We are excited to announce the Project Summit USA 2016. OWASP is providing a platform for two full days at APPSEC USA 2016. An open forum setting for ideas, innovations, gain contributors and share feedback for projects to advance to the next level.
Join our Project Leaders in a discussion on OWASP Projects!
Please feel free to add Hot Topics that you would like to see discussed.
Contacts:
Senior Projects Technical Coordinator Matt Tesauro
Project Coordinator Claudia Aviles-Casanova
You will need to bring a laptop with 100MB or greater of free hard disk space and the following software installed:
You should clone the course exercises, demos, and examples from https://github.com/rcseacord/JavaSCR.git prior to the class. Make sure that you have imported the code into your IDE and that you can build and test the sample programs.
“The CERT Oracle Secure Coding Standard for Java” and “Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs” books authored by Robert C. Seacord and published by Addison-Wesley can be purchased in advance at InformIT. We will be covering chapters 1-8 of The CERT Oracle Secure Coding Standard for Java in class, if you want to prepare by reviewing these chapters.
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. The team that uncovered iOS malicious profiles, WiFiGate, HTTP Request Hijacking, No iOS Zone and Invisible Profiles are taking it upon themselves to coach developers and organizations on how to regain control, and turn the tables on the hackers behind next-generation mobile malware.
In his presentation, Yair will discuss cutting-edge techniques used by malware writers to circumvent mobile security paradigms such as app-sandboxing and containers. Mr. Amit will then break down the current set of techniques (signatures, static analysis & dynamic analysis) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions.
During a live, interactive demo, Yair will create a mobile malware on stage, meant to be undetected by static and runtime analysis technologies.
Many developers and companies looking to implement security are turning towards OWASP to use Defender libraries that they can implement to secure their critical applications. Since this implies a form of trust in OWASP, many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.
Testing web applications for security can be a challenging task. But testing that security control libraries are robust in the face of attack is an even more difficult challenge, even for the most sophisticated assessment professionals.
BugCrowd provides their platform and services to allow OWASP projects to conduct specific Bug Bounty programs, primarily for Defender category projects, but also for any other Code Project that must be installed and could therefore introduce vulnerabilities on the computer it is installed on.
The following projects are part of OWASP Bug Bounty:
NO PROBLEM!
Head on over to the Members Lounge located in the Mount Vernon room
Here you can grab a snack, quench your thirst, recharge those batteries, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.
Not an OWASP Member? That’s okay, swing on over to the Lounge and you can sign up on the spot!
Look for the signs or ask a volunteer for directions
This method could be implemented by tooling to automatically generate a threat model based on architectural decisions. The technique employs principles from Object Oriented software design, such as inheritance and method overloading, so that the contents of the patterns can be practically maintained and extended without unnecessary repetition. Organisations can use this method to extract the expertise of their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.
From light bulbs to drones, sophisticated technology is integrated into nearly every aspect of our lives. Today, nearly everyone is technologically curious if not active in a maker or hackerspace. The world is, essentially, a security researcher’s dream. The ease with which devices can now be altered also makes some companies uncomfortable or eager to profit off of user generated content. Mediating these competing needs is the law, written largely for generations-old technology by political bodies not conversant in the nuances of bleeding edge tech.
Enter DRM, which can be used to prevent your devices from completing legal tasks or punish researchers who seek to secure them. OWASP is proud to offer you a chance to speak with the EFF’s Cory Doctorow about their current lawsuit and the intersection of security research and DRM. The second half of the one hour session will be opened up to a Q&A by the audience.
Serverless is the awesome future of cloud computing. This session will focus on practical security approaches for serverless in four key areas: software supply chain, delivery pipeline, data flow, and attack detection.
Serverless is a design pattern gaining a lot of traction in DevOps shops. The serverless pattern allows scale without managing the servers or processes running the application. This is done across the continuum of cloud, from storage as a service to database as a service, but the center of serverless is Functions as a Service (FaaS). FaaS offerings on the market include AWS Lambda, Azure Functions, and Google Cloud Functions. Processes now run for milliseconds before being destroyed, and are instantiated again for subsequent requests.
Security changes under serverless and our traditional modes of firewalling and hardening all the things just won’t cut it. Practices like vulnerability discovery, code scanning and intrusion detection change in a serverless architecture. Other changes for serverless include how applications are built and deployed to how teams are structured.
This session will focus on practical security approaches and the four key areas of serverless security: software supply chain, delivery pipeline, data flow and attack detection. Even if you don’t have any experience with serverless, don’t worry, in this session we will start with the basics and you will learn what serverless is (it’s still being defined) and practical patterns for serverless adoption.
Application security has changed dramatically from even just a decade ago. Today, if you do not build in security and deliver continuously, you are at risk. This is the story of how we have updated our practices to incorporate security at every phase, through the intersection of DevOps and Cybersecurity. The session will touch on lessons learned through real world experience and things you can do to begin integrating security into your DevOps pipeline through the use of ongoing authorization.
When it comes to looking at Security and DevOps, one has to look at it in two dimensions: 1. Securing the Application, and 2. Securing the Application Delivery Pipeline. Securing the application is focused on ensuring that the application being developed and delivered, and its associated data, are secure: that they are built and delivered using Secure Engineering practices that ensure the security and integrity of the application, of the business, and of the end-users.
Securing the Application Delivery Pipeline focuses on securing the Delivery Platform itself - ensuring that the application development and delivery tools, the infrastructure and environments, configurations, automation tools, repositories, and associated Services and APIs are all secure.
This session will look at the security considerations that need to be taken to put the Security in DevOps.
We've heard software is eating the world; software is infecting the world. Our dependence on connected technology is growing faster than our ability to secure it - in areas affecting public safety and human life. Adding millions of lines of code and connecting everything to everything else exposes cyber physical systems to new accidents and adversaries. This is truly where bits & bytes meet flesh & blood. While many in security fear DevOps and see it as the end of security as we know it... maybe that's a good thing. Our best is not good enough. Despite best practices, modern SW and Security have allowed 100 of the F100 to lose IP and sensitive information - even our governments routinely succumb to adversaries. These failure rates cannot stand when the consequences of failure are measured - not in record count - but in human lives and GDP. Paradoxically, it may take DevOps to rise to these challenges. Rugged DevOps is finding un-obvious common ground and breakthroughs like SW supply chain principles, greater visibility and response agility, immutable infrastructure, and the like. We must be better. This is what better looks like.
Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature development teams, including internet giants such as Facebook, Google and Microsoft.
Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to solve the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOps engineers and penetration testers have no standard platform that provides coverage of the common vulnerabilities typically found in APIs. In the absence of such deliberately vulnerable applications, it has been a challenge for penetration testers to practice security testing on APIs across multiple platforms.
Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications.
As part of this presentation, our team will release an API Fuzzer as an OWASP Project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to Pen Testing. Pen testers can also use this tool against various APIs during their testing, which will allow them to automate a few tasks.
Got it, DevSecOps… now could you stop dropping the microphone and show me how. It’s time for DevOps and Security to come together and show how tools and processes can make it possible for software developers and security professionals to unite in a common mission. It’s not easy to bring everything together and make it possible to build better, safer software at scale. Using developer tools like Jira, Jenkins, and Nexus; it is not only possible to increase the efficiency of software delivery but to strengthen applications at the same time. Digging into these tools, we’ll take a look at how security defects and feature requests are now becoming part of a developer’s backlog. And we’ll look at unique ways to evolve both DevOps and Security to increase the speed of finding and fixing security issues while deploying software and still enjoying your job.
Every software development organization on the planet relies on a software supply chain, but most can’t see it and don’t understand the volume of components flowing through it. In the 2016 State of the Software Supply Chain Report, I detailed the practices of over 35,000 software development organizations who consumed billions of open source and third-party components in 2015. Across billions of components downloaded, I found that 1 in 17 had a known security vulnerability. I also found a similar ratio of components flowing through these software supply chains into finished applications.
Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by as much as 30%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation. Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.
Results from the report will be shared with attendees, including:
This discussion is not intended to simply shed light on bad practices. It is about making your software supply chain visible. Attendees will learn how those on the forefront of Development and Application Security are improving the quality and security of components used across their software supply chains.
As shown in the 2016 State of DevOps Survey, DevOps practices are changing the role of security teams, moving them “to the left” in the SDLC as part of the design phase and no longer simply validating production as being secure. Result: 50% less time remediating security issues.
The State of DevOps Survey has been running for the last 5 years, and the past two in particular have shown that DevOps practices are moving beyond just “Dev” and “Ops” to involve security teams as well as other areas of the business. Various labels are being used to describe this world: SecDevOps, DevSecOps, RuggedDevOps, but the critical inflection point is that the combination of strong automation platforms, continuous delivery, infrastructure-as-code and version control are all enabling security teams to validate and secure apps and infrastructure at the design phase. This minimizes the amount of manual validation of production by security teams, enables faster remediation of security issues and ultimately results in more secure deployments, but only if security teams take this opportunity to revisit existing practices that have built up over time.
In this talk we’ll be covering the high level results of the 2016 State of DevOps Report, the changing role of security teams as well as some anonymized user stories illustrating both how to best take advantage of a growing DevOps practice within your organization and major missteps observed in the field.
We all know that “DevOps” is a portmanteau of Development and Operations, but where is the “Sec”? Security has long been the red-headed stepchild of the DevOps cultural movement. The time has come to fully integrate traditional security testing practices into a Continuous Delivery pipeline.
We will discuss the current state of security in DevOps, what it means to have a security pipeline, and some challenges and solutions of such a transformation.
Mapping can help visualize the flow between your customers and the raw materials your business uses to provide them with products or services. This session will examine how mapping risk onto your value stream can improve your chances of success and keep failures bounded to expectations.
Description
While enumerating system states may increase our understanding of our options it does not account for probabilities and likely outcomes. Any attempt to instantly transition a system to a desired state is usually expensive and unsuccessful.
By visualizing our value stream and weighing our options we’re able to trade the high risk for lower but more likely payouts. These low risk wagers provide the intermediate steps needed to reach our goals without taking some huge leap of faith.
By painting a more complete picture with our numbers we’re enabling our audiences to make educated decisions. We’ll look at different types of value stream mapping techniques and how to automate data collection for different types of metrics.