AppSec USA 2014

Talks

OWASP A9: A Year Later - Are you still using components with known vulnerabilities?

It's been more than a year now since the introduction of the new A9 to the OWASP Top Ten list. How are you doing to ensure you are not "using components with known vulnerabilities" in your applications? Join this session to hear real-world case st...

Ryan Berg

AppSec Survey 2.0 : FineTuning an AppSec Training Program Based on Data cut

Measuring the effectiveness of any security activity is widely discussed – security leaders debate the topic with a religious fervor rivaling that of any other hot button issue. Virtually every organization has some sort of application security tr...

John B. Dickson

Use After Free Exploitation

Use After Free vulnerabilities are the cause of a large number of web browser and client-side compromises. Software bugs residing on the heap can be difficult to detect through standard debugging and QA. This presentation will first define the Use...

Stephen Sims

Hacking .NET(C#) Applications: The Black Arts (ASM attacks)

Attacking in live memory has been the area of highly skilled attackers with focused & costly tools. This presentation will cover new tools and techniques to allow attackers with basic entry level skill to attack .NET applications live in memory allo...

Jon McCoy

11,000 Voices: Experts Shed Light on 4-Year Open Source & AppSec Survey

In 2013, OWASP updated its top 10 list to include “(A9) Avoiding the use of open source components with known vulnerabilities.” The guideline was added as OWASP leaders came to understand that 90% of a typical application is composed of open sourc...

Derek E. Weeks

iOS App Integrity: Got Any?

iOS apps are vulnerable to static analysis and attack through binary code patching. Incorporating jailbreak and debugger detection algorithms can be rendered useless with a quick binary patch. Once patched the app can be further exploited, its app...

Gregg Ganley, Gavin Black

Building Your Application Security Data Hub: The Imperative for Structured Vulnerability Information

One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applicatio...

Dan Cornell

Clientside security with the Security Header Injection Module SHIM

Client-side security headers are useful countermeasures for Man-In-The-Middle, Clickjacking, XSS, MIME-Type sniffing, and Data Caching vulnerabilities. In this talk, we will review several security headers (e.g. Strict-Transport-Security, X-Frame-...

Eric Johnson, Aaron Cure

Not Go Quietly: Adaptive Strategies and Unlikely Teammates

Don’t be a hero; assemble your team of avengers from unlikely allies. Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant s...

Joshua Corman

Anatomy of memory scraping credit card stealing POS malware

Learn the nuts-and-bolts of how a memory scraping, credit card stealing point-of-sale (POS) malware works and identify strategies that you can implement to make it hard for the bad guys. Sensitive information, like credit card numbers, is encr...

Amol Sarwate

Modern Web Application Defense with OWASP Tools

To address security defects developers typically resort to fixing design flaws and security bugs directly in the code. Finding and fixing security defects can be a slow, painstaking, and expensive process. While development teams work to incorpora...

Frank Kim

Warning Ahead: Security Storms are Brewing in Your JavaScript

JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? Before dismissing...

Helen Bravo

Bringing a Machete to the Amazon

Amazon Web Services (AWS) is billed as an amazingly secure and resilient cloud services provider, but what is the reality once you look past that pristine environment and the manicured forests give way to dark jungle as you start to migrate existi...

Erik Peterson

Lean Security for Small or Medium Sized Business

For a small or medium sized business (SMB) the fallout from a security or privacy incident can be at best a PR nightmare. At their worst it can cause irrecoverable damage and end your business by impacting sales or ad revenue. Your user base may t...

Anson Gomes, Jonathan Chittenden

Red Phish, Blue Phish: Improved Phishing Detection Using Perceptual Hashing

While lacking the sex appeal of memory corruption based attacks, phishing remains a problem for many end users. Defenses against phishing have not advanced significantly. We will discuss current approaches to phishing detection, and present a new ...

Daniel Peck

From the Ground Up

This project started with a challenge given to me at the AppSec EU conference in Hamburg when I said that it should be possible to do dynamic source-sink analysis in basic Java applications. My challengers then told me: "Prove it". It took a while, but fa...

Steven van der Baan

Top 10 Web Hacking Techniques of 2013

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages...

Matt Johansen, Johnathan Kuskos

Ground Truths of a Rugged DevOps Practitioner

DevOps isn't just a buzzword. It isn't a miracle cure. It isn't the security apocalypse. From the perspective of a practitioner who has been on a DevOps journey, we can explore the lessons learned - including surprises. This session will be a mixt...

Matt Tesauro

Stop Chasing Vulnerabilities - Introducing Continuous Application Security

For too long, application security has been “experts-only” and practiced one-app-at-a-time. But modern software development, both technology and process, is mostly incompatible with this old approach and legacy appsec tools. Software development h...

Jeff Williams

IEEE Computer Society's Center for Secure Design

The IEEE Computer Society's CSD (Center for Secure Design) was formed in 2014 with the goal of identifying common design flaws and creating tools or design patterns so architects and developers can avoid introducing those design flaws into softwar...

Jim DelGrosso

Threat Modeling Made Interactive

Threat modeling is an important part of any secure development process. By identifying potential threats early in the development, you can build effective mitigations into your system, rather than relying on costly patches and bug fixes. Existi...

Eunsuk Kang

Where the Security Rubber Meets the DevOps Road

DevOps is a natural evolution of Agile, Lean, Continuous Integration and other patterns common amongst high performers and continuous process improvement. As someone who has helped dozens of organizations get started with DevOps patterns and tool ...

Damon Edwards

Catch me if you can: Building a Web Malware Analyzer using Machine Learning

With close to 10,000 new, legitimate websites being added to the Google malware blacklist every day, it's clear that infecting websites to spread malware has become the go-to choice for malicious hackers. In this talk I will focus on how the proble...

Anirban Banerjee

Runtime Manipulation of Android and iOS Applications

With over 1.6 million applications in the Apple AppStore and Google Play store, and around 7 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. Mobile application security...

David Lindner, Dan Amodio

Ten Secrets to Secure Mobile Applications

Many high profile mobile apps have been in the news for failures to use encryption, bad web service design, and privacy violations against users. Join us to get a grasp on how to threat model mobile applications and what the top vulnerabilities an...

Jason Haddix, Daniel Miessler

AutoScaling Web Application Security in the Cloud

Securing web applications has placed extreme demands on security professionals – in addition to understanding attack patterns and defense tactics, effectively protecting web apps requires some level of programming and database management expertise...

Misha Govshteyn

Static Analysis for Dynamic Assessments

Today’s dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. However, there is a gap between Static and Dynamic scanners. The...

Greg Patton

Keynote: Bug Parades, Zombies, and the BSIMM: A Decade of Software Security

Only thirteen years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come ...

Gary McGraw

Headless Browser Hide and Seek

Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance...

Sergey Shekyan, Bei Zhang

Cloud Security at Scale and What it Means for Your Application

Cloud computing is all the rage, but few organizations have really thought about what security means for their applications and networks in cloud-centric deployments. Netflix is amongst the largest users of public cloud resources and consumes roug...

Ben Hagen

Mobile Security Attacks: A Glimpse from the Trenches

Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will desc...

Yair Amit, Adi Sharabani

Keynote: CISO Perspectives: Aligning Secure Software Application Development with Business Interests

Software security is first, and foremost, a business problem. Attackers have learned that nearly all web applications can be exploited via application-level vulnerabilities. Using any one of a long list of common entry points, an attacker can make...

Renee Guttmann

Reversing Engineering a Web Application - For Fun, Behavior & WAF Detection

Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing and w...

Rodrigo Montoro

DevOps and Security: The Facts, The Myths, The Legend

DevOps (despite its increasing popularity amongst both startups and now enterprises as well) still has a bad image with large chunks of the security community. While there are some challenges it brings, this negative reputation is largely undeser...

David Mortman

Hacking the Oracle Application Framework: A case study in deep-dive pen testing

The Oracle Application Framework (OAF) is the base of dozens of Oracle’s web-based business applications (the eBusiness Suite) and is used by many other organizations to develop their own in-house applications. Last year, the speaker published a m...

David Byrne

When you can't afford 0days: Client-side exploitation for the masses

A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights. Hold on! Not all is lost! There is still hope for pwning targets with...

Michele Orrù

The DevOps of Everything

The DevOps movement is going to celebrate its fifth anniversary this October. I was fortunate enough to attend the inaugural event in Ghent in October 2009. Over the past five years I have been deeply involved with this movement as a practitione...

John Willis

Keynote: The Future of Incident Response

Network attacks are inevitable. Protection and detection can only take you so far, and response -- incident response -- is finally getting the attention it deserves. I look at the economic and psychological drivers the computer security industry, ...

Bruce Schneier

Blended Web and Database Attacks on Real-time, In-Memory Platforms

It is well known that there is a race going on in the "Big Data" arena. One of the stronger competitors in the "Big Data" market is Real-Time, In-Memory Platforms. An interesting thing about this platform, and the one we will talk about specifically, i...

Juan Perez-Etchegoyen

Your Password Complexity Requirements are Worthless

If you think password hashes are safe in a database, you are wrong. If you think users choose good passwords, you are wrong. If you think you KNOW what makes up a good password, you are wrong. If you think that password complexity allows forces...

Rick Redman

Project Monterey or How I Learned to Stop Worrying and Love the Cloud

At Netflix developers deploy code hundreds of times a day. Each code push could be a production canary taking only a percentage of the total requests or a test determining which new feature is improving customer experience the best. The large numb...

Kevin Glisson