AppSec USA 2016 has ended

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tracks [clear filter]
Thursday, October 13

9:30am EDT

Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software
Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated with the previous two.

Core to the DevOps movement is the idea of building empathy with people in other teams in order to align for business success. Providing the perspectives from three engineers who have each lived primarily in one of Dev, Ops, or Security, but have also worked collaboratively to try not to kill each other. They will talk about their backgrounds, provide practical examples from daily experiences, and share suggestions on building common tooling that minimizes friction and enhances collaboration.

This talk will discuss
- The misalignment of priorities that organisations often force upon these groups
- Struggles with collaboration and working cultures
- Common bottlenecks associated with release cycles and security processes
- Building empathy and optimizing for communication that doesn't involve fisticuffs (or other 19th century combat styles)

The audience will come away with:
- Ideas for handling these complicated situations
- Approaches for building workflows and possible tooling suggestions to minimize the tire fires
- A new appreciation for those on the other sides of the silo walls

avatar for Chris Barker

Chris Barker

Turning in his pager for an airline miles membership, Chris Barker now helps fellow system administrators refine and automate their infrastructure. In his past life as a systems administrator, he has administered Linux, Windows, and OS X systems in infrastructure ranging from small... Read More →
avatar for Adrien Thebo

Adrien Thebo

Adrien is a software engineer at Puppet. He started in IT Ops in 2005 and started writing code to automate everything, inadvertently becoming one of the earliest devops hipsters (he did devops before it was cool). Adrien joined Puppet in 2011, first on the Operations team where he... Read More →
avatar for Bill Weiss

Bill Weiss

Sr Manager of SysOps, Puppet
As a red-and-blue-team member turned sysadmin herder, Bill Weiss had an early introduction to automation in security, and he's spent the rest of his career trying to bring that idea to more places. He started out working in the .gov, moved to Chicago to spend several years at a financial... Read More →

Thursday October 13, 2016 9:30am - 10:30am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

Practical Static Analysis for Continuous Application Security
Static code analysis tools that attempt determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building generic static analysis tools, especially for security, is a costly, time-consuming effort. As a result very few tools exist and commercial tools are very expensive - if they even support your programming language.

The good news is building targeted static analysis tools for your own environment with rules specific to your needs is much easier! Since static analysis tools can be run at any point in the software development lifecycle, even simple tools enable powerful security assurance when added to continuous integration. This talk will go through straight-forward options for static analysis, from grep to writing rules for existing tools through writing static analysis tools from scratch.

avatar for Justin Collins

Justin Collins

Brakeman Guy
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. His commercial product, Brakeman Pro, was acquired by Synopsys in 2018.

Thursday October 13, 2016 10:45am - 11:45am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

Using language-theoretics and runtime visibility to align AppSec with DevOps
Programming languages are becoming more powerful and capable, and applications more porous than ever before -- burdening developers and security professionals alike. Evolving constraints, patterns and definition lists make validating data inputs and preventing injections while maintaining application performance unwieldy and difficult. Nobody wants vulnerabilities in their code, but with the rise of Agile DevOps, security is usually playing catch-up. 

A new breed of embedded runtime security tools coined Runtime Application Self-Protection (RASP) are enabling developers and security admins to see beyond potential vulnerabilities and identify the actual attacks that are hitting their applications in production. RASP comes in several shapes and sizes, and this talk is designed to introduce the audience to the RASP implementation based on the LANGSEC methodology and its mission to align Security and DevOps – giving both teams the visibility and automation they need to work in synchrony.

LANGSEC has been a promising yet heady topic on the fringes of AppSec for several years, and its ready for a mainstream debut. LANGSEC attempts to use the grammar and linguistic constructs of the programming language itself to solve vulnerability classes that arise from user input unintentionally changing the expected behavior of an application (XSS, SQLi, command injection, CSRF, format string, stack / heap overflow, file inclusion). 

This session will begin by pointing out the flaws and limitations of any application security model that is dependent on traditional techniques that rely on signatures, definitions, pattern-matching, regular expressions or taint analysis. Once solely the obscure domain of compiler geeks, Language Security, a.k.a. LANGSEC, is a completely different approach and has gained a lot of traction as a much more robust approach to securing and releasing applications more quickly and easily.

avatar for Kunal Anand

Kunal Anand

Co-founder and CTO, Prevoty
Kunal Anand is the co-founder and CTO of Prevoty, a runtime application security platform. Prior to that, he was the Director of Technology at the BBC Worldwide, overseeing engineering and operations across the company’s global Digital Entertainment and Gaming initiatives. Kunal... Read More →

Thursday October 13, 2016 1:00pm - 2:00pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Cleaning Your Applications' Dirty Laundry with Scumblr
Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed everyday, code is pushed every hour, and systems are spun-up and down at will to support changing demand patterns of online video streaming. This, combined with Netflix's 100% cloud model, provides significant challenges in understanding our assets, the risk they pose, and the vulnerabilities they expose.

In order to help address these issues we developed and released an open-source tool call Scumblr in 2014. Scumblr was initially focused on the outside--find interesting intelligence from the Internet and bring it to our attention. Internally at Netflix, however, we've set our sights on new challenges and have found new and innovative ways to use the Scumblr platform to make an AppSec engineer's life a little bit easier. Through a series of small tweaks as well as larger architectural changes, Scumblr has become a versatile tool that allows us to track a wide range of information including changes to endpoints on netflix.com, risk profiles for each application in our environment, and the status of vulnerabilities across a thousands of applications. We've made changes to Scumblr to make it faster, more flexible, and more powerful and we're ready to share these changes with the open source community.

Attendees of this talk will get an understanding for how we designed a tool that has been successful in tackling a broad range of security challenges. We'll share our latest uses for the tools include details on how we're using Scumblr for vulnerability management, application risk tracking and other uses. Finally, we'll discuss how you can replicate what we've done by sharing new plugins that integrate with Arachni, AppSpider, Github, while also showing just how easy it is to create new integrations that open up new opportunities for automation, data collection and analysis.

avatar for Scott Behrens

Scott Behrens

Senior Application Security Engineer, Netflix
Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise... Read More →
avatar for Andrew Hoernecke

Andrew Hoernecke

Andy Hoernecke is a Senior Application Security Engineer on the Product and Application Security Team at Netflix where he spends his time on security automation, identifying and driving systemic security improvements to the Netflix architecture, and developing open source security... Read More →

Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001
Friday, October 14

9:30am EDT

Protect Containerized Applications With System Call Profiling
Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container. In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile in runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically from analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.

avatar for Chenxi Wang

Chenxi Wang

Dr. Chenxi Wang is Chief Strategy Officer of Twistlock, where she is responsible for product strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security... Read More →

Friday October 14, 2016 9:30am - 10:30am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

10:45am EDT

Practical tips for web application security in the age of agile and DevOps
The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfall development and its heavy weight controls often cause more problems than they solve in todays world of agile, DevOps, and CI/CD. 

This talk will share practical lessons learned on the most effective application security techniques in todays increasingly rapid world of application creation and delivery. Specifically, it will cover how to: 
1) Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
2) Obtain visibility to enable, rather than hinder, development and DevOps teams ability to iterate quickly 
3) Measure maturity of your organizations security efforts in a non-theoretical way

avatar for Zane Lackey

Zane Lackey

Chief Security Officer, Signal Sciences
Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding... Read More →

Friday October 14, 2016 10:45am - 11:45am EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

1:00pm EDT

DevOops: Redux
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:

-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)

avatar for Chris Gates

Chris Gates

Sr. Security Engineer
Chris Gates has extensive experience in network and web application penetration testing, Red Teaming and Purple Teaming. Chris is currently learning to be a part time fixer instead of full time breaker. In the past he has spoken at the United States Military Academy, BlackHat, DefCon... Read More →
avatar for Ken Johnson

Ken Johnson

CTO, nVisium
Ken Johnson, CTO of nVisium, has been hacking web applications professionally for 8 years. Ken is both a breaker and builder and currently leads the nVisium product team. Previously, Ken has spoken at DerbyCon, AppSec USA, RSA, AppSec DC, AppSec California, DevOpsDays DC, LASCON... Read More →

Friday October 14, 2016 1:00pm - 2:00pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

2:15pm EDT

Scaling Security Assessment at the Speed of DevOps
Scaling Security Testing at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window forcing teams to adopt highly automated test infrastructures. While the adoption of these trends and automated test frameworks have improved feature delivery and time to market, they have complicated security assessment, producing substantial gaps between the current release and the last security audited code. Consumers are now being forced to
adopt new code releases daily or hourly without substantive security review, especially in the Software as a Service (SaaS) sector. As engineering teams rapidly embrace these development methodologies, the community must evolve security testing strategies so as to enhance the security posture of products, services, and solutions.

This evolution must address three primary problems elucidated by the
aforementioned development trends:

1. Testability: Security requirements should be testable and verifiable.
2. Scalability: Security requirement should be capable of being
automated in a best-effort fashion so as to scale effectively.
3. Accessibility: Security tools and results should be easily digestible
by software engineers and testers, and new security tools should be
accessible to all development and test engineers.

Therefore, we have developed and are preparing to open source a new distributed security testing framework called Norad which facilitates security assessment at scale. This framework automates multiple open-source and vendor security tools and aggregates their results for review. It also provides an SDK which promotes the development of community developed security test content. This talk will explain Norad's design philosophy, architecture, and demonstrate its usage.

avatar for Blake Hitchcock

Blake Hitchcock

Software Engineer, Cisco
Blake Hitchcock has been building and breaking web applications for 6 years with Cisco. He loves writing in Ruby, and 'Burp' is not just something he does after a few too many kielbasas. When he's not doing web stuff, Blake enjoys fitness, food, sports, and cheering for his beloved... Read More →
avatar for Brian Manifold

Brian Manifold

Brian Manifold has worked as a software/security engineer at Cisco for the past 4 1/2 years. His main areas of interest at work are web development and web security. Outside of work he enjoys playing music, anything CNC (milling, 3d printing, etc..) related, hardware electronics... Read More →
avatar for Roger Seagle

Roger Seagle

Principal Engineer, Cisco
Roger Seagle Jr. is a Principal Engineer in the STO TIP team at Cisco. Previously, he worked in Cisco's Advanced Security Initiatives Group (ASIG) where he assessed the security posture of Cisco products and advised product teams on patching and mitigating vulnerabilities. Roger regularly... Read More →

Friday October 14, 2016 2:15pm - 3:15pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program
Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough to do. This talk will cover how to take the lessons learned from forward thinking software development and show you how they have been applied across several business. This isn’t a theoretical talk. It covers the results of successfully applying these strategies to AppSec across multiple companies ranging from 4,000 to 40,000+ employees. Yes, real stats on improvements seen will be provided.

Beyond providing concrete examples of how to optimize your AppSec program, the talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, CI/CD and Agile, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in. It will also introduce several new OWASP projects which will help you on your journey: the OWASP AppSec Pipeline project, OWASP Defect Dojo and the AppSec Pipeline toolbox. This talk’s content plus these open source projects are more than you’ll need to get started buying down the technical security debt and unshackle you from traditional AppSec thinking.

avatar for Matt Tesauro

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →

Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

Breaking and Fixing your ‘Docker’ ized environments
This presentation extracts few points from CIS Docker 1.12 benchmark which was co-authored by me. Ref: https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker12.100

Abstract: The concept of containerization was in Linux from ages in the form of jails, zones, LXC etc. but it is since 2 years it gained tremendous recognition. The credit goes to "Docker" which made the concept of containerization very useful and handy by adding many benefits to existing container technologies. Tech giants like Redhat, Google, IBM, VMware etc. are not only the biggest contributors to this most active open source project but also major users of it. Only Google spins up more than 2 billion containers per week, more than 3,300 containers per second. Inspired from Docker, Microsoft also started its container technology by extending its research project "Drawbridge". The effect of containers already impacted the virtual machine market and this impact is going to increase significantly in near future.

Security is always an important issue for any upcoming technology and Docker is no exception to it. This presentation starts with a brief introduction to containers vs. virtualization technology, Docker ecosystem and then goes deep into "Docker Security". It touches each and every component listed below in the Docker container pipeline and gives details about the ways on how they can be broken and then defensive measures to secure them.

Container Pipeline Components:
a) Images
b) Container Runtime
c) Host security
d) Daemon security
e) Communication security ( daemon <=> client , daemon to registry etc.) f) Registry security Below is the brief overview only on Images, containers components.

1. Images
a. Image security analysis in which I have extracted more than 50 Docker hub images (which also includes official images) and found critical vulnerabilities like Heartbleed, Shellshock, CSRF, XSS etc. in them. The presentation also provides a comprehensive security analysis on Docker hub images , how vulnerable are they and gives details about alternative options available for getting secure images
b. Protecting images
- Efficient scanning : binary level scanning, hash based comparison instead of version string matching mechanisms
- Docker Content Trust: Ensures authenticity, integrity and freshness guarantees (Is this really secure to use?)
- 20 golden rules to be followed for "writing Dockerfiles and maintaining images" securely

2. Containers
a. Detailed explanation about how containers isolation can be torn apart
b. Docker claims that their containers are "Secure by Default" and also a popular report on Linux containers released by NCC Group states that "Docker has strong defaults". In this presentation, I will be proving that Docker defaults are vulnerable to DOS, side channel, remote exploitation etc. vulnerabilities. Besides, I will also be explaining about a few other ways of exploiting Docker containers if CIS Docker bechmark rules were not adhered
c. 20 golden rules to be followed for ensuring secure container runtime

Apart from the topics mentioned above, this presentation also throws a light on the tools available in market for securing container ecosystem along with the pros and cons of each tool : Twistlock, Aquasec, Nautilus etc.

avatar for Manideep Konakandla

Manideep Konakandla

Carnegie Mellon University
Is an Author, Security Researcher, Speaker and a J.N Tata Scholar. He is current Security Researcher + Masters student in Information Security @Carnegie Mellon University, USA and is currently researching on "Security of containers with focus on Docker". He has authored a book at... Read More →

Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand Central Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001

3:30pm EDT

Containerizing your Security Operations Center
As security professionals, we have no shortage of tools available to us in our offensive and defensive pursuits. How we choose to deploy, maintain, and share these tools across teams can prove to be burdensome and overly complex. Security teams are becoming swept up in the DevOps movement and we are being encouraged to bring visibility into our workflows and toolsets. This means moving things from our local boxes to a more available and collaborative environment. This talk will share lessons learned from building a pluggable, cloud­based "Security Operations Center" running entirely on containers to help security teams rapidly build out scanning pipelines, centralize alerts, investigate malware, and easily collaborate with teams across the organization. I’ll dive into the architecture and design of the cluster and how to quickly get a POC running in Kubernetes

avatar for Jimmy Mesta

Jimmy Mesta

CTO, Manicode Security
Jimmy Mesta is an application security leader that has been involved in Information Security for nearly 10 years. He is the chapter leader of OWASP Santa Barbara and co-organizer of the AppSec California security conference. Jimmy has spent time on both the offense and defense side... Read More →

Friday October 14, 2016 3:30pm - 4:30pm EDT
Grand North Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001