AppSec USA 2015

Talks

Going Bananas for Cloud Security: AWS deployment with security_monkey

Engineers at Netflix enjoy great freedom to deploy their applications without much interference from the security team. This hands-off approach works great to enable quick deployments, nimble experimentation, and allow the security team to be seen...

Patrick Kelley

Hack the Cloud Hack the Company: the Cloud Impact on Enterprise Security

iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against true-to-life attack and penetration activities that real attackers use i...

Kevin Dunn

QARK: Android App Exploit and SCA Tool

Ever wonder why there isn't a metasploit-style framework for Android apps? We did! Whether you're a developer trying to protect your insecure app from winding up on user devices, an Android n00b or a pentester trying to pwn all the things, QAR...

Tushar Dalvi, Tony Trummer

Enterprise-wide SSL Automation w/Lemur + CloudCA

At Netflix Security we try our best to enable developers by removing roadblocks and providing systems with “sane” defaults that keep everyone from shooting themselves in the foot. When dealing with SSL, shooting yourself in the foot is particularly im...

Kevin Glisson

Building your own large scale web security scanning infrastructure in 40 minutes

There exist a lot of web security scanners and many are doing a decent job. Yet there are times and genuine reasons when you wished you had your own scanning infrastructure. You perhaps wished how great it would be if you could build your o...

Bishan Kochar, Albert Yu

PHP Security, Redefined

Let’s be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for its lack of a focus on security and secure development practices. In more recent years, however, a resurgence has happened in t...

Chris Cornutt

Secure Authentication without the Need for Passwords

The recent major hacks at Sony, Target, Home Depot, Chase and Anthem all have something in common: in each case, access was gained with stolen credentials. Hacking credit/debit cards is a growth industry, 66% CAGR. As more information and transactions are co...

Don Malloy

New Methods in Automated XSS Detection

For the past 15+ years all major automated XSS detection methods have relied on payloads. Payloads are static exploit strings with previously known variations of exploits and exploit syntaxes. This presentation shows examples of dynamic methods that do not ...

Ken Belva

Game of Hacks: The Mother of All Honeypots

We created a “Game of Hacks” – a viral Web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. During a 6-month timeframe, we witnessed each attack that came at this game, secured the app agains...

Igor Matlin

A New Ontology of Unwanted Web Automation

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is com...

Colin Watson

'SecureMe Droid' Android Security Application

SecureMe – Droid is an Android security application that notifies the user of publicly known vulnerabilities found in the installed versions of applications on the user’s device. The application has been built on a client-server model so that user’...

Abhineet Jayaraj, Vishal Asthana

Sinking Your Hooks in Applications

Attackers typically have more compute resources and can spend much more time breaking components of applications than the engineers that write them in the first place. Since the pressure is on developers to release new code, even at the expense of...

Richard Meester, Joe Rozner

Wait, Wait! Don't pwn Me!

Test your wits and current AppSec news knowledge against our panel of distinguished guests. In the past, panelists have included Joshua Corman (Sonatype), Chris Eng (Veracode), Space Rogue (The Universe), Matt Tesauro (RackSpace), Ed Burns (Oracle...

Shannon Lietz, Mark Miller, Jacob West, Josh Corman

AppSensor: Real-Time Event Detection and Response

AppSensor is a very active OWASP project that defines a conceptual framework, methodology, guidance and reference implementation to design and deploy malicious behavior detection and automated responses directly within software applications. The A...

John Melton

Continuous Cloud Security Automation

Security can be hard to get right. In many organizations, security teams can be relatively small and scaling such teams to tackle the world of continuous software delivery is a very practical challenge. Getting core security tools adopted can be d...

Rohit Pitke

Modern Malvertising and Malware web-based exploit campaigns

The purpose of this presentation will be to introduce the audience to new techniques attackers are using to target users of web applications for exploitation. The first part of this presentation will be an introduction to the modern Malware la...

James Pleger

Chimera: Securing a Cloud App Ecosystem with ZAP at Scale

One of the biggest challenges in maintaining a cloud application ecosystem with software developed by Independent Software Vendors (ISVs) and Developers is ensuring that data within that ecosystem stays secure. It's impossible for a centralized s...

Tim Bach

Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center

Getting credential storage right is not easy. You may be using PKI correctly, you may be careful not to check passwords into your source code repository, but you need to put your secrets somewhere. You can encrypt them, but where do you put th...

Daniel Somerfield

Future Banks Live in The Cloud: Building a Usable Cloud with Uncompromising Security

Running today’s largest consumer Bitcoin startup comes with a target on your back and requires an uncompromising approach to security. This talk explores how Coinbase is learning from predecessors’ bitcoin breaches and pulling out all the stops to...

Rob Witoff

Keynote: 50 Shades of AppSec

The AppSec industry is enormously diverse and it only continues to diverge as we put more software into more things with more connections. It’s an industry that’s fluctuating from the sophisticated to the absurd, the intelligent to the primitiv...

Troy Hunt

Ah mom, why do I need to eat my vegetables?

Mom had a good reason for you to eat your vegetables; same thing goes with Application Security. It’s the good solid meat and potatoes (and broccoli) that help our programs grow up big and strong. The latest software development practices are out ...

John Pavone

Keynote: Cybersecurity Partnership, Technology and Trust

The Department of Homeland Security is a critical leader in our nation’s cybersecurity. By helping enable industry to protect themselves and to build stronger cyber technologies and services, and fostering trust and partnership to create a robust ...

Phyllis Schneck

Detecting and managing bot activity more efficiently

Bots, also commonly referred to as scrapers or spiders, are omnipresent on the Internet. Studies show that bot activity represents a large percentage of the overall traffic on the Internet. Bots are built for different purposes from simple health ...

David Senecal

Keynote: The Moral Imperatives and Challenges for Modern Application Security

It is becoming clear that the traditional methods of application security, such as the research-vuln-patch loop and developer education, are not scaling to the demands of the modern world. As more populations come onto the internet for the very fi...

Alex Stamos