AppSec USA 2013
Talks
Leveraging OWASP in Open Source Projects
The CAS AppSec Working Group is a diverse volunteer team of builders, breakers, and defenders that is working to improve the security of Jasig CAS, an open source WebSSO project. This presentation will show how the team is leveraging OWASP resour...
Bill Thompson, Aaron Weaver, David Ohsie
Verify your software for security bugs
Verification, which includes dynamic analysis and fuzz testing, is an important phase of developing secure software that is not always addressed in depth. This step allows checking that security has been built in during the implementation phase: secure c...
Simon Roses Femerling
Panel: Don't Tell Me Software Security (Audio only)
Test your wits and current AppSec news knowledge against our panel of distinguished guests Joshua Corman, Chris Eng, Space Rogue and Gal Shpantzer. "Wait Wait... Don't Pwn Me!" is patterned after the NPR news quiz show where we challenge the panel...
Gal Shpantzer, Mark Miller, Josh Corman, Space Rogue, Chris Eng
Pushing CSP to PROD
Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organizations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our ex...
Brian Holyfield, Erik Larsson
Making the Future Secure with Java
The world is not the same place it was when Java started. It's 2013, and attackers are intensely motivated, sophisticated, and well organized. Java security is a significant concern across many organizations as well as for individuals. Attend t...
Milton Smith
iOS Application Defense - iMAS
iOS application security can be *much* stronger and easier for developers to find, understand and use. iMAS (iOS Mobile Application Security) is a secure, open source iOS application framework research project focused on reducing iOS application...
Gregg Ganley
Wassup MOM? Owning the Message Oriented Middleware (Audio only)
Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbon...
Gursev Singh Kalra
AppSec at DevOps Speed and Portfolio Scale
Software development is moving much faster than application security with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. Unfortunately, software assurance hasn't kept up with the times. For the most p...
Jeff Williams
BASHing iOS Applications
The toolchain for (binary) iOS application assessment is weak BUT, like an island of misfit toys, there can be strength in numbers. Join us as we explore what actually needs to be done in a mobile assessment and how we can do it right from our SSH...
Jason Haddix, Dawn Isabel
Thinking Differently About Security
Almost all security professionals have one or more headshaking security stories caused by everything from sloppy design to execrable coding to insanely asymmetric risk assumption. Technical acumen is not enough if we want to improve actual securit...
Mary Ann Davidson
An Introduction to the Newest Addition to the OWASP Top 10
This panel of industry experts will dissect the new OWASP A9 guidelines that look at the widespread use of insecure open source libraries in today's modern application development. Executives from Sonatype will offer exclusive component usage da...
Ryan Berg, Jeff Williams
Mobile app analysis with Santoku Linux
Did you think there were a lot of mobile devices and platforms out there? Check out the hundreds of mobile tools being developed. We calculated it would take more time to install, test and maintain the various mobile tools than to actually fuzz ...
Andrew Hoog
Case Study: 10 Steps to Agile Development without Compromising Enterprise Security
In an Agile, fast-paced environment with frequent product releases, security code reviews & testing are usually considered a delaying factor that conflicts with success. Is it possible to keep up with the high-end demands of continuous integration ...
Yair Rovek
All the network is a stage, and the APKs merely players: Scripting Android Applications
The existence of open, well-defined APIs for many popular websites has been a boon to spammers, but as they have grown in popularity the operators have begun to care more about the integrity of the network. 3rd party access to these APIs is becomin...
Daniel Peck
Tagging Your Code with a Useful Assurance Label
With so many ways for software to be vulnerable, businesses need a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software. This talk will offer a new way to focus and organize y...
Robert Martin
PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
Mobile Point of Sale (POS) systems are becoming more and more common in a wide variety of retail outlets. And why not? They add speed and convenience to shopping and can increase a retailer's ability to sell. But POS and Mobile are hard to get right and sec...
Mike Park
Hacking Web Server Apps for iOS
Since the iPhone was released, people have been trying to figure out different ways to turn it into a common data storage device. Many applications have been released in the iTunes Store in order to add this capability, some using USB transp...
Bruno Oliveira
OWASP Hackademic
Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to le...
Konstantinos Papapanagiotou
Hack.me: a new way to learn web application security
The Hack.me (https://hack.me) project is a worldwide, FREE for all platform on which to build, host and share simple and complex vulnerable web applications. It's completely online and doesn't require any software to be installed, just a web browser....
Armando Romeo
Why is SCADA Security an Uphill Battle?
This talk will present technical security challenges faced by organizations that have SCADA, critical infrastructure or control systems installations. It will provide examples of attacks and examples of security controls that organizations can imp...
Amol Sarwate
Revenge of the Geeks: Hacking Fantasy Sports Sites
In this talk, I'll show how all my IT security geek friends in the OWASP community can win the Super Bowl! I'll walk through the anatomy of a hack against popular Fantasy Football and Baseball mobile applications showing every "sneak play" require...
Dan Kuykendall
The 2013 OWASP Top 10
The OWASP Top 10 has become the de facto standard for web application security and is referenced by numerous important standards and guidelines around the world, including the Payment Card Industry (PCI) standard, as just one example. This presen...
Dave Wichers
OWASP Periodic Table of Elements
After 25 years of software engineering since the first Internet worm was written to exploit a buffer overflow vulnerability, web developers are still building insecure software. It is time for a new approach. The vast majority of software bug clas...
James Landis
Mantra OS: Because The World is Cruel
OWASP Mantra OS was developed under the mantra "OWASP because the world is cruel". This mantra is the underlying principle for the development of Mantra OS simply because it is better for the pen tester to find the exploit...
Gregory Disney-Leugers
Can AppSec Training Really Make a Smarter Developer?
Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, which mandates that developers should have...
John Dickson
What You Didn't Know About XML External Entities Attacks
The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. Certain features built into the design of XML, namely inline schemas and document type definitions (DTDs) are a well-known source of po...
Timothy Morgan
2013 AppSec Guide and CISO Survey
As an organization born from grassroots ideals and volunteer efforts that started 12 years ago with visionaries like Mark Curphey, OWASP has grown in membership. OWASP's mission has been to make application security visible to...
Tobias Gondrom, Marco Morana
Big Data Intelligence
Subtitle: "Harnessing Petabytes of WAF statistics to Analyze & Improve Web Protection in the Cloud" As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases expon...
Tsvika Klein, Ory Segal
Top Ten Proactive Controls
You cannot hack your way secure! The OWASP Proactive Controls is a "Top 10 like document" aimed at helping developers build secure applications. This project is phrased and built in a positive, testable manner that describes the Top 10 software c...
Jim Manico
The Cavalry Is US: Protecting the public good
In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, ...
Josh Corman, Nicholas Percoco
HTML5: Risky Business or Hidden Security Tool Chest?
The term "HTML5" encompasses a number of new subsystems that are currently being implemented in browsers. Most of these were created with a focus on functionality, not security. But the impact of these features is not all negative for security. Qu...
Johannes Ullrich
Accidental Abyss: Data Leakage on The Internet
PII is personally identifiable information. In the information age, seemingly useless bits of PII can be found everywhere on the web from Facebook to Amazon to county records. Using purely legal methods and nothing more than artful searching I w...
Kelly FitzGerald
The Perilous Future of Browser Security
The tradeoffs required to make a secure browser are often poorly understood, even amongst the best security people. This makes sense, since so few people actually work on browsers. There is little knowledge about what it requires to make ...
Robert Hansen
Application Security: Everything we know is wrong
The premise behind this talk is to challenge both the technical controls we recommend to developers and also our actual approach to testing and developing secure software. This talk is sure to challenge the status quo of web security today. ...
Eoin Keary
Insecure Expectations
As developers, many of us rely on tests or specs (with expectations) to verify that our code is working properly. Few of us leverage the tests we are already writing to demonstrate that security controls are properly applied. In this technical talk, we will walk...
Matt Konda
OWASP Zed Attack Proxy
The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing...
Simon Bennetts
Contain Yourself: Building Secure Containers for Mobile Devices
In today's world, everyone wants access to information from his or her personal mobile device. As a business, this includes your customers and/or employees. What if the information they want access to is highly sensitive? While it's tempting to...
Ron Gutierrez
HTTP Time Bandit
While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying ...
Tigran Gevorgyan, Vaagn Toukharian
NIST - Missions and impacts to US industry, economy and citizens
Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time—a second-r...
James St. Pierre, Matthew Scholl
OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
The OWASP Broken Web Applications (OWASP BWA) Project produces a free and open source virtual machine (VM) loaded with more than twenty-five web applications with a variety of security vulnerabilities. The project VM is well suited for use as a l...
Chuck Willis
Forensic Investigations of Web Exploitations
Investigation of hacking incidents often requires the combined effort of different technologies. Evidence and forensic artifacts are often found in various forms and formats. Network Forensics is one of the components in the process of finding comprom...
Ondrej Krehel
PANEL: Aim-Ready-Fire (Audio only)
Software assurance in the past 5-6 years has emerged as the key focus area for information security professionals. The C-suite has recognized software assurance to be more than a hygiene problem as application security breaches have starte...
Ajoy Kumar, Sean Barnum, Ramin Safai, Suprotik Ghose, Jason Rothhaupt, Pravir Chandra, Wendy Nather
PANEL: Women in Information Security (Audio only)
NPR reports that 80% of computer programmers are men. As an engaged group that believes in the benefits of gender diversity, OWASP wants to know what we can do to close that gap. In this session, we have invited women from different stages of thei...
Joan Goodchild, Dawn-Marie Hutchinson, Valene Skerpac, Carrie Schaper, Gary Phillips