITH

• Power for your laptop
• Internet connectivity may or may not be available depending on the facility hosting the course
• Latest version of the SamuraiSTFU distribution
• PDF version of the course slide deck
• Student hardware kits to keep

________________________________

STUDENT PREPARATIONS

For those with little or no ICS experience, these Wikipedia articles and other resources provide a brief introduction to the concepts and history of control systems that will be helpful to know for class.

• http://en.wikipedia.org/wiki/ICS
• http://en.wikipedia.org/wiki/SCADA
• http://en.wikipedia.org/wiki/Distributed_control_system
• http://en.wikipedia.org/wiki/Smart_grid
• http://nostarch.com/xboxfree (Note: While this has nothing to do with control systems, it provides a great introduction to the concepts and techniques taught in this class for pen testing embedded electronic hardware in ICS field/floor devices.)
• http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf (Chapter 7 of NIST Interagency Report 7628, titled Bottom-up Security Analysis of the Smart Grid, provides a great overview of the challenges faced in Smart Grid and energy sector systems, many of which we are testing for and exploiting in this class.)

Speakers
Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 12

9:00am EDT

Training Session - Creating and Automating your own AppSec Pipeline Day 1 (2 Day)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating the submission of issues to defect trackers, and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be given a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed to add automation to an AppSec program, so that students have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM; 4096 MB is even better
  • VMs will be provided on a USB drive formatted as an NTFS volume
  • VMs will be in .ova (Open Virtualization Format), which is generally importable in more than just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training: Macs haven't consistently supported reading from NTFS-formatted disks. There are usually one or two students with Macs who cannot read the USB drives I hand out to the class. I usually recommend they use the 15-day trial of Tuxera to get past the problem for the training: http://www.tuxera.com/products/tuxera-ntfs-for-mac/. Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 15

9:00am EDT

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 1 (2 Days)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: Rapid Code Changes, Rapid Deployments and Rapid Delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility in changing environments. There is one major problem in this entire chain, and that is application security.

While your product may be rapidly delivered to customers, application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL injection and cross-site scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver application security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive powerful hands-on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop covering the following topics, among others:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 and above preferred, 64-bit operating system (32-bit will NOT work), 8GB+ RAM preferred, with at least 50GB of free HDD space. Netbooks will NOT work
• Working WiFi adapter with the ability to connect to third-party wireless networks
• User must be able to use the DVD drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered on a DVD/USB mass storage device (flash drive)
• Windows users - Please download and install the latest version of Oracle VM VirtualBox from http://www.virtualbox.org
• We have observed that Windows laptops often come with virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for virtualization:
  o You must have access to your BIOS menu. This can be accessed by pressing F12 (not on all laptops; some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have the password (if required) to access the BIOS menu.
  o Please enable Virtualization in the BIOS options. Please refer to the screenshots below (please note that different laptops may have these options located in different menu screens).
  [Screenshots referenced in the original: HP BIOS Virtualization Screen; Dell Laptop BIOS Virtualization Option]

For Linux/Mac Users
• Intel i3 and above preferred, 64-bit operating system (32-bit will NOT work), 8GB+ RAM preferred
• At least 50GB HDD space available
• Working WiFi adapter with the ability to connect to third-party wireless networks
• User must be able to use the DVD drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered on a DVD/USB mass storage device (flash drive)
• Install the latest version of Oracle VM VirtualBox


** We are using two VMs for the hands-on labs. In this case both VMs will exceed a size of 8 GB; therefore, we will be distributing them on USB drives for people to copy and use. The option of DVDs (which was an either/or with USB) from earlier will not be possible in this case.

** Also, the drives will be formatted with exFAT, so members of the audience with Linux computers might need to download exFAT libraries to get them to work. If this is a problem, then we need to go with a different file system.

Speakers
Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 16

9:00am EDT

Training Session - Mobile Application Exploitation iOS and Android Day 1 (2 Day)
Ever wondered how different attacking a mobile application would be from a traditional web application? Gone are the days when knowledge of just SQL injection or XSS could help you land a lucrative, high-paying infosec job.

This will be an introductory course on exploiting iOS and Android applications. The training will be based on exploiting Damn Vulnerable iOS App, Android-InsecureBankv2 and other vulnerable applications written by the trainers, in order to give in-depth knowledge of the different kinds of vulnerabilities in mobile applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, students will be able to successfully pentest and secure applications running on the various operating systems.

The training will also include a CTF challenge at the end, where attendees will use the skills learnt in the training to solve the CTF challenges.

Below are the to-dos for attendees:

* 20+ GB free hard disk space
* 3+ GB RAM
* VMware Player installed on the machine
* Latest version of the Android SDK. To make sure the setup is right, follow all the steps in https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac, also download and install the latest version of Xcode.

Speakers
Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core...

Dinesh Shetty

Sr Security Manager, Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies; however, his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 14

9:00am EDT

Training Session - Practical IoT Exploitation Day 1 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course, titled “Offensive IoT Exploitation”, has been run at various conferences such as Black Hat (US, EU, Asia), BruCON, HIP and many other places.

IoT, or the Internet of Things, is one of the biggest upcoming trends in technology right now. Many new devices are coming out every single month. However, not much attention has been paid to these devices' security so far. "Practical IoT Exploitation" is a brand new and unique course which gives pentesters the ability to assess and exploit the security of these smart devices, by looking in depth at the devices, their radio communications and their interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action-packed class covering topics like firmware analysis, identifying the attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments and real live devices, which will be provided to attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT pentesting, and the training does not expect attendees to have prior knowledge of assembly, mobile security or reversing. Attendees will be provided with a VM image of an IoT security testing platform called IoTa, created by the trainers themselves.

After the 2-day class, attendees will be able to:

• Extract and analyze device firmware
• Analyze firmware and binaries using IDA Pro
• Work hands-on with UART and SPI
• Interact with and debug over JTAG
• Identify attack surfaces and write fuzzers
• Scan devices and reverse communication APIs
• Perform USB attacks
• Work with NFC, Bluetooth and RFID
• Analyze BLE and its packets
• Attack Zigbee (hands-on labs)

Practical IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where attendees will have to identify security vulnerabilities and exploit them in a completely unknown device, created exclusively for the OWASP AppSec training.

Requirements:

Hardware:
  • At least 25 GB of free space
  • Laptop having a minimum of 4 GB RAM
  • USB access allowed
Software:
  • Virtualization software installed
  • Administrative privileges on the system
At the start of the class, we will share the devices and the AttifyOS VM, which will have all the tools preconfigured for the training.
During the radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while running on one virtualization software, but working with the same VM on another virtualization software.
Though we don't often run into these issues, it's recommended to have both virtualization tools, VirtualBox and VMware, to save time troubleshooting. If you don't have a paid edition of VMware, the free VMware Workstation Player will also work.

Speakers
Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...

Norman Shamas

Attify Inc
Norman Shamas is an IoT pentester and trainer at Attify (attify.com), an IoT and mobile security firm. Attify has done a lot of in-depth research on mobile application security and IoT device exploitation and is the creator of AppWatch (https://appwatch.io), an automated platform...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 13

9:00am EDT

Training Session - Secure Coding in Java Day 1 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.

In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output

Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or more of free hard disk space and the following software installed:

  • Java SE Development Kit 8
  • Eclipse IDE for Java Developers or another Java 8-compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class. Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs”, authored by Robert C. Seacord and published by Addison-Wesley, can be purchased in advance at InformIT. We will cover chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class; you may wish to prepare by reviewing these chapters.

 


Speakers
Robert Seacord

Principal Security Consultant, NCC Group
I work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute...


Tuesday October 11, 2016 9:00am - 5:00pm EDT
Meeting Room 11

6:00pm EDT

OWASP Board Meeting
https://www.owasp.org/index.php/Board#tab=Agenda_for_2016_Meetings

Tuesday October 11, 2016 6:00pm - 9:00pm EDT
Meeting Room 5
 
Wednesday, October 12
 

8:00am EDT

Developer Summit
Join other Developers at this event for some fun-filled, interactive, hands-on, bug-squashing sessions.

All Developers are welcome to attend! Individuals may participate in as many sessions as they would like.

Bring your laptop and your energy, and be ready to code!!

Wednesday October 12, 2016 8:00am - 5:00pm EDT
Meeting Room 9

8:00am EDT

Project Summit

We are excited to announce the Project Summit USA 2016. OWASP is providing a platform for two full days at AppSec USA 2016: an open forum for sharing ideas and innovations, gaining contributors, and exchanging feedback so that projects can advance to the next level.

Join our Project Leaders in a discussion on OWASP Projects!

Please feel free to add Hot Topics that you would like to see discussed.  


Contacts:

Senior Projects Technical Coordinator: Matt Tesauro

Project Coordinator: Claudia Aviles-Casanova

 


Wednesday October 12, 2016 8:00am - 5:00pm EDT
Meeting Room 8

8:00am EDT

Registration
Wednesday October 12, 2016 8:00am - 8:00pm EDT
Meeting Room Floor Landing

9:00am EDT

Training Session - AppSec Safari (1 Day)
Tired of reading about vulnerabilities or seeing screen captures of other people landing the big one? Join our AppSec Safari and go toe-to-toe with an application. Track a bug through multiple fields and feel the triumph of exploiting the flaw yourself!

The Safari will take you on a guided tour of cross-site scripting, SQL injection, privilege escalation and more. We’ll present a refresher on each vulnerability type, provide example exploits and turn you loose on a real application hosted in a local test environment. We’ll give hints as needed to maximize your chances of success. If you get ahead of the group, build your skills by chasing vulnerabilities we’ve hidden in the environment.

If you’re an application developer or security practitioner who is looking to solidify your theoretical knowledge, join our safari. Bring a laptop with an Ethernet port that is capable of running a Kali live image, or have the following tools installed: ZAP, sqlmap, MySQL client, Remote Desktop client.

Speakers
Mark Hoopes

Senior Application Security Engineer, Aspect Security
Mark Hoopes has been working in enterprise IT delivery for nearly 20 years in an assortment of roles including development, project management, and major incident management. He found his niche in application security and has been effectively on vacation ever since. Throughout his...

Jason Li

Director, Aspect Security
Jason Li is a Director at Aspect Security where he provides application security consulting services including penetration testing, code review, security control analysis, and threat modeling. He is heavily involved in OWASP having previously chaired the OWASP Global Projects Committee...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 10

9:00am EDT

Training Session - Assessing and Exploiting Control Systems & IoT Day 2 (2 Day)
This is not your traditional SCADA/ICS/IoT security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, and synchrophasors. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and the Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (Modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to the control system devices that can be tested with them. The course exercises will be performed on a mixture of real-world and simulated devices to give students as realistic an experience as possible in a portable classroom setting.

Advances in modern control systems such as the energy sector’s Smart Grid have brought great benefits for asset owners/operators and customers alike; however, these benefits have often come at a cost from a security perspective. With increased functionality and additional inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing, in conjunction with other types of security assessment, must be performed to reduce vulnerabilities before attackers can exploit the critical infrastructures that exist in every country around the world. Ultimately, that is the goal of this course: to help you know how, when, and where this can be done safely in your control systems.

WHAT STUDENTS SHOULD BRING

• Laptop with at least two USB ports (three ports preferred). If only two USB ports exist on the laptop AND they are right next to each other (such as on a MacBook Air), a USB extension cable must be brought as well
• Latest VMware Player, VMware Workstation, or VMware Fusion installed. Other virtualization software such as Parallels or VirtualBox may work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case
• Access to an account with administrative permissions and the ability to disable all security software on the laptop, such as antivirus and/or firewalls, if needed for the class
• At least thirty (30) GB of free hard drive space
• At least four (4) GB of RAM, optimally eight (8) GB of RAM
• Windows 7, 8.x, or 10.x installed on your host laptop or inside a VM

________________________________

WHAT STUDENTS WILL BE PROVIDED WITH

• Power for your laptop
• Internet connectivity may or may not be available depending on the facility hosting the course
• Latest version of the SamuraiSTFU distribution
• PDF version of the course slide deck
• Student hardware kits to keep

________________________________

STUDENT PREPARATIONS

For those with little or no ICS experience, these Wikipedia articles and other resources provide a brief introduction to the concepts and history of control systems that will be helpful to know for class.

• http://en.wikipedia.org/wiki/ICS
• http://en.wikipedia.org/wiki/SCADA
• http://en.wikipedia.org/wiki/Distributed_control_system
• http://en.wikipedia.org/wiki/Smart_grid
• http://nostarch.com/xboxfree (Note: While this has nothing to do with control systems, it provides a great introduction to the concepts and techniques taught in this class for pen testing embedded electronic hardware in ICS field/floor devices.)
• http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf (Chapter 7 of NIST Interagency Report 7628, titled Bottom-up Security Analysis of the Smart Grid, provides a great overview of the challenges faced in Smart Grid and energy sector systems, many of which we are testing for and exploiting in this class.)

Speakers
Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and played key roles in the Advanced Security Acceleration...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 12

9:00am EDT

Training Session - Creating and Automating your own AppSec Pipeline Day 2 (2 Day)
Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the scarcest resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidating and de-duplicating security issues, automating the submission of issues to defect trackers, and generating reports/metrics in an automated fashion. Students should leave with a firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be given a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed to add automation to an AppSec program, so that students have seen the concepts in action before returning to work and applying them to their particular situation.

This will be a hands-on class and attendees are expected to have:
  • A laptop capable of running VirtualBox and a VM with at least 2048 MB RAM for the VM - 4096 is even better
  • VMs will be provided on a USB drive formatted as an NTFS volume
  • VMs will be in .ova (Open Virtualization Format), which is generally 'importable' in more than just VirtualBox if you happen to already have virtualization software installed
I'll have printed handouts and digital versions on the USB drive as well.
Note for those bringing a Mac laptop to the training:  Macs haven't consistently supported reading from NTFS formatted disks.  There's usually one or two students with Macs who cannot read the USB drives I hand out to the class.  I usually recommend they use the 15 day trial of Tuxera to get past the problem for the training - http://www.tuxera.com/products/tuxera-ntfs-for-mac/.  Other alternatives are outlined in this article: http://www.howtogeek.com/236055/how-to-write-to-ntfs-drives-on-a-mac/

Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 15

9:00am EDT

Training Session - Hands-On Security in DevOps (SecDevOps) Workshop Day 2 (2 Day)
Agile and DevOps have revolutionized the way we deliver apps to customers. Software products today demand rapid everything: rapid code changes, rapid deployments and rapid delivery. In addition, you have embraced Agile development methodologies that stress iterative product development and flexibility to changing environments. There is one major problem in this entire chain, and that is application security.

While your product may be rapidly delivered to customers, Application security still remains a massive bottleneck in your continuous delivery pipeline. Application security is critical because companies lose billions of dollars due to vulnerabilities in their applications. Apart from typical vulnerabilities like SQL Injection and Cross Site Scripting, vulnerabilities in authentication, authorization, business logic and cryptographic implementations are more prevalent and can cause massive damage to a software product company.

This is why you need SecDevOps. You need a practical, repeatable and scalable way to deliver Application Security to your product across the Agile and DevOps lifecycle. In the we45 Certified SecDevOps Professional program you will receive powerful hands-on training on how you can implement scalable and effective security for rapid-release applications. The workshop will be a hardcore hands-on workshop covering the following, but not limited to:

  • Security Threat Modeling - Agile Methodology
  • Static Application Security Testing - Integrated with Continuous Integration Services
  • Customized Security Automation Scripting Framework with Continuous Integration
  • Creating specialized Application Security Testing Scripts to be integrated with existing Test Suites
  • Security in Configuration management and Continuous Deployment
  • Creating Security Configuration Management “Infrastructure as Code” and Validation Scripts
  • Application Security Monitoring in a DevOps World
Laptop Requirements for SecDevOps Workshop:

For Windows Laptop Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred, with at least 50GB of free HDD space.
Netbooks will NOT work
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Windows users - Please download and install the latest version of Oracle VM VirtualBox from http://www.virtualbox.org
• We have observed that Windows laptops often come with Virtualization options disabled in the BIOS. In such cases, the Virtual Machine and the workshop exercises won’t work. Please ensure that the following measures are taken to make your laptop available for Virtualization:
  o You must have access to your BIOS menu. This can be accessed by pressing F12 (not all laptops, some may have a different key to access the BIOS menu). In some cases, there may be a password to access the BIOS menu. Please ensure that you have a password (if required) to access the BIOS menu.
  o Please enable Virtualization in the BIOS options. Please refer to the screenshots below (please note that different laptops may have these options located in different menu screens).
[Screenshots: HP – BIOS Virtualization Screen; Dell Laptop BIOS Virtualization Option]

For Linux/Mac Users
• Intel i3 and above preferred, 64bit Operating System (32 bit will NOT work), 8GB+ RAM preferred
• At least 50GB HDD space available
• Working WiFi adapter with ability to connect to third party wireless networks
• User must be able to use the DVD Drive/USB port of the laptop to copy and install the Virtual Machine, which will be delivered in a DVD/USB Mass Storage Device (Flash Drive)
• Install the latest version of Oracle VM VirtualBox

** We are using two VMs for hands-on labs for the participants. In this case both the VMs will exceed a size of 8 GB, therefore, we will be distributing this in USB drives for people to copy and use. The option of DVDs (which was an either/or for USB) from earlier will not be possible in this case. 

** Also, the drives will be formatted with exFAT, so members of the audience with Linux computers might need to download exFAT libraries to get it to work. If this is a problem, then we need to go with a different file system. 


Speakers
Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework.  He has created some pioneering...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 16

9:00am EDT

Training Session - Mobile Application Exploitation iOS and Android Day 2 (2 Day)
Ever wondered how different attacking a mobile application would be from attacking a traditional web application? Gone are the days when knowledge of just SQL Injection or XSS could help you land a lucrative high-paying infosec job.

This will be an introductory course on exploiting iOS and Android applications. The training will be based on exploiting Damn Vulnerable iOS App, Android-InsecureBankv2 and other vulnerable applications written by the trainers in order to give in-depth knowledge about the different kinds of vulnerabilities in mobile applications. This course will also discuss how an attacker can compromise a mobile application. After the workshop, the students will be able to successfully pentest and secure applications running on the various operating systems.

The training will also include a CTF challenge in the end where the attendees will use their skills learnt in the training to solve the CTF challenges.

Below are the to-dos for the attendees:

* 20+ GB free hard disk space 
* 3+ GB RAM 
* VMware player installed on the machine
* Latest version of Android SDK. To make sure the setup is right, follow all the steps on https://github.com/dineshshetty/Android-InsecureBankv2/blob/master/Usage%20Guide.pdf
* A jailbroken iPhone/iPad/iPod for iOS testing.
* If you are using a Mac machine, also download and install the latest version of Xcode.

Speakers
Prateek Gianchandani

Cognosec
Prateek Gianchandani, an OWASP member and contributor, has been working in the infosec industry for about 5 years. During his five years, he has performed a number of penetration tests on mobile and web applications and even developed a lot of applications for the App Store. His core...

Dinesh Shetty

Sr Security Manager, Security Innovation
Dinesh leads the Mobile Security Testing Center of Excellence at Security Innovation. He has performed innumerable penetration tests on Web, Mobile and VoIP technologies - however his core area of expertise is Mobile and Embedded application pentesting and exploitation. He is an accomplished...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 14

9:00am EDT

Training Session - Practical IoT Exploitation Day 2 (2 Day)
Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course titled “Offensive IoT Exploitation” has been run in various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places. 

IoT, or the Internet of Things, is one of the most upcoming trends in technology as of now. Many new devices are coming up every single month. However, not much attention has been paid to the devices' security till now. "Practical IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices - by looking in depth at the devices, their radio communications and interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments as well as real live devices which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT pentesting, and the training does not expect the attendees to have prior knowledge of assembly, mobile security or reversing. The attendees will be provided with a VM image for an IoT security testing platform called IoTa, created by the trainers themselves. 

After the 2-day class, the attendees will be able to:

  • Extract and analyze device firmware
  • Analyse firmware and binaries using IDA Pro
  • Work hands-on with UART and SPI
  • Interact with and debug over JTAG
  • Identify attack surfaces and write fuzzers
  • Scan devices and reverse communication APIs
  • Perform USB attacks
  • Work with NFC, Bluetooth and RFID
  • Perform BLE analysis and packet analysis
  • Attack Zigbee - hands-on labs


Practical IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a completely unknown device - created exclusively for the OWASP AppSec training.

 Requirements:

 Hardware:
  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
Software:
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and AttifyOS VM which will have all the tools preconfigured for the training. 
During the Radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while running on one virtualisation software, but working with the same VM on another virtualisation software. 
Though we don't often run into these issues, it's recommended to have both virtualisation tools - VirtualBox and VMware - to save time troubleshooting. In the case of VMware, if you don't have the paid edition, the free VMware Workstation Player will also work. 

Speakers
Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...

Norman Shamas

Attify Inc
Norman Shamas is an IoT pentester and trainer at Attify (attify.com), an IoT and Mobile security firm. Attify has done a lot of in-depth research on Mobile application security and IoT device Exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 13

9:00am EDT

Training Session - Secure Coding in Java Day 2 (2 Day)
The course provides developers with practical guidance for developing Java programs that are robust and secure. Material in this presentation was derived from the Addison-Wesley book The CERT Oracle Secure Coding Standard for Java and is supported by the Secure Coding Rules for Java LiveLessons video series. Participants should come away from the course with a working knowledge of common programming errors that lead to software vulnerabilities, how these errors can be exploited, and effective mitigation strategies for preventing the introduction of these errors.
In particular, participants will learn how to:
• Explain the need for secure coding
• Follow fundamental secure coding guidelines
• Validate and sanitize data
• Explain the Java Security Model
• Predict how the numerical types behave in Java
• Avoid pitfalls in the use of characters and strings
• Securely process input and output
Moreover, the course encourages programmers to adopt security best practices and develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s.

You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:

  • Java SE Development Kit 8
  • Eclipse IDE for Java Developers or another Java 8 compatible IDE
  • Adobe Reader

You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class.  Make sure that you have imported the code into your IDE and that you can build and test the sample programs.

“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT.  We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.


 

Speakers
Robert Seacord

Principal Security Consultant, NCC Group
I work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed. Previously, I led the secure coding initiative in the CERT Division of Carnegie Mellon University’s Software Engineering Institute...


Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 11

5:00pm EDT

WIA - Networking event
  • Meet Tiffany Long, OWASP community manager and Emily Verwee, OWASP DC Chapter Co-lead
  • Network with industry professionals who are interested in supporting women in AppSec and related careers 

Wednesday October 12, 2016 5:00pm - 6:00pm EDT
Mount Vernon Square A&B

6:00pm EDT

Pre-Conference Reception
Wednesday October 12, 2016 6:00pm - 8:00pm EDT
Mount Vernon Square A&B

7:00pm EDT

OWASP Leaders Meeting
If you are a Project Leader, Chapter Leader, or interested in becoming one the Leader's workshop is for you!  You will hear about everything new that is going down at OWASP and be able to participate in a community discussion focused on your needs.  At the last Leaders Workshop we discussed OWASP communication strategist,  community concerns regarding the leader's list, and new leaders learned strategies for addressing their most pressing concerns from our more experienced leaders.  

Wednesday October 12, 2016 7:00pm - 9:00pm EDT
Meeting Room 16
 
Thursday, October 13
 

7:00am EDT

Registration
Thursday October 13, 2016 7:00am - 6:00pm EDT
Grand Ball Room Foyer

8:00am EDT

Keynote - Software Supply Chain Lifecycle Management: Reducing Attack Vectors and Enabling Rugged DevOps
As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acquisition, and DevOps.  The Internet of Things (IoT) is contributing to a massive proliferation of a variety of types of software-reliant, connected devices.  With IoT increasingly dependent upon third-party software of unknown provenance and pedigree, software composition analysis and other forms of testing are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.  Application vulnerability correlation and management should leverage automated means for detecting threat indicators, weaknesses, vulnerabilities, and exploits.  Using standards-based automation also enables the exchange of information internally and externally with vendors in the global supply chain for IoT/ICT products.  Addressing supply chain dependencies throughout the lifecycle enables enterprises to harden their attack surface by comprehensively identifying exploit targets, understanding how assets are attacked, and providing more responsive course-of-action mitigations.

Speakers
Joe Jarzombek

Joe Jarzombek is the former Director for Software Assurance in the National Cyber Security Division of the U.S. Department of Homeland Security (DHS). He led government inter-agency efforts with industry, academia, and standards organizations to shift the security paradigm away from...


Thursday October 13, 2016 8:00am - 9:00am EDT
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:00am EDT

Morning Coffee Break
Thursday October 13, 2016 9:00am - 9:30am EDT
Grand Ball Room Foyer

9:15am EDT

Lightning Talk - Demystifying CSP
There have been many attempts to make the Web a more secure place, or at least to make it harder to attack web applications. One of them is CSP, Content Security Policy. In my talk, I will cover the history of CSP, how it evolved from its original version, and what features will be available in the near future.
One of the challenges in deploying CSP is to understand what versions and directives are supported by different web browsers. In this presentation, I will share the current CSP compatibility matrix for major web browsers to provide a better understanding of CSP support. I will also demonstrate a framework that I developed to make it easy for anyone to run the same set of CSP feature tests, inspect the results, and add new feature checks.
In the last part of the presentation, I will show the usage of CSP by Alexa top web sites and how good their CSP policies are. I will also explain common CSP mistakes and strategies to fix them. Last but not least, I will demonstrate various tools, frameworks and libraries which would be useful to improve CSP policies.

Speakers
Ilya Nesterov

Engineering manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures...


Thursday October 13, 2016 9:15am - 9:25am EDT
Room C

9:30am EDT

Lightning Talk - Assessing and Exploiting XML Schemas Vulnerabilities
Specifications for XML and XML schemas have been designed with multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers and a fun environment for hackers.

Even though XML schemas are used to define the security of XML documents, they are also used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, and/or brute forcing.

This talk will analyze how new attack vectors can be inferred by analyzing the current vulnerabilities and how it is possible to affect common libraries and software. Recommendations will be shared to safely deploy applications relying on XML.

Speakers
Fernando Arnaboldi

Security Consultant
Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings in security conferences...


Thursday October 13, 2016 9:30am - 9:40am EDT
Room C

9:30am EDT

The Ways Hackers Are Taking To Win The Mobile Malware Battle
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles is taking it upon itself to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware. 


In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis & dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. 

During a live, interactive demo, Yair will create mobile malware on stage, meant to be undetected by static and runtime analysis technologies.


Speakers
Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around...


Thursday October 13, 2016 9:30am - 10:30am EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...

With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.

Speakers
Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several...


Thursday October 13, 2016 9:30am - 10:30am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software
Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated with the previous two.

Core to the DevOps movement is the idea of building empathy with people in other teams in order to align for business success. This talk provides the perspectives of three engineers who have each lived primarily in one of Dev, Ops, or Security, but have also worked collaboratively to try not to kill each other. They will talk about their backgrounds, provide practical examples from daily experiences, and share suggestions on building common tooling that minimizes friction and enhances collaboration.

This talk will discuss
- The misalignment of priorities that organisations often force upon these groups
- Struggles with collaboration and working cultures
- Common bottlenecks associated with release cycles and security processes
- Building empathy and optimizing for communication that doesn't involve fisticuffs (or other 19th century combat styles)

The audience will come away with:
- Ideas for handling these complicated situations
- Approaches for building workflows and possible tooling suggestions to minimize the tire fires
- A new appreciation for those on the other sides of the silo walls

Speakers
Chris Barker

Puppet
Turning in his pager for an airline miles membership, Chris Barker now helps fellow system administrators refine and automate their infrastructure. In his past life as a systems administrator, he has administered Linux, Windows, and OS X systems in infrastructure ranging from small...

Adrien Thebo

Puppet
Adrien is a software engineer at Puppet. He started in IT Ops in 2005 and started writing code to automate everything, inadvertently becoming one of the earliest devops hipsters (he did devops before it was cool). Adrien joined Puppet in 2011, first on the Operations team where he...

Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial...


Thursday October 13, 2016 9:30am - 10:30am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

OWASP Bug Bounty for projects
In June 2016, we started the OWASP Bug Bounty for projects initiative, where security researchers can actually submit their findings on the participant OWASP projects through the BugCrowd platform. 

Many developers and companies looking to implement security are turning towards OWASP to use Defender libraries that they can implement to secure their critical applications. Since this implies a form of trust in OWASP, many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.

Testing web applications for security can be a challenging task. But testing that security control libraries are robust in the face of attack is an even more difficult challenge for even the most sophisticated assessment professionals. 

BugCrowd provides their platform and services to allow OWASP projects to conduct specific Bug Bounty programs for Defender category projects, but also for any other Code Project that needs to be installed and could create vulnerabilities on the computer where it is installed.

The following projects are part of OWASP Bug Bounty:

We want to promote and spread the word regarding our Bug Bounty program. The activity we want to plan during APPSEC US 2016 involves an OWASP Bug Bash similar to the one organised at APPSEC 2013, but only with the OWASP projects that are part of the Bounty program, where we provide a deployed server with the applications.

Thursday October 13, 2016 9:30am - 11:30am EDT
Meeting Room 2

9:45am EDT

Lightning Talk - Application Security in a DevOps World: Three Methods for Shifting Left
Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development and operations was expected to “just make it work.” The same can be said about many other activities, including application security. This isn’t intended to be derision aimed at development—it’s just a feature of how processes have historically been demarcated. 
But with the emergence of the DevOps movement, organizations are beginning to apply the “shift-left” principle associated with early testing toward other facets of application development. Security, which has been treated as something you can test into an application, should be built into an application according to DevOps principles. 
In this presentation, we discuss how to get development and operations working together to build security into the application. We’ll outline three methods and discuss their merits and drawbacks:
• Penetration testing: This is the approach most commonly used.
• Hybrid testing: By applying flow (dynamic analysis) early in the process, you can look for possible paths through the code that lead to security flaws.
• Preventative testing: By taking a standards-based approach and implementing a set of activities that target defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches.

Speakers
Aaron Lindsay

Aaron Lindsay has been helping Parasoft’s clients harden code, develop functional testing solutions, and virtualize their environments for almost 4 years. He has worked on projects all across America and South America, incorporating service virtualization into verticals that range from...


Thursday October 13, 2016 9:45am - 9:55am EDT
Room C

10:00am EDT

Lightning Talk - Automated Gadget Chain Generation for Object Injections
Object injection vulnerabilities account for the most sophisticated attacks against web applications today. They persist when an attacker is able to modify the unified string representation of an object that is passed to the application. By injecting a specifically crafted object, the attacker can trigger the execution of existing code fragments, so-called gadgets. Depending on the application's source code and programming language, different gadget chains are possible that can lead to diverse security issues, such as remote code execution. Due to today's applications' code complexity and size, finding all possible gadget combinations is a difficult task. This lightning talk will present new static code analysis techniques for the automated detection of PHP object injection vulnerabilities and the automated generation of gadget chains.

Speakers

Hendrik Buchwald

CSO, RIPS Technologies
Hendrik Buchwald is a computer science graduate from the Ruhr University Bochum and a professional software engineer. He is co-founder and the CSO of RIPS Technologies, a Bochum-based IT security company with focus on code analysis solutions for web applications.


Thursday October 13, 2016 10:00am - 10:10am EDT
Room C

10:00am EDT

Members Lounge
Need to recharge?
Feeling a bit thirsty or hungry?
Maybe you’re looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere?

NO PROBLEM!  

Head on over to the Members Lounge located in the Mount Vernon room 

Here you can grab a snack, quench your thirst, recharge those batteries, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? That’s okay, swing on over to the Lounge and you can sign up on the spot!  

Look for the signs or ask a volunteer for directions


Thursday October 13, 2016 10:00am - 5:00pm EDT
Mount Vernon Square A

10:15am EDT

Lightning Talk - If you can dodge a wrench!..... (or how not to security test your web app):
Have you ever initiated a test that inadvertently sent 2,000 emails to your executives? How about dumping your Production Database?

As web applications become more advanced, security teams have become increasingly reliant on using automated scanners to discover vulnerabilities within their environment. However, unlike NetSec scanners, web application scanners have the potential to break your web app, resulting in loss of data, downtime and more importantly, lost revenue.
But don't shut down your scanning program just yet! I will walk you through the common mistakes, pitfalls and pre-scanning techniques that will ensure a more harmonious relationship between your scanner and web application.

In this talk you will learn pre-scan reconnaissance techniques, what changes you should make to your application, and how to dodge common scanner configuration mistakes.

Thursday October 13, 2016 10:15am - 10:25am EDT
Mount Vernon Square B Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:15am EDT

Lightning Talk - WAF Evolution, or How I Stopped Worrying About Vulnerabilities
In this talk, we'll explore how application firewalls must evolve to continue to provide powerful, operationally scalable security policies. Gone are the days of "virtually" patching vulnerabilities when remediation time continues to shrink in more agile, devops-driven infrastructures. Infrastructure-based application security must pivot to focus on client behavior and characteristics, rather than on the web app itself. Security must also be extended to the browser, to protect even the user who will click on anything from compromise.
Elements of this topic have been covered in my columns on Information Security Buzz:
http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/
http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/
http://www.informationsecuritybuzz.com/articles/is-bot-detection-the-best-value-in-infosec/

Speakers
Brian McHenry

Senior Security Solutions Architect, F5 Networks
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is also a regular contributor on InformationSecurityBuzz.com...


Thursday October 13, 2016 10:15am - 10:25am EDT
Room C

10:30am EDT

Lightning Talk - Taking Back Privacy to Gain Control
The word ‘privacy’ has become an increasingly prevalent and polarizing term and it is a problem. 

Asking someone to define ‘privacy’ is like asking them for their definition of God. The question is intensely personal, colored by distinct experiences and backgrounds. After talking to hundreds of people and spending a career thinking about it, it’s possible we’ve been contemplating the wrong question.

The word privacy itself has obscured the issue because the “battle over privacy” isn’t really about privacy at all — it’s about control. Thinking about it in more specific examples, when someone decides to do naked yoga with the curtains closed (or open, as it were), they’re really saying: “I choose to let you see me or not…but either way it’s my choice.” 

Privacy becomes a hot button topic when information or our actions are recorded without our consent or knowledge. We’re outraged that the NSA engaged in domestic surveillance and creeped out that companies are profiling us at such a detailed level that they can predict intimate events like pregnancy. 

However, as participating members of our modern, tech-enabled society, this is the trade-off we make. We’re not just giving up privacy for convenience; we’re surrendering control, and we do it because we don’t believe we have a viable alternative. 

This is not how the real world works.

At home, we can decide when to turn off the lights and close the blinds. We control who, how and what about ourselves is shared. This is our right — our choice — and it’s a decision that will differ from person to person because everyone has a varying degree of comfort when it comes to sharing pieces of his or her personal life. That’s the definition of control.

Which leads back to the problem: talking about privacy in the first place. Not only does it fail to address the real issue (control), it fails to include everyone in the conversation. Let’s be honest, some people simply don’t mind doing yoga naked with the curtains open. They aren’t as concerned about their privacy as others might be, but that doesn’t mean they don’t like having the freedom to choose when and how wide to open their windows. Steve Shillingford, CEO of Anonyome Labs wants to open the door to this problem and discuss. He believes individuals should be able to control their identities and personal information — plain and simple. 

Recent data from Pew (January 2016) suggests that while Americans aren’t necessarily opposed to sharing their information, they are frustrated and concerned by the lack of control they have regarding how, when and with whom that information is shared. In fact, 93% of surveyed adults said that being in control of who could access their information was important to them, and 90% said that control over what information was collected was important. So why are we talking about privacy at all?

Speakers
Steve Shillingford

Anonyome Labs
Steve Shillingford, current Founder and CEO of Anonyome Labs, has more than 20 years of experience driving growth and revenue at industry-leading technology companies. Shillingford has served as an Advisor at Signal Peak Ventures since 2013, and also serves on the boards of E8 Security...


Thursday October 13, 2016 10:30am - 10:40am EDT
Room C

10:45am EDT

Lightning Talk - Beyond The ‘Cript: Practical iOS Reverse Engineering
There is an app for everything these days. And if you are current on your Infosec news you know every new app comes with its own vulnerabilities. One class of bugs has been relatively easy to find, with frameworks becoming increasingly available to help. 

But more and more developers are hardening their apps against common issues using jailbreak detection and best practices, and some of the easy issues are starting to dry up.

Luckily for the top testers, there is another class of bug that can still (and only) be found with deeper knowledge of iOS and its underlying assembly code.

The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover. 

The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing Mach-O binaries, and ends with some real-world examples involving jailbreak detection.

Speakers
Michael Allen

Security Consultant, IOActive, Inc
Michael E. Allen is a security consultant at IOActive with more than ten years of experience in the Information Security industry. His primary interests are in programming, exploit development, and reverse engineering. Mr. Allen has extensive skills in design, implementation, enhancement...


Thursday October 13, 2016 10:45am - 10:55am EDT
Room C

10:45am EDT

Practical Static Analysis for Continuous Application Security
Static code analysis tools that attempt to determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result, very few tools exist and commercial tools are very expensive - if they even support your programming language.

The good news is that building targeted static analysis tools for your own environment with rules specific to your needs is much easier! Since static analysis tools can be run at any point in the software development lifecycle, even simple tools enable powerful security assurance when added to continuous integration. This talk will go through straightforward options for static analysis, from grep to writing rules for existing tools through writing static analysis tools from scratch.

Speakers

Justin Collins

Brakeman Guy
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. His commercial product, Brakeman Pro, was acquired by Synopsys in 2018.


Thursday October 13, 2016 10:45am - 11:45am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

SPArring with the Security of Single Page Applications

When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, Muay Thai for the stand up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he’s on the ground, he needs to know Jujitsu and Sambo to submit his opponent. 

When doing battle with a SPA, a pen-tester must become an MMA hacker…A Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
• Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
• Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
• Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
• Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements and how this can create security issues that are inherited from trusting the third party.
• Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Speakers
Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...


Thursday October 13, 2016 10:45am - 11:45am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

Your License for Bug Hunting Season
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.

Speakers
Jim Denaro

Partner, CipherLaw
Jim is a registered patent attorney in the Washington, D.C. area and advises clients on offensive and defensive applications of intellectual property. Jim has particular expertise in information security and cybersecurity technologies, and is a frequent speaker and writer on the subject...

Casey Ellis

Founder, Bugcrowd
As Founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account...


Thursday October 13, 2016 10:45am - 11:45am EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

11:00am EDT

Lightning Talk - LANGSEC 101: Taking the Theory Mainstream
LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and it's ready for a mainstream debut. Heard about LANGSEC but don't know what it is or whether you should use it? Programming languages are getting more powerful and capable, burdening developers and security professionals alike. LANGSEC attempts to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application.

This session provides an easy-to-follow introduction to the LANGSEC philosophy, and is geared towards those with no prior experience building parsers or understanding of formal language theory. Attacks that can be addressed with the effective implementation of LANGSEC include:

- Cross-site scripting (XSS) 
- SQL Injection 
- Command Injection 
- Format String 
- Stack Overflow 
- Heap Overflow
- File Inclusion 

Nobody wants these vulnerabilities in their code. This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained increasing momentum as a much more thorough, robust way to implement application security.

Speakers
Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal...


Thursday October 13, 2016 11:00am - 11:10am EDT
Room C

11:15am EDT

Lightning Talk - Building your Own Security ChatBot
ChatOps, a term widely credited to GitHub, is all about conversation-driven development and enabling teams to quickly and easily manage their development and deployment pipelines. Security for many years has been siloed, and often only the security team runs security tools. With ChatOps for security, common tools such as nmap, ZAP, Burp, and static code analysis tools are available through a security chatbot. Need to run an nmap scan? No problem! Ask @SecurityBot to scan your server, and even limit which destination IPs can be scanned.

Oftentimes there are many great security tools that hide behind obscure command line flags or have complex setup requirements or dependencies. Learn how to convert these tools into accessible tools that the security team and developers can take advantage of, so that these tools are only a conversation away. No binary tool distribution or configuration, just chat!

Speakers
Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks...


Thursday October 13, 2016 11:15am - 11:25am EDT
Room C

11:30am EDT

Lightning Talk - Can IT & Engineering get along for the sake of building, deploying, and maintaining app security?
Mobile security has become a top priority for companies, as both critical customer and company data flow through these apps constantly. Whether for enterprise workforce or consumer-facing apps, how can we as Engineering and IT teams work together to make app security a top priority, while also creating development and deployment templates that ensure the proper protections are in place in a standardized way, and that the necessary components are included at the code level to enable the kind of ongoing cyber threat monitoring required once apps are live?

Speakers

Mark Stutzman

Mark Stutzman, CEO of Appmobi will discuss the strategies necessary for teams to work together to ensure mobile app security and the tools they should consider that enable both secure development and deployment as well as real time monitoring and threat resolution.


Thursday October 13, 2016 11:30am - 11:45am EDT
Room C

11:45am EDT

Lightning Talk - The hidden bug in public bug bounties
On the surface, public bug bounty programs look like a no-brainer. You invite a number of security researchers to find security issues in your application and you only pay for valid results. Who can say no to that? However, as we explore in this talk, for many organizations launching a public bug bounty program is a buggy idea. It’s like storming the castle before gathering systematic intelligence and planning strategic attacks.

In this talk we will look at some of the challenges of public bug bounties such as:
- Low signal-to-noise ratio, which drives up the cost per bug
- Significant program management needed to run the program

We will look at the return on investment between running a public bug bounty program and engaging in more focused crowdsourced pen tests.

We’ll dive deeper into experiences drawn from the crowdsourced appsec industry over the last 4 years, as well as analysis of publicly accessible data in connection with data gathered from 200+ organizations running security programs on the Cobalt platform.

Speakers
Jacob Hansen

CEO, Cobalt Labs
Jacob Hansen is the CEO and Co-Founder of Cobalt Labs. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. Prior to founding Cobalt, Jacob was a consultant at Accenture in Copenhagen and London, where he delivered Enterprise IT Solutions for Fortune...


Thursday October 13, 2016 11:45am - 11:55am EDT
Room C

12:00pm EDT

Lightning Talk - Demystifying Windows Application
The talk will cover the security architecture of Windows 7 and Windows 8: OS features, BitLocker encryption, the sandboxed application model, UEFI Secure Boot, and the Windows mobile application development life cycle. It will then cover testing Windows mobile applications against the OWASP Mobile Top 10, including lack of binary protection. Real-world application flaws in applications such as Dropbox, Facebook, eBay and Box will be shown together with the exploitation techniques, followed by a demonstration of the hacks and a discussion of secure coding techniques for mitigating the security flaws.

Speakers
Rupali Dash

Analyst, Goldman Sachs
Rupali works at Goldman Sachs as a security analyst. She focuses on mobile application security and has received awards for her work from large companies. She also works on IoT and is a subject matter expert in developing secure applications on platforms like Android...


Thursday October 13, 2016 12:00pm - 12:10pm EDT
Room C

12:00pm EDT

Lunch Break
Thursday October 13, 2016 12:00pm - 1:00pm EDT
Rooms A&B

12:00pm EDT

WIA - Mentoring event
  • Meet industry professionals who are interested in mentoring aspiring women in the field
  • Lunch will be provided

Thursday October 13, 2016 12:00pm - 1:00pm EDT
Lafayette

1:00pm EDT

Barbarians at the Gate(way)
This talk will examine the tools, methods and data behind the DDoS and web attacks against cloud platforms and traditional architectures that are prevalent in the news headlines.

Using collected information, the presentation will demonstrate what the attackers are using to cause their mischief & mayhem, and examine the timeline and progression of attackers as they move from the historical page defacers to the motivated attacker.

We will look at their motivations and rationale and try to give you some sort of understanding of what patterns to be aware of for your own protection.

Speakers
Dave Lewis

Global Advisory CISO, Cisco
Dave has 30 years of industry experience. He has extensive experience in IT operations and management. Dave is a Global Advisory CISO for now Cisco. He is the founder of the security site Liquidmatrix Security Digest and host of DuoTV and the Plaintext podcast. Dave is currently working...


Thursday October 13, 2016 1:00pm - 2:00pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

Next Gen Web Pen Testing: Handling Modern Applications in a Penetration Test
As technology advances and applications make use of newer technology, our penetration testing techniques and methods have to keep up. In this presentation, Jason Gillam and Kevin Johnson of Secure Ideas will walk attendees through new web technologies and how testing methods can change to handle the nuances. Some examples of technologies and changes that will be discussed during the talk are HTTP/2, CSP, CORS and RESTful APIs. During the presentation, Kevin and Jason will walk through each new system or feature and the methods to test it. After presenting these techniques, Jason and Kevin will walk through the new modern vulnerable application and the release of the new SamuraiWTF 4.0.

Speakers
Jason Gillam

Secure Ideas LLC
Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to...

Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...


Thursday October 13, 2016 1:00pm - 2:00pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

Using language-theoretics and runtime visibility to align AppSec with DevOps
Programming languages are becoming more powerful and capable, and applications more porous than ever before -- burdening developers and security professionals alike. Evolving constraints, patterns and definition lists make validating data inputs and preventing injections while maintaining application performance unwieldy and difficult. Nobody wants vulnerabilities in their code, but with the rise of Agile DevOps, security is usually playing catch-up. 

A new breed of embedded runtime security tools coined Runtime Application Self-Protection (RASP) are enabling developers and security admins to see beyond potential vulnerabilities and identify the actual attacks that are hitting their applications in production. RASP comes in several shapes and sizes, and this talk is designed to introduce the audience to the RASP implementation based on the LANGSEC methodology and its mission to align Security and DevOps – giving both teams the visibility and automation they need to work in synchrony.

LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and it's ready for a mainstream debut. LANGSEC attempts to use the grammar and linguistic constructs of the programming language itself to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application (XSS, SQLi, command injection, CSRF, format string, stack / heap overflow, file inclusion).

This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained a lot of traction as a much more robust approach to securing and releasing applications more quickly and easily.

Speakers
Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal...


Thursday October 13, 2016 1:00pm - 2:00pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:00pm EDT

Career Fair
Thursday October 13, 2016 2:00pm - 5:00pm EDT
Room C

2:15pm EDT

Cleaning Your Applications' Dirty Laundry with Scumblr
Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed every day, code is pushed every hour, and systems are spun up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool called Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding of how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tool, including details on how we're using Scumblr for vulnerability management, application risk tracking and more. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider and GitHub, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.

Speakers
Scott Behrens

Senior Application Security Engineer, Netflix
Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise...

Andrew Hoernecke

Netflix
Andy Hoernecke is a Senior Application Security Engineer on the Product and Application Security Team at Netflix where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security...


Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Should there be an Underwriters Laboratories certification for software in IoT products?
The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is collaborating with the Underwriters Laboratories and industry partners to develop a Cybersecurity Assurance Program that would test and certify the security of devices that are part of the Internet of Things (IoT), such as infusion pumps and refrigerators. One of the goals is to ensure that software embedded in these devices is free of vulnerabilities that could be exploited. 

UL certification of software within products is a controversial topic. Proponents point to CyberUL certification as a means of assuring that IoT products meet acceptable standards such as owner-unique passwords, automated software and firmware updates, and IoT product software that is free of SQL injection and Cross Site Scripting flaws. Proponents also see the CyberUL as a proactive measure to provide security safeguards for the vastly expanding digital infrastructure. Opponents point out that it is a major investment in a solution that addresses less than 0.1% of real-world attacks; many would rather see the investment in CyberUL transferred to fixing the problems that account for most attacks, such as unpatched software, bad passwords and users succumbing to phishing. Opponents also say that the cost associated with getting CyberUL certification can create a barrier to the introduction of innovative products.

This panel will discuss the pros and cons of the Cyber Assurance Program’s pursuit of a CyberUL certification and the impact it may have on the application security community. It will appeal to conference attendees who are interested in how policy affects technology, builders of new technologies that are targets for CyberUL certification, and breakers who may see the CyberUL as either an opportunity or a challenge to overcome.

Speakers
avatar for Josh Corman

Josh Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The... Read More →
avatar for Anita D'Amico

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD. is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed... Read More →
Kevin Greene

Department of Homeland Security, Science and Technology
Kevin Greene works in the federal government overseeing software assurance and application security research and development projects. He currently is focusing on the build-out of the Software Assurance Marketplace (SWAMP), a national marketplace and collaborative research forum designed... Read More →


Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Threat Modeling with Architectural Risk Patterns
Current approaches to Threat Modeling emphasise manual analysis typically performed by developers together with a security specialist. This has a high initial cost, both in terms of time and the skills required to perform it. Both of those constraints are under pressure as organisations increase the speed and volume of software development. In enterprise environments there is the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process. Lack of necessary security skills is also a reason that many smaller companies never attempt threat modeling in the first place.
This talk will present a software-centric method of threat modeling that uses risk patterns to increase the speed of creating a threat model and that also introduces a degree of consistency into the process. We’ll present a series of incremental improvements to the use of risk patterns, from a simple checklist-based approach to the use of a flexible rules engine.

This method could be implemented by tooling to automatically generate a threat model based on architectural decisions. The technique employs principles from Object Oriented software design, such as inheritance and method overloading, so that the contents of the patterns can be practically maintained and extended without unnecessary repetition. Organisations can use this method to extract the expertise from their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.

Speakers
Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. His background is in software development and security testing... Read More →


Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:00pm EDT

Securing the Electronic Frontier

From light bulbs to drones, sophisticated technology is integrated into nearly every aspect of our lives. Today, nearly everyone is technologically curious if not active in a maker or hackerspace. The world is, essentially, a security researcher’s dream.  The ease with which devices can now be altered also makes some companies uncomfortable or eager to profit off of user generated content.  Mediating these competing needs is the law, written largely for generations-old technology by political bodies not conversant in the nuances of bleeding edge tech.

Enter DRM, which can be used to prevent your devices from completing legal tasks or punish researchers who seek to secure them. OWASP is proud to offer you a chance to speak with the EFF’s Cory Doctorow about their current lawsuit and the intersection of security research and DRM. The second half of the one hour session will be opened up to a Q&A by the audience.  

Speakers
Cory Doctorow

Science Fiction Author, Activist and Journalist
Cory Doctorow (craphound.com) is a science fiction novelist, blogger and technology activist. He is the co-editor of the popular weblog Boing Boing (boingboing.net), and a contributor to many magazines, websites and newspapers. He is a special consultant to the Electronic Frontier... Read More →


Thursday October 13, 2016 3:00pm - 4:00pm EDT
Meeting Room 2

3:30pm EDT

How to Find the Next Great Deserialization CVE
The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE. 

The commonalities between deserialization attacks will then be discussed, laying the framework for a "how to" guide on finding and exploiting deserialization vulnerabilities.

The talk will also explain the incredible difficulty faced when using traditional appsec defenses (input validation, signaturing) to stop these vulnerabilities, and explain free and open source options for builders to protect themselves from such attacks.

Speakers
Arshan Dabirsiaghi

Chief Scientist, Contrast Security
Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role where he used static and dynamic technology to perform security... Read More →


Thursday October 13, 2016 3:30pm - 4:30pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

HTTPS & TLS in 2016: Security practices from the front lines
Implementing strong security for Internet-facing services has grown more challenging and more complex over the past two years. With protocol-level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long-held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non-browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?
Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie-Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around HTTPS including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for HTTPS and TLS.

Speakers
Eric Mill

Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.
Kenneth White

Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large-scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job... Read More →


Thursday October 13, 2016 3:30pm - 4:30pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

When encryption is not enough: Attacking Wearable - Mobile Application communication over BLE
Communication protocols have evolved from the traditional Serial and LAN ports to complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for wearables which are low energy, low performance computing systems. The BLE standard specification provides for a variety of security mechanisms for channel encryption to protect data against snooping and man-in-the-middle style attacks.

In our presentation, we talk about the security assumptions made by popular mobile operating systems when they adopt the BLE specification and how this impacts their communication with wearable devices. We include vulnerability case studies to discuss how rogue mobile applications can use the same set of BLE encryption keys as the legitimate companion application, and get access to personal information or cause denial of service conditions on the wearables. We will discuss the insufficiencies of the protocols and the need for extra measures if the use cases demand confidentiality and integrity of data in transit.

We will present high level flows to correctly design secure communication channels between a phone application and the wearable device.

Speakers
Chandra Prakash Gopalaiah

Intel Corp
Chandra has worked in software development and the security domain for about 8 years in various roles. Prior to joining Intel, he worked for Motorola Mobility Inc. in Android development. He has a Master's degree in Computer Science from San Diego State University.
Sumanth Naropanth

Intel Corp
Sumanth has worked in the information security industry for a decade in a variety of roles, including incident response, feature development and security assurance. He worked for Sun Microsystems and Palm before his current job at Intel. He has a Master's in Computer Science (Security... Read More →
Kavya Racharla

Intel Corp
Kavya has a Master's in Information Security from the Johns Hopkins University and a passion for Security. She worked for Oracle and Qualcomm’s security teams before she started her current job at Intel.


Thursday October 13, 2016 3:30pm - 4:30pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

4:30pm EDT

Afternoon Coffee Break
Thursday October 13, 2016 4:30pm - 5:00pm EDT
Grand Ball Room Foyer

5:00pm EDT

Keynote - The Less Hacked Path
Since the dawn of the Internet and the Web, a broad series of hacking attack vectors have descended. Malicious hackers, researchers, and governments have demonstrated and deployed these attacks onto computers, mobile devices, and nuclear power plants. While we continue to build sophisticated technology to defend against many of these attacks, a new field of exciting research is taking place that uses side channels, physics, and low cost tools to employ powerful attacks against modern technology. We'll explore some of these fascinating, and often secretive, methods and how you can use them or secure against them.

Speakers
Samy Kamkar

Samy Kamkar is a privacy and security researcher, computer hacker, whistleblower and entrepreneur. At the age of 16, Kamkar dropped out of high school and one year later co-founded Fonality, a unified communications company based on open source software, which raised over $46 million... Read More →


Thursday October 13, 2016 5:00pm - 6:00pm EDT
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

6:30pm EDT

Conference Dinner at the SPY Museum
Thursday October 13, 2016 6:30pm - 9:30pm EDT
SPY Museum
Friday, October 14

7:00am EDT

Registration
Friday October 14, 2016 7:00am - 5:00pm EDT
Grand Ball Room Foyer

8:00am EDT

WASPY Awards
Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not. 

The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized. 

https://www.owasp.org/index.php/WASPY_Awards_2016

Speakers
Frank Catucci

About Frank: Frank Catucci is currently the Director of Web Application Security, Product Manager and a Subject Matter Expert for Qualys. He has over 15 years' experience in the Information Technology and Security field that spans enterprise, financial services, university/higher education... Read More →
Dave Ferguson

Dave Ferguson is a Solution Architect and SME with Qualys and has been immersed in all things application security since 2006. After writing code as a developer for over a decade, Dave worked as a consultant pen-testing applications and training other developers on how to build secure... Read More →



Friday October 14, 2016 8:00am - 8:15am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

8:00am EDT

Keynote - Cryptography in the age of Heartbleed
The past decade has seen an unprecedented number of high-profile data breaches. To address this threat, businesses have begun to invest heavily in encryption technologies, both to protect data and to reduce liability in the event of a breach. However, the widespread deployment of encryption has placed a new burden on application developers, a burden that is made worse by the fact that many of our existing protocols and software libraries are themselves flawed. In this talk I will discuss the problems facing both cryptographers and application developers who implement cryptography. I will focus on where we stand with making cryptography easy to use; recent vulnerabilities in some of the protocols that power the secure web; and the challenging problem of securing cryptographic software against sophisticated nation-state attackers. 

Speakers
Matthew Green

Dr. Matthew Green, a respected cryptographer and security technologist, has over fifteen years of industry experience in computer security. Dr. Green is an Assistant Professor of Computer Science at the Johns Hopkins Information Security Institute. He specializes in applied cryptography... Read More →


Friday October 14, 2016 8:00am - 9:00am EDT
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:00am EDT

Morning Coffee Break
Friday October 14, 2016 9:00am - 9:30am EDT
Grand Ball Room Foyer

9:15am EDT

Serverless Security: Doing Security in 100 milliseconds

Serverless is the awesome future of cloud computing. This session will focus on practical security approaches for serverless in four key areas: software supply chain, delivery pipeline, data flow, and attack detection.


Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Now processes run for milliseconds before being destroyed and are then instantiated again for subsequent requests.


Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.


This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics and you will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.


Speakers
James Wickett

James does most of his research and work at the intersection of the DevOps and Security communities. He works as a Sr. Engineer at Signal Sciences and is a supporter of the Rugged Software and Rugged DevOps movements. Seeing the gap in software testing, James founded an open source... Read More →


Friday October 14, 2016 9:15am - 10:00am EDT
Room C

9:30am EDT

Protect Containerized Applications With System Call Profiling
Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container. In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile in runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically from analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.

Speakers
Chenxi Wang

Twistlock
Dr. Chenxi Wang is Chief Strategy Officer of Twistlock, where she is responsible for product strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security... Read More →


Friday October 14, 2016 9:30am - 10:30am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

Putting an “I” in Code Review – Turning Code Reviewing Interactive
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique. 

Speakers
Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and... Read More →


Friday October 14, 2016 9:30am - 10:30am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

Why using SMS in the authentication chain is risky and what better options are available
Passwords are horrible for security. Over the past 20 years we’ve bolstered the password with other factors, the most common being a one time password (OTP, TOTP, HOTP) that is either generated on a physical device the user holds, in a smartphone app or most commonly sent via SMS. Using SMS for authentication is not secure. We’ve known this for years, but recently we’ve been reminded of this with problems with Google and Apple SMS security. 

SMS is important to ensure we have a backup way of allowing people to log in to systems, but it should always be a last resort. So what’s the first resort? Second factors to the password need a different communications channel from the one a user is authenticating to. SMS is not secure, but push notification methods are. It is possible to initiate a communication channel via the Apple, Google and Microsoft mobile notification networks. At the end of these push notifications is a secured app that in turn securely communicates with the 2FA back end. Not only is this method more secure, it’s actually a far improved user experience that can be extended beyond the login to secure in-application transactions.

This presentation will go over the limitations of traditional two-factor methods and introduce the improved approach using a push notification channel to achieve the same goal, i.e. authenticate a user identity by validating the initiating request comes from a person who has something in their possession which is trusted.

Speakers
Simon Thorpe

Director of Product, Twilio - Authy
Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information... Read More →



Friday October 14, 2016 9:30am - 10:30am EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

9:30am EDT

WIA - Planning event
  • Provide feedback on the WIA events 
  • Brainstorm ideas for next year's conference
  • Determine short and long-term goals for the WIA initiative

Friday October 14, 2016 9:30am - 11:30am EDT
Meeting Room 2

10:00am EDT

Members Lounge
Need to recharge?
Feeling a bit thirsty or hungry?
Maybe you’re looking for an OWASP t-shirt?
Or just looking to take a break from the hectic conference atmosphere?

NO PROBLEM!  

Head on over to the Members Lounge located in the Mount Vernon Room Square A

Here you can grab a snack, quench your thirst, recharge those batteries, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? That’s okay, swing on over to the Lounge and you can sign up on the spot!  

Look for the signs or ask a volunteer for directions



Friday October 14, 2016 10:00am - 3:00pm EDT
Mount Vernon Square A

10:05am EDT

Continuous Security: DevOps and Ongoing Authorization

Application security has changed dramatically from even just a decade ago. Today, if you do not build in security and deliver continuously, you are at risk. This is the story of how we have updated our practices to incorporate security at every phase, through the intersection of DevOps and Cybersecurity. The session will touch on lessons learned through real world experience and things you can do to begin integrating security into your DevOps pipeline through the use of ongoing authorization.  


Speakers
Paula Thrasher

Paula Thrasher is Director of Digital Services at CSRA. She has 20+ years' experience in IT and has spent the last 15 years trying to implement Agile culture in the federal government. Paula's first Agile project was in 2001. Since then, she has led over 15 programs and projects as... Read More →


Friday October 14, 2016 10:05am - 10:45am EDT
Room C

10:45am EDT

DevOps to DevSecOps: a 2-dimensional view of security for DevOps

When it comes to looking at Security and DevOps, one has to look at it in two dimensions: 1. Securing the Application, and 2. Securing the Application Delivery Pipeline. Securing the application is focused on ensuring that the application being developed and delivered, and its associated data, are secure: that they are built and delivered using Secure Engineering practices that ensure the security and integrity of the application, the business, and the end users.

Securing the Application Delivery Pipeline focuses on securing the Delivery Platform itself: ensuring that the application development and delivery tools, the Infrastructure and environments, configurations, automation tools, repositories, and associated Services and APIs are all secure.

This session will look at the security considerations that need to be taken to put the Security in DevOps.


Speakers
Sanjeev Sharma

Sanjeev Sharma is an internationally known DevOps, and Cloud Transformation thought leader, technology executive, and published author. Sanjeev’s industry experience includes tenures as CTO and Worldwide Technical Sales Leader, Acquisition Integration Technical Leader, and IT Architect... Read More →


Friday October 14, 2016 10:45am - 11:20am EDT
Room C

10:45am EDT

Exploiting CORS Misconfigurations for Bitcoins and Bounties
Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.

Speakers
James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience... Read More →


Friday October 14, 2016 10:45am - 11:45am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

Patterns of Authentication and Self-Announcement in the Internet of Things (IoT)
The need to connect ‘things’ to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT:
1. Physical access and infinite time available to adversaries to take apart devices
2. Lower computation power of standalone devices
3. Unforeseen and emergent behavior of the system if arbitrary nodes are compromised
4. Endless possibility of privacy intrusion based on data intelligence and indirect identity inference
In this work the IoT systems are modelled using a number of elements: person, machine/device, service, server, client (esp. mobile), and passive marker. New authentication scenarios emerge when these items introduce themselves to each other on trusted or untrusted networks. The majority of authentication and self-announcement needs can be modelled using the above elements. For the major authentication and self-announcement scenarios, possible authentication patterns are presented. Here are four examples of how these patterns apply to sample IoT scenarios:
• Home automation as enabled by NEST devices
• Device collaboration in Zigbee-based networks
• Smart inventory management using NFC/RFID
• Remote device control based on XMPP (SASL authentication)
The minimum computation power (capability to perform cryptographic operations) and privacy preserving considerations are analyzed in each case.

Speakers
Farbod H Foomany

Senior Security Researcher (Tech. Lead), Security Compass
Farbod H Foomany is a senior application security researcher (technical lead) at Security Compass. He has a bachelor's degree in electrical engineering (control systems), a Master's degree in artificial intelligence and robotics, and has completed a PhD with main research on security aspects... Read More →
Amir Pourafshar

Application Security Researcher, Security Compass
Amir Pourafshar is an application security researcher at Security Compass. Amir is currently part of a research team working on an IoT project that aims to investigate and formulate the security requirements of system design/development in internet of things (IoT) ecosystem. Amir... Read More →


Friday October 14, 2016 10:45am - 11:45am EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

Practical tips for web application security in the age of agile and DevOps
The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfall development, and its heavyweight controls often cause more problems than they solve in today's world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:
1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
3) Measure the maturity of your organization's security efforts in a non-theoretical way

Speakers
Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding... Read More →


Friday October 14, 2016 10:45am - 11:45am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

11:25am EDT

Where bits & bytes meet flesh & blood: Devops, Cybersafety, and the Internet of Things

We've heard software is eating the world; software is infecting the world. Our dependence on connected technology is growing faster than our ability to secure it, in areas affecting public safety and human life. Adding millions of lines of code and connecting everything to everything else exposes cyber physical systems to new accidents and adversaries. This is truly where bits & bytes meet flesh & blood. While many in security fear DevOps and see it as the end of security as we know it... maybe that's a good thing. Our best is not good enough. Despite best practices, modern SW and Security have allowed 100 of the F100 to lose IP and sensitive information; even our governments routinely succumb to adversaries. These failure rates cannot stand when the consequences of failure are measured not in record count but in human lives and GDP. Paradoxically, it may take DevOps to rise to these challenges. Rugged DevOps is finding un-obvious common ground and breakthroughs like SW supply chain principles, greater visibility and response agility, immutable infrastructure, and the like. We must be better. This is what better looks like.

 


Speakers
Josh Corman

Joshua Corman is a Founder of I am The Cavalry (dot org) and CSO for PTC. Corman previously served as Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The...


Friday October 14, 2016 11:25am - 12:10pm EDT
Room C

12:00pm EDT

Lunch Break
Friday October 14, 2016 12:00pm - 1:00pm EDT
Rooms A&B

1:00pm EDT

Automating API Penetration Testing using fuzzapi

Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature development teams, including internet giants such as Facebook, Google and Microsoft.

Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to solve the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOps engineers and penetration testers have no standard platform that provides coverage of the common vulnerabilities typically found in APIs. In the absence of such deliberately vulnerable applications, it has been a challenge for penetration testers to practice security testing on APIs across multiple platforms.

Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications.

As part of this presentation, our team will release an API fuzzer as an OWASP project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to penetration testing. Penetration testers can also use the tool against various APIs during their testing to automate some of their tasks.

Speakers
Abhijeth Dugginapeddi

Abhijeth D (@abhijeth) is a security consultant working for a bank in Australia. He previously worked with Adobe Systems, TCS and Sourcenxt, and is a security enthusiast in the fields of penetration testing and application, mobile and infrastructure security. He believes in the need for more security awareness...

Lalith Rallabhandi

Lalith Rallabhandi (@lalithr95) currently works as a Developer Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. He likes to code and break stuff, mostly web applications, and is a Ruby on Rails enthusiast. He has found bugs with Google, Microsoft...


Friday October 14, 2016 1:00pm - 2:00pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

DevOops: Redux
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:

- AWS Hardening
- AWS Monitoring
- AWS Disaster Recovery
- GitHub Monitoring
- OPINT
- Software Development Practices/Processes
- Secure use of Jenkins/Hudson
- Developer laptop hardening (OS X)

Speakers
Chris Gates

Sr. Security Engineer
Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part-time fixer instead of a full-time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon...

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and a builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON...


Friday October 14, 2016 1:00pm - 2:00pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

Needle: Finding Issues within iOS Applications
Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a 'one stop shop' for the majority of use cases; however, iOS does not have an equivalent.

"Needle" is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of Python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device.

We will be describing the tool's architecture, capabilities and roadmap. We will also demonstrate how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (if source code is provided). 

Speakers
Marco Lancini

Security Consultant, MWR InfoSecurity
Marco Lancini is a Security Consultant at MWR InfoSecurity in the UK, specialising in mobile applications. He works assessing apps and device configurations for a number of large organisations including banking, financials, telco, and energy providers. He has a Master's degree in Engineering...


Friday October 14, 2016 1:00pm - 2:00pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:05pm EDT

DevSecOps: A Peek Inside the Pipeline

Got it, DevSecOps... now could you stop dropping the microphone and show me how. It's time for DevOps and Security to come together and show how tools and processes can make it possible for software developers and security professionals to unite in a common mission. It's not easy to bring everything together and make it possible to build better, safer software at scale. Using developer tools like Jira, Jenkins, and Nexus, it is not only possible to increase the efficiency of software delivery but to strengthen applications at the same time. Digging into these tools, we'll take a look at how security defects and feature requests are now becoming part of a developer's backlog. And we'll look at unique ways to evolve both DevOps and Security to increase the speed of finding and fixing security issues while deploying software and still enjoying your job.


Speakers
Shannon Lietz

DevSecOps Lead, Intuit
Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company's cloud...


Friday October 14, 2016 1:05pm - 1:50pm EDT
Room C

1:55pm EDT

Making Invisible Things Visible: Revealing Secrets from 25,000 Applications

Every software development organization on the planet relies on a software supply chain, but most can't see it and don't understand the volume of components flowing through it. In the 2016 State of the Software Supply Chain Report, I detailed the practices of over 35,000 software development organizations who consumed billions of open source and third-party components in 2015. Across the billions of components downloaded, I found that 1 in 17 had a known security vulnerability. I also found a similar ratio of components flowing through these software supply chains into finished applications.

Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by as much as 30%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation. Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.

Results from the report will be shared with attendees, including:

  • Using one of the latest versions of a software component can cut the vulnerability ratio in half.
  • 75% of organizations lack policies that control the use of open source and third-party components.
  • 97% of development organizations lack any vetting process for components being electively procured for use in applications.

This discussion is not intended simply to shed light on bad practices. It is about making your software supply chain visible. Attendees will learn how those on the forefront of Development and Application Security are improving the quality and security of components used across their software supply chains.


Speakers
Derek Weeks

VP and Rugged DevOps Advocate, Sonatype
Derek is a huge advocate of applying proven supply chain management principles to development and application security practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. Over the past two years, Derek led the largest and most...


Friday October 14, 2016 1:55pm - 2:30pm EDT
Room C

2:15pm EDT

If You Can’t Beat ‘Em Join ‘Em: Practical Tips For Running A Successful Bug Bounty Program
Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.

Speakers
Grant McCracken

Solutions Architect, Bugcrowd
Grant is currently the Director of Program Operations and Solutions at Bugcrowd, and has been in the application security space for the last eight years, and in bug bounties for the last five. He has earned his OSCP, given talks at AppSec USA and EU, and enjoys helping others get into...

Daniel Trauner

Daniel Trauner is a Senior Application Security Engineer at Bugcrowd, a crowdsourced cybersecurity solution. He works with (and is sometimes a part of) the thousands of security researchers worldwide who collectively attempt to understand, break, and fix anything that companies...


Friday October 14, 2016 2:15pm - 3:15pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Misconfigured CORS and why web application security is not getting easier.
Web Application Security is actually really hard to enter into the "big leagues" with a mature security program like Facebook, Google, and the like. These orgs are very mature and oftentimes roll out the newest, latest, greatest security features.

Part of entering into the big leagues usually requires the implementation of advanced browser security features and HTTP response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1 million sites that caused sites to basically turn off the SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficulty of understanding the details of the CORS headers that caused the issue. There are lots of things to understand.

I want to then talk about individual security technologies and the operational issues associated with them.
- CSP
- HPKP
- HSTS
- SRI
- CORS etc etc etc.

There are a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.

Speakers
Evan Johnson

Security, Cloudflare
An engineer at heart, Evan works at Cloudflare with all of the software engineering teams on the systems and products they are building. He was the first security engineer hired at Cloudflare, previously worked at LastPass as a software engineer, and was the first security hire at Segment...


Friday October 14, 2016 2:15pm - 3:15pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Scaling Security Assessment at the Speed of DevOps
Scaling Security Testing at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window, forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks has improved feature delivery and time to market, it has complicated security assessment, producing substantial gaps between the current release and the last security-audited code. Consumers are now being forced to adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirements should be capable of being automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible by software engineers and testers, and new security tools should be accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad, which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK that promotes the development of community-developed security test content. This talk will explain Norad's design philosophy and architecture, and demonstrate its usage.

Speakers
Blake Hitchcock

Software Engineer, Cisco
Blake Hitchcock has been building and breaking web applications for 6 years with Cisco. He loves writing in Ruby, and 'Burp' is not just something he does after a few too many kielbasas. When he's not doing web stuff, Blake enjoys fitness, food, sports, and cheering for his beloved...

Brian Manifold

Cisco
Brian Manifold has worked as a software/security engineer at Cisco for the past 4 1/2 years. His main areas of interest at work are web development and web security. Outside of work he enjoys playing music, anything CNC (milling, 3D printing, etc.) related, hardware electronics...

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG), where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly...


Friday October 14, 2016 2:15pm - 3:15pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:35pm EDT

Moving to the Left: DevOps practices and the changing role of SecOps

As shown in the 2016 State of DevOps Survey, DevOps practices are changing the role of security teams, moving them "to the left" in the SDLC as part of the design phase and no longer simply validating production as being secure. Result: 50% less time remediating security issues.

The State of DevOps Survey has been running for the last 5 years, and the past two in particular have shown that DevOps practices are moving beyond just "Dev" and "Ops" to involve security teams as well as other areas of the business. Various labels are being used to describe this world: SecDevOps, DevSecOps, RuggedDevOps, but the critical inflection point is that the combination of strong automation platforms, continuous delivery, infrastructure-as-code and version control are all enabling security teams to validate and secure apps and infrastructure at the design phase. This minimizes the amount of manual validation of production by security teams, enables faster remediation of security issues and ultimately results in more secure deployments, but only if security teams take this opportunity to revisit existing practices that have built up over time.

In this talk we'll be covering the high-level results of the 2016 State of DevOps Report, the changing role of security teams, as well as some anonymized user stories illustrating both how to best take advantage of a growing DevOps practice within your organization and major missteps observed in the field.


Speakers
Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial...


Friday October 14, 2016 2:35pm - 3:10pm EDT
Room C

3:15pm EDT

Glad You Could Join Us: Bringing Security into the DevOps Fold

We all know that "DevOps" is a portmanteau of Development and Operations, but where is the "Sec"? Security has long been the red-headed stepchild of the DevOps cultural movement. The time has come to fully integrate traditional security testing practices into a Continuous Delivery pipeline.

We will discuss the current state of security in DevOps, what it means to have a security pipeline, and some challenges and solutions of such a transformation.


Speakers
Bryan Batty

Having spent more than ten years building secure software applications, Bryan Batty is now a Managing Consultant for Coveros, and focuses primarily on security and DevOps transformations, especially as they relate to building security into the software development pipeline. Over the...


Friday October 14, 2016 3:15pm - 3:50pm EDT
Room C

3:30pm EDT

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Is software development outpacing your ability to secure your company's portfolio of apps? You don't have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn't already have more than enough to do. This talk will cover how to take the lessons learned from forward-thinking software development and show how they have been applied across several businesses. This isn't a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on the improvements seen will be provided.

Beyond providing concrete examples of how to optimize your AppSec program, the talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. It will also introduce several new OWASP projects which will help you on your journey: the OWASP AppSec Pipeline project, OWASP Defect Dojo and the AppSec Pipeline toolbox. This talk's content plus these open source projects are more than you'll need to get started buying down technical security debt and unshackling yourself from traditional AppSec thinking.

Speakers
Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior to that, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was...


Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

Breaking and Fixing your ‘Docker’ ized environments
This presentation extracts a few points from the CIS Docker 1.12 benchmark, which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract: The concept of containerization has existed in Linux for ages in the form of jails, zones, LXC etc., but it is only in the last 2 years that it has gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Google alone spins up more than 2 billion containers per week, more than 3,300 containers per second. Inspired by Docker, Microsoft also started its container technology by extending its research project "Drawbridge". The effect of containers has already impacted the virtual machine market, and this impact is going to increase significantly in the near future.

Security is always an important issue for any upcoming technology, and Docker is no exception. This presentation starts with a brief introduction to containers vs. virtualization technology and the Docker ecosystem, and then goes deep into "Docker Security". It touches each and every component listed below in the Docker container pipeline, gives details about the ways in which they can be broken, and then the defensive measures to secure them.

Container Pipeline Components:
a) Images
b) Container Runtime
c) Host security
d) Daemon security
e) Communication security (daemon <=> client, daemon to registry etc.)
f) Registry security

Below is a brief overview of the Images and Containers components only.

1. Images
a. Image security analysis, in which I have extracted more than 50 Docker Hub images (which also include official images) and found critical vulnerabilities like Heartbleed, Shellshock, CSRF, XSS etc. in them. The presentation also provides a comprehensive security analysis of Docker Hub images, how vulnerable they are, and gives details about alternative options available for getting secure images.
b. Protecting images
- Efficient scanning: binary-level scanning, hash-based comparison instead of version string matching mechanisms
- Docker Content Trust: ensures authenticity, integrity and freshness guarantees (Is this really secure to use?)
- 20 golden rules to be followed for "writing Dockerfiles and maintaining images" securely

2. Containers
a. Detailed explanation of how container isolation can be torn apart
b. Docker claims that their containers are "Secure by Default", and a popular report on Linux containers released by NCC Group also states that "Docker has strong defaults". In this presentation, I will be proving that Docker defaults are vulnerable to DoS, side channel, remote exploitation etc. vulnerabilities. Besides, I will also be explaining a few other ways of exploiting Docker containers if CIS Docker benchmark rules are not adhered to.
c. 20 golden rules to be followed for ensuring a secure container runtime

Apart from the topics mentioned above, this presentation also throws light on the tools available on the market for securing the container ecosystem, along with the pros and cons of each tool: Twistlock, Aquasec, Nautilus etc.

Speakers
Manideep Konakandla

Carnegie Mellon University
Manideep Konakandla is an author, security researcher, speaker and a J.N. Tata Scholar. He is currently a security researcher and Master's student in Information Security at Carnegie Mellon University, USA, researching "Security of containers with focus on Docker". He has authored a book at...


Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

Containerizing your Security Operations Center
As security professionals, we have no shortage of tools available to us in our offensive and defensive pursuits. How we choose to deploy, maintain, and share these tools across teams can prove to be burdensome and overly complex. Security teams are becoming swept up in the DevOps movement and we are being encouraged to bring visibility into our workflows and toolsets. This means moving things from our local boxes to a more available and collaborative environment. This talk will share lessons learned from building a pluggable, cloud-based "Security Operations Center" running entirely on containers to help security teams rapidly build out scanning pipelines, centralize alerts, investigate malware, and easily collaborate with teams across the organization. I'll dive into the architecture and design of the cluster and how to quickly get a POC running in Kubernetes.

Speakers
Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader who has been involved in information security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side...


Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:55pm EDT

Mapping the Risk in Your Value Stream

Mapping can help visualize the flow between your customers and the raw materials your business uses to provide them with products or services. This session will examine how mapping risk onto your value stream can improve your chances of success and keep failures bounded to expectations.

Description

While enumerating system states may increase our understanding of our options, it does not account for probabilities and likely outcomes. Any attempt to instantly transition a system to a desired state is usually expensive and unsuccessful.

By visualizing our value stream and weighing our options we're able to trade the high risk for lower but more likely payouts. These low-risk wagers provide the intermediate steps needed to reach our goals without taking some huge leap of faith.

By painting a more complete picture with our numbers we're enabling our audiences to make educated decisions. We'll look at different types of value stream mapping techniques and how to automate data collection for different types of metrics.

  • Basic Value Stream Mapping
  • Wardley Mapping
  • Five Required Families of Metrics
  • Enumerating Risks
  • Automating Analysis
  • Taking Action with Data
  • Evolving System Models

Speakers
Chris Corriere

Chris Corriere has been working with data, phones, networks and writing software for over fifteen years. His background in mathematics and engineering has allowed him to adapt to new and industry-specific technologies and provided many unique consulting opportunities. As a DevOps...


Friday October 14, 2016 3:55pm - 4:30pm EDT
Room C

5:00pm EDT

Keynote - What does winning look like?
Speakers
Dan Geer

Dan Geer is currently the CISO for In-Q-Tel, a not-for-profit investment firm that works to invest in technology that supports the missions of the Central Intelligence Agency and the broader U.S. intelligence community. Looking at just a few of his accomplishments, Geer was a key...


Friday October 14, 2016 5:00pm - 6:00pm EDT
Grand Ball Room Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001