AppSec USA 2017
Talks
Beyond Takeover: Attacker’s in. Now what?
We have been conducting ongoing research on the dynamics of credential theft. Our intent was to learn about how accounts are being taken over once credentials are compromised through a Phishing campaign. It is a "victim's POV" approach to Phishing...
Itsik Mantin
Monitoring Application Attack Surface and Integrating Security into DevOps
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provid...
Dan Cornell
Making Vulnerability Management Less Painful with OWASP DefectDojo
DefectDojo was created in 2013 when one security engineer at Rackspace stupidly opened his mouth in front of his leadership team. Vulnerability management is traditionally tedious, time consuming, and mentally draining. DefectDojo attempts to stre...
Greg Anderson
A Static Tainting Analysis Method for Aspect-Oriented Programs
Many web applications contain security vulnerabilities that enable attackers to access sensitive data or gain control of client computers or the servers on which those applications are running. These vulnerabilities are caused by web applications ...
Evan H. Dygert
WAFs FTW! A modern devops approach to security testing your WAF
Although Web Application Firewalls (WAFs) are recognized as an effective aspect of a defense in depth strategy, there are few tools that attempt to objectively review their effectiveness. Research companies like NSS or Gartner perform benchmarks o...
Zack Allen
Test Driven Security in the DevOps pipeline
The myth of attackers breaking through layers of firewalls or decoding encryption with their smartphones makes for great movies, but poor real world examples. In the majority of cases, attackers go for easy targets: web frameworks with security vu...
Julien Vehent
Keynote - Fixing Threat Models with OWASP Efforts
Global organizations have been working off of a broken or non-existent threat model. Distracted with compliance, plagued with undefined attack surfaces, a deluge of inoperable threat intel, risk distortions, and made complacent by a sea of control...
Tony UcedaVelez
Federated Login CSRF
Login CSRF is a well-known vulnerability that allows an attacker to hijack a victim’s browser to login to an application using the attacker’s own credentials. This paper applies a similar concept on an application using federated identities. Speci...
Murali Vadakke Puthanveetil
Top 10 Security Best Practices to secure your Microservices
I have worked on enterprise APIs being used by millions of users worldwide both as an Enterprise Security Architect and as a developer building these services. In this session, I will talk about Top 10 ways to design and build secure Microservices ...
Chintan Jain
Beyond End to End Encryption
In an age of ever more sophisticated cybercrime and mass surveillance secure communication is an increasingly rare premium commodity. In this talk we take a look at how the threat model for secure messaging applications has evolved beyond the trad...
Joël Alwen, Tom Leavy
Leveraging the ASVS in the Secure SDLC
Writing secure code is not as glamorous as releasing the next cool feature. However, we know that fixing security vulnerabilities in production is hard and costly. In order to have a more secure application it is important to consider what makes a...
Derek Fisher
An Overview of API Underprotection
The OWASP 2017 top ten is adding a new category of underprotected APIs. This reflects how RESTful Web APIs are rapidly becoming the backbone of communication on the modern web. A whole series of new challenges are thus presented for dealing with s...
Richard Taylor
Building Secure ASP.NET Core MVC Applications
Building secure applications is a difficult task, especially in combination with building it based on a new application framework. ASP.NET Core is a new open-source and cross-platform framework completely rewritten from scratch. It can run on Wind...
Niels Tanis
How to stop worrying about application Container security
Containers make it easier to deploy the applications that drive business value, but also profoundly challenge existing security models. Learn from our journey as a security team that went from not knowing what containers were to championing their ...
Brian Andrzejewski
Leveraging Blockchain for Identity and Authentication in IoT is good for Security
Since the beginning of the internet, attempts have been made to solve the problem of privacy and security. Every effort has had challenges of inconvenience, cost and insecurity. How do we prove our identity? Blockchain technology and its mut...
Donald Malloy
Practical Dynamic Application Security Testing within an Enterprise
The incorporation of DevOps within a large enterprise is generally accomplished through strategic planning on the organizational level. Having a common pipeline for Continuous Integration (CI) and Continuous Deployment (CD) can enhance the securit...
Nicholas Doell, Nicholas Kenney
Securing C code that seems to work just fine
Fastly offers a content delivery network (CDN) that ubiquitous and high-profile web properties like GitHub, Pinterest, and The New York Times rely on for performance, reliability, and security of their web applications. Fastly edge nodes seamlessl...
Jonathan Foote
How to detect CSRF vulnerability, reliably?
CSRF vulnerability is one among the OWASP top 10 and detection of this vulnerability in web applications has proved to be a difficult problem. Most dynamic application security testing tools provide the option of scanning for CSRF vulnerability, h...
Umesh Salian
Juggling the Elephants: Making AppSec a Continuous Program
As security professionals charged with protecting large enterprise application portfolios, we continually find ourselves managing a wide array of disparate security initiatives, each of which demands to be treated as a top priority. Few of these i...
Tony Miller
Handling of Security Requirements in Software Development Lifecycle
The bigger the company you're working in, the more technologies and methodologies used by development teams you are going to face. At the same time, you want to address security risks in an appropriate, reliable and traceable way for all of them. ...
Rene Reuter, Daniel Kefer
How To Approach InfoSec Like a Fed(eral Auditor)
For more than a decade, independent arms of the federal government have published application and hardware security standards that only a minor subset of the InfoSec community has a true grasp on. The Federal Information Processing Standard (FIPS)...
Scott Cutler
Friday the 13th: Attacking JSON
2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulner...
Oleksandr Mirosh, Alvaro Muñoz
Measuring End-to-End Security Engineering
This talk will introduce a new approach to SDL. At Twilio we call it End to End Security Engineering. It’s End-to-End because it covers the full product lifecycle, from Security Design to Monitoring and gives the ability to measure the state of se...
Davit Baghdasaryan, Garrett Held
Cookie Security Myths and Misconceptions
Cookies are an integral part of any web application and secure management of cookies is essential to web security. However, during my years as a security consultant I've often encountered various myths and misconceptions regarding cookie security ...
David Johansson
iGoat: A Self Learning Tool for iOS App Pentesting and Security
OWASP iGoat is an open source self-learning tool for iOS developers and mobile app pentesters. The best thing about iGoat is that it follows client-server architecture and supports all iDevices including iPad, iPhone, iPod and Macbook simulator for i...
Swaroop Yermalkar
Building a Secure DevOps Pipeline
Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough...
Aaron Weaver, Matt Tesauro
Embedding GDPR into the SDLC
We will map the GDPR requirements to the typical software security activities as part of a Secure Development Lifecycle. This will cover: • How to include the DPO as part of the software security governance? • Pro...
Steven Wierckx
Moving Fast and Securing Things
“Process” is often seen as antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users ...
Max Feldman, Zachary Pritchard, Fikrie Yunaz
An Agile Framework for Building GDPR Requirements into SDLC
The consequences of not complying with the requirements of the General Data Protection Regulation (GDPR) are immense for all international data processors. The fines and penalties even for small companies can be as high as 20 million EUR, and GDPR requ...
Farbod H Foomany, Mina Miri
Bug Bounty Programs: Successfully Controlling Complexity and Perpetual Temptation
Speakers: Michael Gallagher, Senior Manager Application Security, PayPal. Michael Gallagher has been with PayPal for over two years as Senior Manager Applicat...
Sean Martin, Sean Melia, Cassio Goldschmidt, Michael Stoker, Michael Gallagher
Androsia: A tool for securing in memory sensitive data
Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security sensitive information like user authenti...
Samit Anwer
When Molehill Vulnerabilities Become Mountainous Exploits
Here’s a story: you have built the ultimate AppSec program for your organization, and you complete the vital step of scanning your code for vulnerabilities along the development process. Your policy was very clear and strict about high priority vu...
Matt Rose
Keynote - Building a Culture of Security at The New York Times
The traditional approach for security teams has involved the existence of a siloed department, slow gatekeeping controls designed in a world of Waterfall development, and processes that aren't nearly as agile as they should be. The New York Tim...
Runa Sandvik
NoSQL Is Not NoVulnerable
SQL Injection has long been a common dangerous vulnerability found in many web applications. But many modern web applications forgo the use of SQL in favor of more modern databases commonly referred to as “NoSQL” databases. These databases don’t j...
Johannes Ullrich
Where we’re going… we won’t need passwords
This session will cover a real-world approach to an enterprise wide, multi-factor authentication deployment at a fortune 500 financial services company with 30,000+ workforce. We’ll discuss the technical challenges we faced in adapting modern passw...
Michael Stewart, Matt Hajda
What We Learned Remediating XSS in GitHub Open Source Projects
Our goal was to fix as many high-risk vulnerabilities throughout the GitHub Open Source project portfolio as we could with a minimum of effort. The intent was to simulate portfolio wide remediation in a large and diverse organization within a cont...
Mike Fauzy
Differences Between Web Application Scanning Tools when Scanning for XSS and SQLi
Web Application Vulnerability Scanners are becoming increasingly automated and are facing more difficulties as web technologies change and evolve. As is evident from the October 2015 “Talk-Talk hack”, where a 16-Year-old boy performed an easily...
Robert Feeney
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
According to the 2016 Verizon Data Breach Investigation Report, web application attacks are the top source of data breaches today. During the past decade, address space layout randomization (ASLR) has become a feature present in all major OS and a...
John Matthew Holt
Secure Product Lifecycle (SPLC) as a Service
A Secure Product Lifecycle (SPLC) is integral in ensuring software is written with security in mind, but companies struggle to create a successful process with limited security resources and minimal impact to engineering teams. This session will d...
Taylor Lobb, Julia Knecht
Supply Chain Anarchy - Trojaned Binaries in the Java Ecosystem
In 1984, Ken Thompson wrote, “You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)” [1] Yet modern software applications are 80% open source components.[2] The supply chain is ...
Jeff Williams
Automating TLS Configuration Verification
Best practices for HTTPS deployment have been steadily improving over the past decade. TLS usage on web servers has been steadily increasing and there are dozens of tools (O-Saft being the most popular) now available to test the correctness of the...
Steven Danneman
Black-Box Approximate Taint Tracking by Utilizing Data Partitioning
The information security industry has a long history of challenges when it comes to ensuring the safety of user input data. User input must be escaped when using a template to build a string. Whether in HTML, SQL, or shell commands it is best prac...
Boris Chen
Enhancing Physical Perimeter Defense Using SDR
Part One: The Problem The current solutions of sensor based perimeter defense have their limitations. Taking home defense as an example, sensors are located at all possible breach points of the perimeter (windows, doors, etc). The alarm is trigge...
Yitao Wang
There’s a new sheriff in town; dynamic security group recommendations with Grouper and Dredge
At Netflix Security, we try our best to enable developers by removing roadblocks and providing systems with “sane” defaults that keep everyone from shooting themselves in the foot. When dealing with AWS security groups, not shooting yourself in th...
Kevin Glisson
Passive Fingerprinting of HTTP/2 Clients
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a ...
Elad Shuster
This Old App, a guide to renovating apps for the cloud
Most businesses have at least one old clunker app kicking around, and the longer it has been around and the more clunky it is, the more likely it is to be vital to your business (otherwise you’d have gotten rid of it, right?). So how do you approach g...
Chris Wells, Christian Price
HUNT: Data Driven Web Hacking & Manual Testing
What if you could turbocharge your web hacking without having to sacrifice efficiency? Since pure automation misses so much important information, why not use powerful alerts created from real threat intelligence? What if you had these powerful al...
JP Villanueva
Capture the Flag for Developers
“Capture the Flag” for Developers: Upping your Training Game. Getting developers to care about security is tough, but turning your developer training into a hands-on puzzle game with a Capture the Flag (CTF...
Mark Hoopes
Core Rule Set for the Masses
Everyone who has used, or attempted to use, OWASP ModSecurity Web Application Firewall knows something about fine-tuning rules. ModSecurity Core Rule Set (CRS) was designed to catch more, show more and let you decide what to do with security alert...
Tin Zaw, Robert Whitley
ReproNow: Save time Reproducing and Triaging Security bugs
Crowdsourced security, aka Bug Bounty Programs, is adopted by almost all companies today: big, small, mid size. While companies reap a lot of benefits, the challenge is to have a security engineer/engineers reproduce each of the bugs, understand th...
Lakshmi Sudheer, Vinayendra Nataraja
Crafting the next-generation Man-in-the-Browser Trojan
Current Man-in-the-Browser (MITB) trojans like Trickbot or Dridex are pretty much similar to first generation bots like Zeus or Zbot. They all include a list of targets and corresponding webinjects and still offer essentially the same features suc...
Pedro Fortuna