AppSec USA 2016

Talks

Misconfigured CORS and why web appsec is not getting easier

Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like Facebook, Google, and the like. These orgs are very mature and oftentimes roll out the newest, latest, greatest security features...

Evan Johnson

Keynote - The Less Hacked Path

Since the dawn of the Internet and the Web, a broad series of hacking attack vectors have descended. Malicious hackers, researchers, and governments have demonstrated and deployed these attacks onto computers, mobile devices, and nuclear power pla...

Sammy Kamkar

Practical tips for web application security in the age of agile and DevOps

The SDLC has been the standard model for web application security over the last decade and beyond, focussing heavily on gatekeeping controls like static analysis and dynamic scanning. However, the SDLC was originally designed in a world of Waterfa...

Zane Lackey

Putting an 'I' in Code Review: Turning Code Reviewing Interactive

Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing int...

Ofer Maor

Barbarians at the Gate(way)

This talk will examine the tools, methods and data behind the DDoS and web attacks against cloud platforms and traditional architectures that are prevalent in the news headlines. Using collected information, the presentation will demonstrate wh...

Dave Lewis

Automating API Penetration Testing using fuzzapi

Despite the widespread use of REST API calls using various frameworks, security researchers continue to discover many vulnerabilities in APIs. Vulnerabilities are frequently found in the APIs of applications produced by even the most mature develo...

Abhijeth Dugginapeddi, Lalith Rallabhandi

Cleaning Your Applications' Dirty Laundry with Scumblr

Like many cutting-edge companies, the environment at Netflix is constantly changing. New applications are deployed every day, code is pushed every hour, and systems are spun up and down at will to support changing demand patterns of online video st...

Andrew Hoernecke, Scott Behrens

Your License for Bug Hunting Season

You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many ven...

Casey Ellis, Jim Denaro

Should there be an Underwriters Laboratories certification for software in IoT products? (Audio only)

Should there be an Underwriters Laboratories certification for software in IoT products? The US Cybersecurity National Action Plan released in February 2016 announced that the US government, specifically the Department of Homeland Security, is ...

Anita D'Amico, Kevin Greene, Joshua Corman

Using language-theoretics and runtime visibility to align AppSec with DevOps

Programming languages are becoming more powerful and capable, and applications more porous than ever before -- burdening developers and security professionals alike. Evolving constraints, patterns and definition lists make validating data inputs a...

Kunal Anand

Protect Containerized Applications With System Call Profiling

Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the...

Chenxi Wang

Next Gen Web Pen Testing: Handling Modern Applications in a Penetration Test

As technology advances and applications make use of newer technology, our penetration testing techniques and methods have to keep up. In this presentation, Jason Gillam and Kevin Johnson of Secure Ideas will walk attendees through new web technolo...

Kevin Johnson, Jason Gillam

Keynote - Cryptography in the age of Heartbleed

The past decade has seen an unprecedented number of high-profile data breaches. To address this threat, businesses have begun to invest heavily in encryption technologies, both to protect data and to reduce liability in the event of a breach. Howe...

Matthew Green

Breaking and Fixing your 'Docker'ized environments

The concept of containerization has been in Linux for ages in the form of jails, zones, LXC, etc., but it is only in the last 2 years that it has gained tremendous recognition. The credit goes to "Docker", which made the concept of containerization very useful and handy by ...

Manideep Konakandla

Exploiting CORS Misconfigurations for Bitcoins and Bounties

Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems. Cross-Origin Resource Sharing (CORS) is a mechanism for r...

James Kettle

Everything is Terrible: Three Perspectives on Building, Configuring, and Securing Software

Developers, operations, and security all have differing agendas and benchmarks for success. One is tasked with building new features, the next with delivering and making them available, and the third is tasked with mitigating the risks associated ...

Adrien Thebo, Chris Barker, Bill Weiss

AppSec++ Take the best of Agile, DevOps and CI/CD into your AppSec Program

Is software development outpacing your ability to secure your company’s portfolio of apps? You don’t have to buy into Agile, DevOps or CI/CD to realize the business wants to move faster. And it's not like you didn’t already have more than enough t...

Matt Tesauro

HTTPS & TLS in 2016: Security practices from the front lines

Implementing strong security for Internet-facing services has grown more challenging and more complex over the past two years. With protocol-level vulnerabilities like FREAK, BEAST, CRIME, POODLE, & LOGJAM, Ops teams are forced to reevaluate long-...

Eric Mill, Kenneth White

SPArring with the Security of Single Page Applications

When SPArring with the security of a Single Page Application (SPA) you need to be like a Mixed Martial Artist (MMA) fighter who understands several specialties to be successful. In MMA, a fighter needs to be skilled in several martial arts styl...

Dan Kuykendall

Needle: Finding Issues within iOS Applications

Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this probl...

Marco Lancini

Threat Modeling With Architectural Risk Patterns

Current approaches to Threat Modeling emphasise manual analysis typically performed by developers together with a security specialist. This has a high initial cost, both in terms of time and the skills required to perform it. Both of those const...

Stephen De Vries

Patterns of Authentication and Self-Announcement in IoT

The need to connect 'things' to each other in the IoT ecosystem introduces new security requirements for authentication and self-announcement due to four major characteristics of IoT: 1. Physical access and infinite time available to adversaries t...

Amir Pourafshar, Farbod H Foomany

Containerizing your Security Operations Center

As security professionals, we have no shortage of tools available to us in our offensive and defensive pursuits. How we choose to deploy, maintain, and share these tools across teams can prove to be burdensome and overly complex. Security teams ar...

Jimmy Mesta

Keynote - Software Supply Chain Lifecycle Management

As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever, and it must focus on the entire lifecycle that includes development, acq...

Joe Jarzombek

Continuous Integration: Live Static Analysis using Visual Studio & the Roslyn API

For over 10 years, Visual Studio has provided basic source code analysis through FxCop and StyleCop. While these code analyzers focus mainly on design conformance, code consistency, and best practices, there is very little support for enforcing se...

Eric Johnson

Practical Static Analysis for Continuous Application Security

Static code analysis tools that attempt to determine what code does without actually running the code provide an excellent opportunity to perform lightweight security checks as part of the software development lifecycle. Unfortunately, building gener...

Justin Collins

Practical Tips For Running A Successful Bug Bounty Program

Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manag...

Daniel Trauner, Grant McCracken

Scaling Security Assessment at the Speed of DevOps

Recent software development trends, namely DevOps, Continuous Integration, Continuous Delivery, and Continuous Deployment, have empowered developers and drastically reduced the DevTest window forcing teams to adopt highly automated test infrastruc...

Roger Seagle, Brian Manifold, Blake Hitchcock

The Ways Hackers Are Taking To Win The Mobile Malware Battle

In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime so...

Yair Amit

Why using SMS in the authentication chain is risky

Passwords are horrible for security. Over the past 20 years we’ve bolstered the password with other factors, the most common being a one time password (OTP, TOTP, HOTP) that is either generated on a physical device the user holds, in a smartphone ...

Simon Thorpe

How To Find The Next Great Deserialization CVE

The talk will generalize the recent spate of deserialization attacks, including a brief discussion of an originally authored exploit for a recently discovered CVE. The commonalities between deserialization attacks will then be discussed, layin...

Arshan Dabirsiaghi

DevOops: Redux

In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe c...

Ken Johnson, Chris Gates

When encryption is not enough: Attacking Wearable

Communication protocols have evolved from the traditional Serial and LAN ports to complex and lightweight protocols of today, such as Bluetooth Low Energy (BLE), ANT+ and ZigBee. Bluetooth Low Energy (BLE) is a popular protocol of choice for weara...

Kavya Racharla, Sumanth Naropanth