AppSec USA 2016 has ended


Thursday, October 13


Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API
For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing secure coding techniques. To address this gap, Microsoft started a project back in 2011 called CAT.NET to help identify secure coding bugs such as XSS, SQL Injection, and XPath Injection. Unfortunately, CAT.NET failed and never made it past the first version. Aside from purchasing expensive commercial static analysis tools, .NET development teams have been left without an easy way to integrate secure code scanning rules into Visual Studio. At least until now...

With the release of Visual Studio 2015, the open-source .NET Compiler Platform (aka “Roslyn”) exposes a set of code analysis APIs capable of querying the source code, identifying a security issue, and reporting it as code is written! In this talk, we will explore the code analysis APIs and show you how to create a live static analysis rule. Come prepared to see demonstrations of Visual Studio static analysis rules in action, and walk away with a static analysis rule pack to run against your organization’s .NET applications.


Eric Johnson

Senior Security Consultant, Cypress Data Defense, LLC
Eric Johnson is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. Eric is a Certified SANS Instructor and is a course author for DEV544: Secure Coding in .NET, DEV531: Mobile App Security Essentials, and several...

Thursday October 13, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


SPArring with the Security of Single Page Applications

When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, and Muay Thai for the stand-up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he's on the ground, he needs to know Jujitsu and Sambo to submit his opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker: a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
- Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
- Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
- Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
- Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements, and how this can create security issues that are inherited from trusting the third party.
- Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!


Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company's application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...

Thursday October 13, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Next Gen Web Pen Testing: Handling Modern Applications in a Penetration Test
As technology advances and applications make use of newer technology, our penetration testing techniques and methods have to keep up. In this presentation, Jason Gillam and Kevin Johnson of Secure Ideas will walk attendees through new web technologies and how testing methods can change to handle the nuances. Some examples of technologies and changes that will be discussed during the talk are: HTTP/2, CSP, CORS and RESTful APIs. During the presentation, Kevin and Jason will walk through each new system or feature and methods to test it. After presenting these techniques, Jason and Kevin will walk through the new modern vulnerable application and the release of the new SamuraiWTF 4.0.


Jason Gillam

Secure Ideas LLC
Jason Gillam is a Principal Security Consultant with Secure Ideas. He has over 15 years of industry experience in enterprise software solutions, system architecture, and application security. Jason has spent most of his career in technical leadership roles ranging from startups to...


Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...

Thursday October 13, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Threat Modeling with Architectural Risk Patterns
Current approaches to threat modeling emphasise manual analysis, typically performed by developers together with a security specialist. This has a high initial cost, both in terms of time and the skills required to perform it. Both of those constraints are under pressure as organisations increase the speed and volume of software development. In enterprise environments there is the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process. Lack of the necessary security skills is also a reason that many smaller companies never attempt threat modeling in the first place.

This talk will present a software-centric method of threat modeling that uses risk patterns to increase the speed of creating a threat model and that also introduces a degree of consistency into the process. We'll present a series of incremental improvements to the use of risk patterns, from a simple checklist-based approach to the use of a flexible rules engine.

This method could be implemented by tooling to automatically generate a threat model based on architectural decisions. The technique employs principles from object-oriented software design, such as inheritance and method overloading, so that the contents of the patterns can be practically maintained and extended without unnecessary repetition. Organisations can use this method to extract the expertise from their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.


Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and is focused on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and the BDD-Security open source security testing framework. His background is in software development and security testing...

Thursday October 13, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


How to Find the Next Great Deserialization CVE
The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE. 

The commonalities between deserialization attacks will then be discussed, laying the framework for a "how to" guide on finding and exploiting deserialization vulnerabilities.

The talk will also explain the incredible difficulty faced when using traditional appsec defenses (input validation, signaturing) to stop these vulnerabilities, and explain free and open source options for builders to protect themselves from such attacks.


Arshan Dabirsiaghi

Chief Scientist, Contrast Security
Arshan is an accomplished security researcher with over 10 years of experience advising large organizations on application security. Prior to Contrast Security, Arshan spent 8 years at Aspect Security in a research role where he used static and dynamic technology to perform security...

Thursday October 13, 2016 3:30pm - 4:30pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


HTTPS & TLS in 2016: Security practices from the front lines
Implementing strong security for Internet-facing services has grown more challenging and more complex over the past two years. With protocol-level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long-held assumptions about foundation system network code. What are the right tradeoffs between modern network security requirements versus widespread legacy client and user interoperability? How do we apply these to traditional Apache and Nginx servers, mobile app web services, and non-browser infrastructure like libcurl, proxies, API endpoints, and load balancers? And what's the deal with Curve25519, ChaCha/Poly1305, LibSodium, BoringSSL, and LibreSSL?

Here, we present a practitioner's crash guide to modern site and web service endpoint encryption using HTTPS. We cover the "TLS 101" (and 201) fundamentals of certificates: ECDSA vs RSA, 2K vs 4K, ephemeral Diffie-Hellman (elliptic curve versus static), Domain Validation vs Extended Validation. We'll talk about intermediate and root authorities (and why Superfish is such a problem), and then look at some best practices around HTTPS including certificate transparency (CT), pinning (HPKP), and strict transport security (HSTS). Lastly, we'll give updates from the OpenSSL 1.1 audit, and point to well curated configuration guides and recipes for HTTPS and TLS.


Eric Mill

Eric Mill is a software engineer and advocate for a web that is safe and secure for all of its users. Eric is currently an advisor and engineer in a federal government agency, and has previously worked at the Sunlight Foundation on open data infrastructure and policy.

Kenneth White

Director, Open Crypto Audit Project
Kenneth White is a security researcher whose work focuses on networks and global systems. He is Director of the Open Crypto Audit Project (OCAP), currently managing a large-scale audit of OpenSSL on behalf of the Linux Foundation's Core Infrastructure Initiative. In his day job...

Thursday October 13, 2016 3:30pm - 4:30pm
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

Friday, October 14


Putting an “I” in Code Review – Turning Code Reviewing Interactive
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on the relevant parts becomes much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger, and provide a quick starter kit for implementing this technique.


Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and...

Friday October 14, 2016 9:30am - 10:30am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Exploiting CORS Misconfigurations for Bitcoins and Bounties
Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.


James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience...

Friday October 14, 2016 10:45am - 11:45am
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Automating API Penetration Testing using fuzzapi
Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature development teams, including internet giants such as Facebook, Google and Microsoft.

Where do the developers fail? After studying several API vulnerabilities across the internet, the main problem our team has identified is that developers often have little understanding of how to write or implement secure REST APIs. Most fail while trying to solve the complexity of writing APIs for web and mobile platforms simultaneously. Another significant problem the team has identified is that most DevOps engineers and penetration testers have no standard platform that provides coverage of the common vulnerabilities typically found in APIs. It has been a challenge for penetration testers to practice security testing on APIs across multiple platforms in the absence of such vulnerable applications.

Our project is trying to address this problem for the broader community by developing a platform to better understand and practice testing for the most common API vulnerabilities. Rather than a tool that only identifies vulnerabilities in web services, we have built a platform that enables everyone to test and understand a large range of API vulnerabilities that exist in both web and mobile applications. 

As part of this presentation, our team will release an API Fuzzer as an OWASP Project to help developers test the APIs they develop during the early stages of the SDLC. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to pen testing. Pen testers can also use this tool against various APIs during their testing, which will allow them to automate a few tasks.


Abhijeth Dugginapeddi

Abhijeth D (@abhijeth) is a Security Consultant working for a bank in Australia. Previously worked with Adobe Systems, TCS and Sourcenxt. Security enthusiast in the fields of Penetration Testing, Application/Mobile/Infrastructure Security. Believes in need for more security awareness...


Lalith Rallabhandi

Lalith Rallabhandi (@lalithr95) currently works as a Developer Intern at Shopify. He has previously worked with Hackerrank, Zomato and Google Summer of Code. Likes to code, break stuff mostly with web applications and is a Ruby on Rails enthusiast. Found bugs with Google, Microsoft...

Friday October 14, 2016 1:00pm - 2:00pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001


Misconfigured CORS and why web application security is not getting easier
Web application security is actually really hard to enter into the "big leagues" with a mature security program like Facebook, Google, and the like. These orgs are very mature and oftentimes roll out the newest, latest, greatest security features.

Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1 million sites that caused sites to basically turn off SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficulty of understanding the details of the CORS headers that caused the issue. Lots of things to understand.

I want to then talk about individual security technologies and their operational issues associated with them.
- CORS etc etc etc.

There's a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.


Evan Johnson

Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On Twitter he is @ejcx_

Friday October 14, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001