AppSec EU 2018
Talks
The Last XSS Defense Talk: Why XSS Defense has radically changed in the past 7 years
Why are we still talking about Cross-Site Scripting in 2018? Because XSS is painfully difficult to defend against even today. This talk is a fundamental update to the 2011 AppSec USA talk "The Past Present and Future of XSS Defense". We'll...
Jim Manico
Perimeter-less: Engineering the future of Defense
In this talk, Allison Miller will discuss how today's defenders are adapting to the new normal of our ever-evolving ecosystem: expanding exposure surfaces, complexity in every corner, continuous change, not to mention bigger big data and badder ...
Allison Miller
How Leading Companies Are Scaling Their Security
The last decade has seen significant changes in how organizations develop and release software: fleets of servers are provisioned programmatically and new code is pushed to production dozens of times a day. Oftentimes, developers outnumber securit...
Clint Gibler
The Perimeter Has Been Shattered
Mobility and the Internet of Things (IoT) have disrupted the corporate enterprise network on the scale that PCs disrupted mainframes in the 1980s. Yet most enterprises continue to approach security as though there were still a hard perimeter wit...
Georgia Weidman
Prepare(): Introducing Novel Exploitation Techniques in Wordpress
WordPress is used by 30% of all websites. Due to its wide adoption it is a popular target for attackers: security vulnerabilities in outdated cores and plugins are actively exploited to compromise large numbers of installations. Altho...
Robin Peraglie
WordPress
FIESTA: an HTTPS side-channel party
In the past few years, several attacks exploiting side-channel issues in TLS traffic have been launched with the aim of extracting information protected by HTTPS. CRIME, BREACH, and TIME are all good examples of such attacks. But they are known,...
Jose Selvi
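The mechanism that CRIME and BREACH share, a compression oracle, as an added example that is not part of the talk and does not reproduce the FIESTA technique itself: the attacker's guess is reflected into the same response body that carries a secret, and the length of the compressed (hence TLS-encrypted) response reveals whether the guess extended a match. The page layout, parameter names and token value are constructed assumptions for the demo.

```python
import string
import zlib

# Constructed scenario (assumptions for illustration, not from the talk):
# a page reflects a search parameter and also embeds a hex CSRF token.
SECRET = "csrf_token=7f3a9c1"          # value the attacker wants to learn
KNOWN_PREFIX = "csrf_token="           # field name is usually public
ALPHABET = string.digits + "abcdef"    # token charset (assumed hex)


def response_body(reflected: str) -> bytes:
    """Simulated server page: reflected input and the secret share one body."""
    return (
        "<html><body><p>Search results for: " + reflected + "</p>"
        "<form><input type=hidden name=token value='" + SECRET + "'>"
        "</form></body></html>"
    ).encode()


def compressed_length(body: bytes) -> int:
    """The side channel: TLS hides content but leaks (roughly) the length of the
    compressed plaintext. Z_FIXED selects deflate's fixed Huffman table, so the
    only thing that varies between guesses is the LZ77 output and each correct
    byte shortens the stream by exactly one byte. Real servers use dynamic
    tables, which adds noise that BREACH's measurement tricks must average out."""
    z = zlib.compressobj(6, zlib.DEFLATED, 15, 8, getattr(zlib, "Z_FIXED", 4))
    return len(z.compress(body) + z.flush())


def oracle(guess: str) -> int:
    """Length an on-path observer would see for one attacker-chosen request."""
    return compressed_length(response_body(guess))


def recover_secret(prefix: str, alphabet: str, max_chars: int) -> str:
    """Extend the known prefix one character at a time. The candidate equal to
    the next secret byte lets LZ77 emit a longer back-reference instead of a
    literal, so its response compresses shorter than every wrong candidate."""
    recovered = prefix
    for _ in range(max_chars):
        sizes = {c: oracle(recovered + c) for c in alphabet}
        best = min(sizes, key=sizes.get)
        if sizes[best] == max(sizes.values()):
            break  # no candidate stands out: end of the secret (or pure noise)
        recovered += best
    return recovered


if __name__ == "__main__":
    print(recover_secret(KNOWN_PREFIX, ALPHABET, 12))
```

The defence the talk's title alludes to is the reason compression of attacker-influenced responses was turned off after CRIME and BREACH: with no shared compression context between reflected input and the secret there is nothing for the oracle to measure.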
Outsmarting Smart Contracts
The most common blockchain-based application is Bitcoin, a cryptocurrency worth a couple of thousand dollars per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened up a much broader field of application and is descr...
Damian Rusinek
Remediate The Flag - Practical AppSec Training Platform
Developers aren't born knowing how to code securely, and appsec training is often boring and lacks practical examples. For the business, it is usually not possible to assess competency in secure coding, and it is difficult to calculate the ROI on se...
Andrea Scaduto
Attacking Modern Web Technologies
In this talk, top-ranked white-hat hacker Frans Rosén will focus on methodologies and results of attacking modern web technologies. He will explain how he accessed private Slack tokens by using postMessage and WebSocket reconnects, and how vulnerab...
Frans Rosen
From Rogue One to Rebel Alliance: Building Developers into Security Champions
Are you responsible for more than just AppSec? What do you do when you have more teams to support than security experts? How can you make security champions out of dissenters in the development team? There just aren’t enough security experts to g...
Peter Chestna
Don't Feed the Hippos
The security community has been trying for many years to solve the insecurity caused by bugs and flaws in software, but with what success? We almost never look at the successes and failures experienced in other areas, yet we could really learn from them. This t...
Martin Knobloch
Building an AppSec Program with a Budget of $0: Beyond the OWASP Top 10
This session shows how to build an application security program with a budget of $0. It explores the OWASP universe and how different open-source projects connect as foundational pieces of an application securi...
Chris Romeo
XSS is dead. We just don't get it.
XSS is about twenty years old by now and appears to be alive and kicking. JavaScript alerts are still popping up left and right, and bug bounty programs are drowning in submissions. But is XSS really still a problem of our time? Or is it just an ...
Mario Heiderich
Exploiting Unknown Browsers and Objects
Browsers are embedded everywhere, from popular applications like Steam and Spotify to headless crawlers, IoT devices and games consoles. They execute JavaScript, but you don't have a dev console, and some don't even allow you to interact with them. ...
Gareth Heyes
Mr Sandman: Time Lock Puzzles for Good and Evil
Delayed execution is of significant interest to attackers, who use it so that their malware can outlast the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have include...
Matt Wixey
OAuth is DAC. What do you do for MAC?
Such is the development community's frustration with SAML that most new projects requiring access control turn to OAuth. Yet the goals of OAuth are completely different from SAML's: the former gives the end user control over who has access...
Johan Peeters
Docker 201 Security
Docker containers offer several advantages for developers. Most notably, they fit neatly into software development processes, they enable fast, reproducible deployments, and, when properly done, the same container can run with little change either i...
Dirk Wetter
Docker
Secure Messengers and Man in The Contacts
In 2016, the Man in the Contacts attack (MitC, https://www.securingapps.com/blog/ManInTheContacts_CYBSEC16.pdf) was published; it consists of taking control of a smartphone's contacts through a legitimate application, then altering contact data to eith...
Jeremy Matos, Laureline David
Continuous Kubernetes Security
Now that we have passed "peak orchestrator" and as Kubernetes eats the world, we are left wondering: how secure is Kubernetes? Can we really run Google-style multi-tenanted infrastructure safely? And how can we be sure that what we configured yesterday...
Andrew Martin
Kubernetes
Serverless Infections - Malware Just Found a New Home
With Lambda from Amazon, Cloud Functions from Google, and Azure Functions from Microsoft, we are seeing more and more organizations leverage the advantages of serverless computing. But what does serverless computing entail when it comes to s...
Amit Ashbel
Serverless
Testing iOS Apps without Jailbreak in 2018
Penetration tests of iOS applications usually require a jailbreak. On the other hand, software developers often require a new version of iOS to run their application. Unfortunately, as history shows, with the release of subsequent versions of the iOS ...
Wojciech Reguła
iOS
Making Continuous Security a Reality with OWASP’s AppSec Pipeline
You've probably heard many talks about DevSecOps and continuous security testing, but how many provided the tools needed to actually start that testing? This talk does exactly that: it provides an overview of the open source AppSec Pipeline tool ...
Aaron Weaver, Matt Tesauro
WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behavior
Although web application firewall (WAF) solutions are very useful for preventing common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smugg...
Soroush Dalili
Building a Valid Threat Library for Cloud Based Applications
It is entirely possible to tap the cloud's built-in monitoring and logging components to build a dynamic threat library that substantiates your threat model. In this talk we'll look at both Azure and AWS components to leverage whe...
Tony UcedaVelez
Detecting and Preventing Malicious Domain Registrations in the .eu TLD
In this talk, we report on an extensive analysis of 14 months of domain registrations in the .eu TLD. In particular, we zoom in on domain names that are registered for malicious purposes (such as spam, phishing, botnet C&C, ...). The goal of our...
Lieven Desmet
Unicode: The hero or villain?
Full title: Unicode: The hero or villain? Input validation of free-form Unicode text in web applications. The most difficult fields to validate are so-called "free text fields", as the most frequent stereotype of web application input validation g...
Paweł Krawczyk
Secure Software Development Framework: Towards an SDL for all SDLCs
The Security Development Lifecycle (SDL) is a process that helps developers build more secure software. This is accomplished by embedding secure architecture, design, development and validation activities into the overarching Software Developm...
Damilare D. Fagbemi
Jumpstarting Your DevSecOps Pipeline with IAST and RASP
DevSecOps is so much more than "automating the scan button." In this talk, we will create a continuous, effective, and scalable DevSecOps pipeline using only *free* tools. We'll use IAST (Interactive Application Security Testing) to accurately pi...
Jeff Williams
Passive Fingerprinting of HTTP/2 Clients
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a fully binary protocol made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a ...
Elad Shuster
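The frame layout the abstract refers to, as an added illustration that is not the talk's own tooling: a minimal parser for the 9-byte HTTP/2 frame header over a constructed client preface, SETTINGS and WINDOW_UPDATE, reduced to a passive fingerprint string. Frame types, flags and settings identifiers follow RFC 7540; the "id:value;...|increment" summary format and the sample values are this example's own assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Client connection preface (RFC 7540, section 3.5) and the two frame types
# this example inspects (section 6).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
SETTINGS, WINDOW_UPDATE = 0x4, 0x8
FLAG_ACK = 0x1


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> List[Frame]:
    """Split a raw HTTP/2 byte stream into frames. Every frame starts with a
    9-byte header: 24-bit payload length, 8-bit type, 8-bit flags, then one
    reserved bit (masked off here) and a 31-bit stream identifier."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header at offset %d" % off)
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated payload for frame at offset %d" % off)
        frames.append(Frame(length, ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def parse_settings(payload: bytes) -> List[Tuple[int, int]]:
    """SETTINGS payload: a sequence of (16-bit identifier, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return [struct.unpack("!HI", payload[i:i + 6]) for i in range(0, len(payload), 6)]


def fingerprint(raw: bytes) -> str:
    """Passive summary of a client's opening frames: the SETTINGS identifiers
    and values in the order sent, plus the first connection-level WINDOW_UPDATE
    increment. The output format is this example's own convention (assumption),
    chosen because both are client-implementation choices the server never asks for."""
    if not raw.startswith(PREFACE):
        raise ValueError("stream does not start with the client preface")
    settings, increment = [], 0
    for f in parse_frames(raw[len(PREFACE):]):
        if f.ftype == SETTINGS and f.stream_id == 0 and not f.flags & FLAG_ACK:
            settings.extend(parse_settings(f.payload))
        elif f.ftype == WINDOW_UPDATE and f.stream_id == 0 and not increment:
            increment = struct.unpack("!I", f.payload)[0] & 0x7FFFFFFF
    return ";".join("%d:%d" % kv for kv in settings) + "|" + str(increment)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Inverse of parse_frames; used only to construct the sample stream."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)


# Constructed sample stream (values chosen for illustration, not captured
# from any real client): preface, one SETTINGS frame, one WINDOW_UPDATE.
SAMPLE_SETTINGS = [(1, 65536), (2, 0), (4, 6291456), (6, 262144)]
SAMPLE = (
    PREFACE
    + build_frame(SETTINGS, 0, 0,
                  b"".join(struct.pack("!HI", k, v) for k, v in SAMPLE_SETTINGS))
    + build_frame(WINDOW_UPDATE, 0, 0, struct.pack("!I", 15663105))
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

Because the parser stops at a short read rather than guessing, a truncated or deliberately malformed stream raises instead of producing a misleading fingerprint; a server-side implementation would additionally enforce SETTINGS_MAX_FRAME_SIZE before trusting the 24-bit length field.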
Securing Containers on the High Seas
Migrating to containers and developing a secure strategy for their implementation and management can be a difficult challenge for most organizations. Making the shift from legacy virtualization and monolithic deployments to containers requires a solid ...
Abdullah Munawar, Jack Mannino
Gamifying Developer Education with CTFs
CTFs are a staple of the security world. Nearly every conference has one, and the number of available CTFs (and of competitors) is constantly growing. However, CTFs are rarely put to use outside the security community. A frequent cause of s...
Max Feldman, John Sonnenschein