AppSec USA 2016 has ended

Lightning Talks
Thursday, October 13


Lightning Talk - Demystifying CSP
There have been many attempts to make the Web a more secure place, or at least make it harder to attack web applications. One of them is CSP, Content Security Policy. In my talk, I will cover the history of CSP, how it has evolved from its original version, and what features will be available in the near future.
One of the challenges in deploying CSP is to understand which versions and directives are supported by different web browsers. In this presentation, I will share the current CSP compatibility matrix for major web browsers to provide a better understanding of CSP support. I will also demonstrate a framework that I developed to make it easy for anyone to run the same CSP feature set of tests, inspect the results, and add new feature checks.
In the last part of the presentation, I will show the usage of CSP by Alexa top web sites and how good their CSP policies are. I will also explain common CSP mistakes and strategies to fix them. Last but not least, I will demonstrate various tools, frameworks and libraries which would be useful to improve CSP policies.

Ilya Nesterov

Engineering manager, Shape Security
Ilya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures...

Thursday October 13, 2016 9:15am - 9:25am
Room C


Lightning Talk - Assessing and Exploiting XML Schemas Vulnerabilities
Specifications for XML and XML schemas have been designed with multiple security flaws. At the same time, these specifications provide the tools required to protect XML applications. This provides a complex scenario for developers and a fun environment for hackers.

Even though XML schemas are used to define the security of XML documents, they are also used to perform a variety of attacks: file retrieval, server side request forgery, port scanning, and/or brute forcing.

This talk will analyze how new attack vectors can be inferred by analyzing the current vulnerabilities and how it is possible to affect common libraries and software. Recommendations will be shared to safely deploy applications relying on XML.

Fernando Arnaboldi

Security Consultant
Fernando Arnaboldi is a developer and a security consultant who specializes in penetration testing and code reviews on multiple platforms. He has focused his research on breaking the security of different programming languages and has presented his findings in security conferences...

Thursday October 13, 2016 9:30am - 9:40am
Room C


Lightning Talk - Application Security in a DevOps World: Three Methods for Shifting Left
Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development and operations was expected to “just make it work.” The same can be said about many other activities, including application security. This isn’t intended to be derision aimed at development—it’s just a feature of how processes have historically been demarcated. 
But with the emergence of the DevOps movement, organizations are beginning to apply the “shift-left” principle associated with early testing toward other facets of application development. Security, which has been treated as something you can test into an application, should be built into an application according to DevOps principles. 
In this presentation, we discuss how to get development and operations working together to build security into the application. We’ll outline three methods and discuss their merits and drawbacks:
• Penetration testing: This is the approach most commonly used.
• Hybrid testing: By applying flow (dynamic analysis) early in the process, you can look for possible paths through the code that lead to security flaws.
• Preventative testing: By taking a standards-based approach and implementing a set of activities that target defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches.

Aaron Lindsay

Aaron Lindsay has been helping Parasoft’s clients harden code, develop functional testing solutions, and virtualize their environments for almost 4 years. He has worked on projects all across America and South America, incorporating service virtualization into verticals that range from...

Thursday October 13, 2016 9:45am - 9:55am
Room C


Lightning Talk - Automated Gadget Chain Generation for Object Injections
Object injection vulnerabilities account for the most sophisticated attacks against web applications today. They persist when an attacker is able to modify the unified string representation of an object that is passed to the application. By injecting a specifically crafted object, the attacker can trigger the execution of existing code fragments, so-called gadgets. Depending on the application's source code and programming language, different gadget chains are possible that can lead to diverse security issues, such as remote code execution. Due to today's applications' code complexity and size, finding all possible gadget combinations is a difficult task. This lightning talk will present new static code analysis techniques for the automated detection of PHP object injection vulnerabilities and the automated generation of gadget chains.

Hendrik Buchwald

CSO, RIPS Technologies
Hendrik Buchwald is a computer science graduate from the Ruhr University Bochum and a professional software engineer. He is co-founder and the CSO of RIPS Technologies, a Bochum-based IT security company with focus on code analysis solutions for web applications.

Thursday October 13, 2016 10:00am - 10:10am
Room C


Lightning Talk - If you can dodge a wrench!..... (or how not to security test your web app):
Have you ever initiated a test that inadvertently sent 2,000 emails to your executives? How about dumping your Production Database?

As web applications become more advanced, security teams have become increasingly reliant on using automated scanners to discover vulnerabilities within their environment. However, unlike NetSec scanners, web application scanners have the potential to break your web app, resulting in loss of data, downtime and more importantly, lost revenue.
But don't shut down your scanning program just yet! I will walk you through the common mistakes, pitfalls and pre-scanning techniques that will ensure a more harmonious relationship between your scanner and web application.

In this talk you will learn pre-scan reconnaissance techniques, what changes you should make to your application, and how to dodge common scanner configuration mistakes.

Thursday October 13, 2016 10:15am - 10:25am
Mount Vernon Square B, Renaissance Washington, DC Downtown Hotel, 999 9th St NW, Washington, DC 20001


Lightning Talk - WAF Evolution, or How I Stopped Worrying About Vulnerabilities
In this talk, we'll explore how application firewalls must evolve to continue to provide powerful, operationally scalable security policies. Gone are the days of "virtually" patching vulnerabilities when remediation time continues to shrink in more agile, devops-driven infrastructures. Infrastructure-based application security must pivot to focus on client behavior and characteristics, rather than on the web app itself. Security must also be extended to the browser, to protect even the user who will click on anything from compromise.
Elements of this topic have been covered in my columns on Information Security Buzz:
http://www.informationsecuritybuzz.com/articles/the-death-of-waf-as-we-know-it/
http://www.informationsecuritybuzz.com/articles/when-a-bot-isnt-a-bot/
http://www.informationsecuritybuzz.com/articles/is-bot-detection-the-best-value-in-infosec/

Brian McHenry

Senior Security Solutions Architect, F5 Networks
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and the F5 product teams, providing a hands-on, real-world perspective. He is also a regular contributor on InformationSecurityBuzz.com...

Thursday October 13, 2016 10:15am - 10:25am
Room C


Lightning Talk - Taking Back Privacy to Gain Control
The word ‘privacy’ has become an increasingly prevalent and polarizing term and it is a problem. 

Asking someone to define ‘privacy’ is like asking them for their definition of God. The question is intensely personal, colored by distinct experiences and backgrounds. After talking to hundreds of people and spending a career thinking about it, it’s possible we’ve been contemplating the wrong question.

The word privacy itself has obscured the issue because the “battle over privacy” isn’t really about privacy at all — it’s about control. Thinking about it in more specific examples, when someone decides to do naked yoga with the curtains closed (or open, as it were), they’re really saying: “I choose to let you see me or not…but either way it’s my choice.” 

Privacy becomes a hot button topic when information or our actions are recorded without our consent or knowledge. We’re outraged that the NSA engaged in domestic surveillance and creeped out that companies are profiling us at such a detailed level that they can predict intimate events like pregnancy. 

However, as participating members of our modern, tech-enabled society, this is the trade-off we make. We’re not just giving up privacy for convenience; we’re surrendering control, and we do it because we don’t believe we have a viable alternative. 

This is not how the real world works.

At home, we can decide when to turn off the lights and close the blinds. We control who, how and what about ourselves is shared. This is our right — our choice — and it’s a decision that will differ from person to person because everyone has a varying degree of comfort when it comes to sharing pieces of his or her personal life. That’s the definition of control.

Which leads back to the problem: talking about privacy in the first place. Not only does it fail to address the real issue (control), it fails to include everyone in the conversation. Let’s be honest, some people simply don’t mind doing yoga naked with the curtains open. They aren’t as concerned about their privacy as others might be, but that doesn’t mean they don’t like having the freedom to choose when and how wide to open their windows. Steve Shillingford, CEO of Anonyome Labs wants to open the door to this problem and discuss. He believes individuals should be able to control their identities and personal information — plain and simple. 

Recent data from Pew (January 2016) suggests that while Americans aren’t necessarily opposed to sharing their information, they are frustrated and concerned by the lack of control they have regarding how, when and with whom that information is shared. In fact, 93% of surveyed adults said that being in control of who could access their information was important to them, and 90% said that control over what information was collected was important. So why are we talking about privacy at all?

Steve Shillingford

Anonyome Labs
Steve Shillingford, current Founder and CEO of Anonyome Labs, has more than 20 years of experience driving growth and revenue at industry-leading technology companies. Shillingford has served as an Advisor at Signal Peak Ventures since 2013, and also serves on the boards of E8 Security...

Thursday October 13, 2016 10:30am - 10:40am
Room C


Lightning Talk - Beyond The ‘Cript: Practical iOS Reverse Engineering
There is an app for everything these days. And if you are current on your Infosec news you know every new app comes with its own vulnerabilities. One class of bugs has been relatively easy to find, with frameworks becoming increasingly available to help. 

But more and more developers are hardening their apps against common issues using jailbreak detection and best practices, and some of the easy issues are starting to dry up.

Luckily for the top testers, there is another class of bug that can still (and only) be found with deeper knowledge of iOS and its underlying assembly code.

The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover. 

The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing Mach-O binaries, and ends with some real-world examples involving jailbreak detection.

Michael Allen

Security Consultant, IOActive, Inc
Michael E. Allen is a security consultant at IOActive with more than ten years of experience in the Information Security industry. His primary interests are in programming, exploit development, and reverse engineering. Mr. Allen has extensive skills in design, implementation, enhancement...

Thursday October 13, 2016 10:45am - 10:55am
Room C


Lightning Talk - LANGSEC 101: Taking the Theory Mainstream
LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and it's ready for a mainstream debut. Heard about LANGSEC but don't know what it is or whether you should use it? Programming languages are getting more powerful and capable, burdening developers and security professionals alike. LANGSEC attempts to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application.

This session provides an easy-to-follow introduction to the LANGSEC philosophy, and is geared towards those with no prior experience building parsers or understanding of formal language theory. Attacks that can be addressed with the effective implementation of LANGSEC include:

- Cross-site scripting (XSS) 
- SQL Injection 
- Command Injection 
- Format String 
- Stack Overflow 
- Heap Overflow
- File Inclusion 

Nobody wants these vulnerabilities in their code. This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained increasing momentum as a much more thorough, robust way to implement application security.

Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal...

Thursday October 13, 2016 11:00am - 11:10am
Room C


Lightning Talk - Building your Own Security ChatBot
ChatOps, a term widely credited to GitHub, is all about conversation-driven development and enabling teams to quickly and easily manage their development and deployment pipelines. Security for many years has been siloed, and often only the security team runs these security tools. With ChatOps for security, common tools such as nmap, ZAP, Burp, and static code tools are available as a security chatbot. Need to run an nmap scan? No problem! Ask @SecurityBot to scan your server and even limit which destination IPs can be scanned.

Oftentimes there are many great security tools that hide behind obscure command line flags or have complex setup requirements or dependencies. Learn how to convert these tools into accessible tools that the security team and developers can take advantage of, so that these tools are only a conversation away. No binary tool distribution or configuration, just chat!

Aaron Weaver

Application Security Manager, NA Bancard
Aaron Weaver is the Application Security Manager at NA Bancard. Prior to that he was at Cengage Learning and Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks...

Thursday October 13, 2016 11:15am - 11:25am
Room C


Lightning Talk - Can IT & Engineering get along for the sake of building, deploying, and maintaining app security?
Mobile security has become a top priority for companies as both critical customer and company data flows through these apps constantly. Whether enterprise workforce or consumer-facing apps, how can we as Engineering and IT teams work together to make app security a top priority, but also create development and deployment templates that ensure the proper protections are in place in a standardized way and that the necessary components are included at the code level to enable the type of ongoing cyber threat monitoring required once apps are live?

Mark Stutzman

Mark Stutzman, CEO of Appmobi will discuss the strategies necessary for teams to work together to ensure mobile app security and the tools they should consider that enable both secure development and deployment as well as real time monitoring and threat resolution.

Thursday October 13, 2016 11:30am - 11:45am
Room C


Lightning Talk - The hidden bug in public bug bounties
On the surface, public bug bounty programs look like a no-brainer. You invite a number of security researchers to find security issues in your application and you only pay for valid results. Who can say no to that? However as we explore in this talk, for many organizations, launching a public bug bounty program is a buggy idea. It’s like storming the castle before gathering systematic intelligence and planning strategic attacks.

In this talk we will look at some of the challenges of public bug bounties such as:
- Low signal-to-noise ratio, which drives up the cost per bug
- Significant program management needed to run the program

We will look at the return on investment between running a public bug bounty program and engaging in more focused crowdsourced pen tests.

We’ll dive deeper into experiences drawn from the crowdsourced appsec industry over the last 4 years, as well as analysis of publicly accessible data in connection with data gathered from 200+ organizations running security programs on the Cobalt platform.

Jacob Hansen

CEO, Cobalt Labs
Jacob Hansen is the CEO and Co-Founder of Cobalt Labs. Cobalt delivers crowdsourced pen tests and private bug bounties to modern organizations. Prior to founding Cobalt, Jacob was a consultant at Accenture in Copenhagen and London, where he delivered Enterprise IT Solutions for Fortune...

Thursday October 13, 2016 11:45am - 11:55am
Room C


Lightning Talk - Demystifying Windows Application
The talk will cover the security architecture of Windows 7 and Windows 8: OS features, BitLocker encryption, the sandboxed application model, UEFI Secure Boot, and the Windows mobile application development life cycle. It will then cover testing Windows mobile applications against the OWASP Mobile Top 10 and the lack of binary protection. It will show real-world application flaws in applications like Dropbox, Facebook, eBay and Box, along with the exploitation techniques, demonstrate the hacks, and discuss secure coding techniques for mitigating the security flaws.

Rupali Dash

Analyst, Goldman Sachs
Rupali is working at Goldman Sachs as a security analyst. She is focused on mobile application security and has been awarded for her work by big billion companies. She also works on IoT and is a subject matter expert for developing secure applications on platforms like Android...

Thursday October 13, 2016 12:00pm - 12:10pm
Room C