Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Thursday, October 25
 

7:30am

Registration Open

Registration is in the Lobby of the hotel


Thursday October 25, 2012 7:30am - 8:45am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am

KEYNOTE: Infosec at Ludicrous Speed: Rugged DevOps and More... by Gene Kim

Information security is rightly afraid of being marginalized: it has already happened. With the advent of cloud, the velocity of change is breathtaking: while most IT struggle with monthly releases, agile IT businesses routinely conjure thousands of AWS servers, performing over 10 deploys per day. This agility and cost-savings delights the business. And with good reason, it terrifies security.In this talk, I’ll presenting key findings of my 10 years of research of high performing IT operations and security organizations, and my more recent research on the DevOps movement. I’ll talk about why I believe DevOps is so important to addressing the dysfunctional marriage between IT and the business, and what security must do to survive and thrive in this new regime.


Speakers
avatar for Gene Kim

Gene Kim

Author, Researcher, IT Revolution
Gene is a multiple award winning CTO, researcher and author.  He was founder and CTO of Tripwire for 13 years. He has written three books, including “The Visible Ops Handbook” and “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win."  Gene is a huge fan of IT operations, and how it can enable developers to maximize throughput of features from “code complete” to “in production,” without causing chaos and... Read More →


Thursday October 25, 2012 9:00am - 9:45am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am

Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store
Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store

Thursday October 25, 2012 9:00am - 12:00pm
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements

Behavioral Security Modeling (BSM), first presented at AppSec USA 2011 in Minneapolis, was conceived as a way of modeling interactions between information and people in terms of socially defined roles and the expected behaviors of the system being designed. By reducing the difference between the expected system behaviors and the actual system behaviors, we can manage the vulnerabilities that are inevitably introduced when the expected and actual system behaviors are out of alignment. BSM asserts that robust, secure information systems are best achieved through carefully modeling human/information interactions in social terms.

Modeling human/information interactions starts with requirements gathering. While traditional security requirements describe how to "keep the bad guys from messing with our stuff," BSM functional requirements seek to define "what the good guys are allowed to do." To address this gap, we have developed a practical, SDLC agnostic method for gathering functional security requirements by defining limits on interactions through a series of questions to identify and clarify constraints, as well as uncover hidden constraints. We will discuss the development of the methodology and demonstrate its use, as described in our white paper, including early experiences implementing the approach.


Speakers
avatar for John Benninghoff

John Benninghoff

Security Consultant, Transvasive Security
John Benninghoff started Transvasive Security to develop Behavioral Information Security, a new philosophy of security that draws on knowledge of how people behave and interact with information. He has spoken at national and regional security conferences, and writes regularly for his company blog at transvasive.com. | | | | John began his information security career when he was asked to build and deploy a Network IDS using free... Read More →


Thursday October 25, 2012 10:00am - 10:45am
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Top Ten Web Defenses

We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.

The best security is contextual to each organization, application and feature. Real-world tradeoffs will be discussed in detail for each "control" and "control category" discussed.


Speakers
avatar for Jim Manico

Jim Manico

Author and Educator, OWASP volunteer, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also the founder of Brakeman Security, Inc. and is a investor/advisor for Signal Sciences. Jim is a frequent speaker on secure software practices and is a member of the JavaOne rockstar speaker community. Jim is also a volunteer and former board member for the OWASP foundation. He is the author of "Iron-Clad Java... Read More →


Thursday October 25, 2012 10:00am - 10:45am
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Mobile Applications & Proxy Shenanigans

With over 5 Billion mobile devices presently in use, mobile applications enable new threats and attacks which introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward and every application presents its own, unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.


Speakers
avatar for Dan Amodio

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. | | Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and... Read More →
avatar for David Lindner

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner, a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space including everything from mobile application penetration testing/code review, to analyzing MDM and BYOD... Read More →


Thursday October 25, 2012 10:00am - 10:45am
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Reverse Engineering “Secure” HTTP APIs With An SSL Proxy

The proliferation of mobile devices has led to increased emphasis on native applications, such as Objective-C applications written for iOS or Java applications written for Android. Nonetheless, these native client applications frequently use HTTP APIs to communicate with a backend server. In addition, browser-based applications are growing more complex, and are also more likely to make asynchronous calls to HTTP APIs.

In this presentation, we walk through a common (but insecure) method of securing HTTP APIs with SSL. As we will demonstrate, properly configured SSL will protect a protocol from eavesdropping (man-in-the-middle attack) but will not protect that protocol from the end user himself. In particular, we demonstrate how an end user can use an SSL proxy to decrypt and reverse engineer the HTTP API.

We will show a hypothetical HTTP API over SSL that tracks high scores for games. Then we will demonstrate an attack on that HTTP API using mitmproxy, an open source SSL proxy, to show how an attacker can forge a high score, even though the protocol is tunneled over SSL. We will then demonstrate a modified HTTP API that is resistant to this type of attack.

Finally, we will wrap up by discussing other applications of SSL proxies to web application security testing, such as analyzing HTTP APIs to see if any personal information – such as a user’s address book – are being transmitted over the API. This is the same technique used by researcher Arun Thampi in February 2012 to determine that the Path application on iOS was secretly uploading users’ contacts to its HTTP API.


Speakers
AC

Alejandro Caceres

Computer Network Operations Engineer, Lunarline Inc.
I am a computer network operations engineer focused on building software products and interested in breaking things, mostly. I've been told I have a "hacker" mindset by my co-workers (I like to think that they meant it in a good way) and that is entirely true. I work on a number of open source projects related to pen testing and particularly enjoy dealing with unique ways of automating exploitation of web applications.
avatar for Mark Haase

Mark Haase

Sr. Security Software Engineer, Lunarline, Inc.
I've been writing software since I was 13, writing software as a job since Junior year of college, and working professionally as a software engineer since I graduated in financial services and then information security.


Thursday October 25, 2012 10:00am - 10:45am
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Gauntlt: Rugged by Example

"Be Mean to Your Code" is the concept behind the ruggedization framework called Gauntlt (pronounced like gauntlet) which aims to bring the benefits of Behaviour Driven Development to the realms of automated security testing, application hardening and ruggedization. Gauntlt is an open source ruggedization framework using cucumber and written in ruby. Gauntlt has been developed in collaboration with Netflix to fulfill the role of the "Security Monkey" in their Simian Army--most popularly known for the Chaos Monkey.

Gauntlt is meant to be used by security experts with interest in automation as well as developers with interest in security. It can be used to deliver the results of a security audit or penetration test via failing gauntlt attacks (tests) which can in turn be added to the continuous delivery test suite. Developers know when they have resolved a particular vulnerability when gauntlt no longer reports a failure. Gauntlt can be used in regression tests to detect when a previously resolved vulnerability has been re-introduced.

The creators of Gauntlt, James Wickett, Mani Tadayon and Roy Rapoport, will talk about the history of the project, current roadmap and the planned security testing tools being added to Gauntlt. As part of this talk we will do a hands on demo where we will walk the audience through getting started using gauntlt pre-built attacks and then move to writing their own gauntlt attacks. Come find out how to start being "rugged by example" and how to get started with Gauntlt.

Note: Jeremiah Shirk is filling in for Roy Rapoport.


Gauntlt is MIT Licensed and hosted on github at http://github.com/thegauntlet/gauntlt.


Speakers
avatar for Jeremiah Shirk

Jeremiah Shirk

Engineering Manager, Venmo
avatar for Mani Tadayon

Mani Tadayon

Senior Software Engineer, ZestFinance
I love programming and am now learning Clojure, Lisp and Emacs. Since 2001, I've worked in web development, constantly updating my skills to keep up with new technologies, moving from .NET to php to ruby and beyond. At the same time, I've discovered the importance of strong foundations and continue to re-learn c, html and javascript. My educational background is broad: a bachelor's in Chinese, Japanese & German from UC Berkeley and a second... Read More →
avatar for James Wickett

James Wickett

Sr. Engineer, Signal Sciences Corp
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapidly growth startups. As a Senior DevOps Engineer, James is currently... Read More →


Thursday October 25, 2012 10:00am - 10:45am
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Building a Web Attacker Dashboard with ModSecurity and BeEF

The Browser Exploit Framework (BeEF) Project is extremely popular with application pentesters as it is a powerful tool for demonstrating the impacts of leveraging XSS vulnerabilities to achieve wider compromise into an organization. What if, however, we flipped the BeEF use-case around and instead put it in the hands of web application defenders? By using the open source ModSecurity WAF, we can dynamically hook web attackers with BeEF and monitor their activities and initiate various counter-meseasures.


Speakers
avatar for Ryan Barnett

Ryan Barnett

Lead Security Researcher, Trustwave SpiderLabs
Ryan C. Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial websites, Ryan joined Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project. | | In addition to his commercial work at Trustwave, Ryan is also an active contributor to many... Read More →


Thursday October 25, 2012 11:00am - 11:45am
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Early Lunch Option

Early Lunch Option available for Sponsors, Staff, and Speakers


Thursday October 25, 2012 11:00am - 11:45am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Secure Code Reviews Magic or Art? A Simplified Approach to Secure Code Reviews

Secure Code Review: Magic or Art? A Simplified Approach to Secure Code Review. Secure code review is one of the best ways to uncover vulnerabilities and reduce risk of online web applications being breached. However, secure code review has always been challenged as being skill and tools intensive. But what if this could be simplified so developers on your team could perform it? What if this could be achieved with minimal impact on deadlines? This presentation will delve into the science and process behind secure code review and will continue to discuss a simplified approach to secure code review: a simplified process to follow, free tools to use and some of the pitfalls to avoid.


Speakers
avatar for Sherif Koussa

Sherif Koussa

Principal Application Security Consultant, Software Secured
Sherif comes from a software development background where he designed, implemented and led software teams for 9 years. | His journey with application security started back in 2006 where he kicked off the OWASP Chapter in Ottawa, followed by leading a major release for WebGoat v5.0 by adding over 12 new lessons. | In addition, Sherif helped SANS\GIAC kick off the GSSP-NET and GSSP-JAVA exams. He is also leading the Static Code Analysis... Read More →


Thursday October 25, 2012 11:00am - 11:45am
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Cracking the Code of Mobile Application

Learn how any Mobile Expert aims to crack the application open. While testing / reviewing Android or iOS applications, you will love these handy tricks which will teach you to extract the program code of any Mobile Application. Be it the famous encryption of Apple Applications or Google all famous Android or the RIM claimed Blackberry application, you got the application, you’ll get the learning to view the code. Using demonstrations on platforms/ gadgets like Apple, Android, Blackberry, Windows Mobile, we will highlight the benefits of using the same in day to day pen-testers life cycle.


Objectives:
•To give live demonstrations of cracking the code open from the various Android/Apple/Blackberry/Windows Mobile Applications.
•To share tested and proven methods of discovering insecurities via reverse engineering.
•To learn how to efficiently conduct reverse engineering of mobile applications.
•To develop a process doc for Mobile Reverse Engineering. 


Speakers
avatar for sreenarayan a

sreenarayan a

Information Security Consultant, Independant Consultant
Sreenarayan is currently working as an Independant Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has trained 30+ engineers to detect security flaws in mobile applications. He has found flaws in leading Mobile-based financial applications and helped the respective... Read More →


Thursday October 25, 2012 11:00am - 11:45am
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Hacking .NET Application: Reverse Engineering 101

This speech will focus on Reverse Engineering and Evaluations of .NET Framework Desktop Software.
I will show the basics of doing Reverse Engineering
-How to get source code
-What to look for
-What are easy vulns to find

This speech will then go a step further into the bleeding edge by modifying the protection/security areas of applications, both adding and removing security systems. I will also show building basic Malware payloads and infecting critical software as well as finding Malware and disecting it.

This speech should give a security professional the basic understanding of how to do a light Black-Box code analysis.
This speech should give a programmer the basics of finding, fighting, and production of MalWare.


Speakers
avatar for Jon Mccoy

Jon Mccoy

Jon' OR DROP ALL TABLES OR 'McCoy, DigitalBodyGuard
Jon McCoy is into security with a focus on application security under the .NET Framework. Jon started security in forensics and moved to reverse engineering and incident response. He is the founder of DigitalBodyGuard.com and Wave3D.com along with heading a number of open source projects in the area of security tools and disabled assistance/augmentation systems.


Thursday October 25, 2012 11:00am - 11:45am
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Doing the unstuck: How Rugged cultures drive Biz & AppSec Value

Rugged Software was an attempt to get application security unstuck and beyond the .0001% who were already seeking more defensible infrastructure. Over the past 3 years of experimentation, working outside of the security community, and this spring's Rugged Summit... now is the time to bring Rugged to the OWASP community.


Our dependence upon software is growing at a rate faster than our ability to secure it. While it's disappointing to see routine compromises by 13 yr old SQLi attacks, it is far more serious to see vulnerable SW permeate our cars, our critical infrastructure, and even our bodies (via medical devices). Despite excellent and valiant technical advances within the security community, the broader business and development communities remain largely unchanged.


This is more than a technical issue, but also a cultural challenge.To the business, "Security" has become a toxic and dirty word for at least 2 reasons: 1) It is a cost and 2) it is often an inhibitor - preventing the business from doing things it wants to do. People don't care how to do something until they know why it matters or how it is valuable.


This talk will explain the success that Rugged has had in driving more business value and adoption of security. We'll attempt to clear up misconceptions and apprehensions - as well as contextualize how Rugged complements existing bodies of work. We will explain how Rugged has found in DevOps an unexpected ally, blueprint, and invitation to have more substantive impact. Lastly we'll introduce and discuss the just-published "Rugged Handbook" straw man - and invite it to be beaten/enhanced.


Speakers
avatar for Josh Corman

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting... Read More →


Thursday October 25, 2012 11:00am - 11:45am
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

12:00pm

Lunch and Speed Debates

The much-acclaimed LASCON-style Speed Debates are coming at you!


Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Thursday October 25, 2012 12:00pm - 12:45pm
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

KEYNOTE: Securing JavaScript by Douglas Crockford

The Web platform is hopelessly insecure, yet surprisingly, JavaScript can be transformed into a secure programming language by the subtraction of a small set of features. The design of JavaScript was influenced by Scheme. JavaScript's schemishness is the key to its salvation.


Speakers
avatar for Douglas Crockford

Douglas Crockford

The Boss of You, PayPal
Douglas Crockford was born in the wilds of Minnesota, but left when he was only six months old because it was just too damn cold. He is best known for having discovered that there are good parts in JavaScript. This was an important and completely unexpected discovery. He also discovered JSON, the world's best loved data interchange format.


Thursday October 25, 2012 1:00pm - 1:45pm
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Hacking with WebSockets

HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated.
HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS.

This presentation provides an overview of WebSockets: How they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework.

It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.


Speakers
avatar for Vaagn Toukharian

Vaagn Toukharian

Senior Software Engineer, Qualys
Senior Software Engineer for Qualys's Web Application Scanner. | Was involved with security industry since 1999. | Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. | Outside of work interests include IronMan triathlons and photography.


Thursday October 25, 2012 2:00pm - 2:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life

One of the most vital pieces of a secure SDLC is security training – not only for developers, but for Architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary.

This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. Training will be put into the context of NIST’s “Security considerations in System Development Life Cycle” Document, Microsoft’s Simplified SDL, BSIMM3 and OWASP Open SAMM.

From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.

Lecture will be delivered by Jerry Hoff, VP of Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP Appsec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer, author, and has over 10,000 hours delivering technical training. Jerry holds a Masters degree in Computer Science from Washington University in St. Louis.

Key Points:
- Developers need a better way to be education in AppSec
- Equip participants with the tools and evidence they need make an irrefutable case for developer security training
- Analysis of tools/docuemnts/videos that OWASP provides for training
- Introduction of WebGoat.NET: OWASP’s latest tool to help education developers
- Interactive demonstration of WebGoat.NET with full audience participation


Speakers
avatar for Jerry Hoff

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He... Read More →


Thursday October 25, 2012 2:00pm - 2:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Bug Bounty Programs

Moderator: Jeremiah Grossman


Speakers
avatar for Michael Coates

Michael Coates

Director of Product Security, Shape Security
Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security.  In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. | | Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup... Read More →
avatar for Chris Evans

Chris Evans

Troublemaker, Google
Chris Evans is the author of vsftpd, a vulnerability researcher and for a paycheck, he built and now looks after the Google Chrome Security Team. Unruly bunch. | | Details of vsftpd are at https://security.appspot.com/vsftpd.html. His research includes vulnerabilities in all the major browsers (Firefox, Safari, Internet Explorer, Opera, Chrome); the Linux and OpenBSD kernels; Sun's JDK; and lots of open source packages. He blogs about some... Read More →
avatar for Jeremiah Grossman

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. | | As a well-known security expert and industry veteran, Mr... Read More →
avatar for Adam Mein

Adam Mein

Security Program Manager, Google
Some people like to find bugs; Adam likes to make sure they get fixed. He gets lots of opportunities to fulfill this (admittedly, sad) ambition as Manager of Google's Vulnerability Management team and Web Reward Program. | | Outside of work, Adam spends most of his time chasing around his 10 month old son and supporting his beloved Canberra Raiders rugby league team.
AR

Alex Rice

Product Security, Facebook


Thursday October 25, 2012 2:00pm - 2:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

How we tear into that little green man

Mobile applications are a part of every persons, and every organizations life. The potential for internal compromise is extremely high in relation to mobile applications due the common architecture that relies on a backend server. It is difficult to understand how easy it is to reverse engineer and modify mobile application unless you do it on a daily basis. In turn, it is difficult to realize what vulnerabilities exist within mobile applications, the backend servers accompanying those application, and what compromises can take place. This talk focuses on helping security experts and mobile developers understand how attackers reverse engineer mobile applications, what an attacker has access to, and how easy it is to circumvent local security implementations. Attendees will be shown real world applications, how the applications security was circumvented, and what consequences occurred. This talk will give insight to security professionals and developers how a malicious user will reverse engineer their applications and how to prevent those attacks. Throughout the talk Otertool - a tool to simplify reverse engineering of Android applications - will be demonstrated and made available to attendees.


Speakers
avatar for Mathew Rowley

Mathew Rowley

Senior Security Consultant, Matasano security
Mathew Rowley is a security consultant for Matasano Security with over 6 years experience as a computer security professional. His experience includes reverse engineering, mobile security, web application security assessment, hardware reversing, network security, fuzzing, and application development. | | | | Capabilities and Skills | | - Mobile Application Analysis and Reverse Engineering | | - Application Development | | - Protocol... Read More →


Thursday October 25, 2012 2:00pm - 2:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Put your robots to work: security automation at Twitter

With daily code releases and a growing infrastructure, manually reviewing code changes and protecting against security regressions quickly becomes impractical. Even when using security tools, whether commercial or open source, the difficult work of integrating them into the development and security cycles remains. We need to use an automated approach to push these tools as close to when the code is written as possible, allowing us to prevent potential vulnerabilities before they are shipped. We worked with development, operations, and release teams to create a targeted suite of tools focused on specific security concerns that are effective and don’t introduce any noise. This presentation will give an overview of what we’ve done over the past year, what we have learned along the way, and will provide advice for anyone else going down this road.


Speakers
avatar for Justin Collins

Justin Collins

Security Engineer, Twitter
Justin is a security engineer at Twitter and a long-time computer science PhD student at UCLA. He spends most of his time working on Brakeman, a static analysis security scanner for Ruby on Rails.
avatar for Neil Matatall

Neil Matatall

Information Security Engineer, Twitter
Twitter security engineer, football fan, hiker. I like writing code. I like breaking code. I like protecting code.
avatar for Alex Smolen

Alex Smolen

Security Engineer, Twitter
Security Engineer at Twitter. Graduate of the UC Berkely I School. Previously at Foundstone. | | Interested in security and the human experience.


Thursday October 25, 2012 2:00pm - 2:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store
Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store

Thursday October 25, 2012 2:00pm - 5:00pm
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Exploiting Internal Network Vulns via the Browser using BeEF Bind

Abstract:Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you?

The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.

This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.

So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits are configured to use the new BeEF Bind shellcode.

Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.

Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.

Come and see our live demonstration of this new attack technique in action!


Speakers
avatar for Michele Orrù

Michele Orrù

Senior Security Consultant, Trustwave SpiderLAbs
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, Semafor, Just4Meeting, OWASP, 44Con, EUSecWest, Ruxcon and more we just can't disclose. Besides having a passion for hacking... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Demystifying Security in the Cloud: AWS Scout

The scale and variety of Amazon Web Servers (AWS) has created a constantly changing landscape. What was previously managed by enterprise IT groups is now done through a variety of Amazon-based services, leaving many questions concerning the risk and security of these environments unanswered. This presentation will discuss the most common mistakes that we have seen in the field and show you how to audit them using AWS Scout.

Scout is a security tool that lets AWS administrators make an assessment of their environments security posture. Using the AWS API, we can gather configuration data for manual inspection or highlight high-risk areas automatically. Rather than pouring through dozens of pages on the web, we can get an clear view of the attack surface.


Speakers
JC

Jonathan Chittenden

iSEC Partners
Prior to his employment with iSEC, Jonathan worked for the Air Force as a civilian. His roles consisted of reverse engineering malware for both signature and exploitation development. This experience enabled Jonathan to be comfortable working at a low-level with unknown protocols and binaries. During this time, he also assisted in the development of an open-source intelligence application to be used to identify indicators of compromise... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST

Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a completely new approach - analyzing code execution, memory and data in runtime, allowing for accurate inspection of the application. We will discuss IAST technology (introduced into the 2011 Hype Cycle) compared with DAST/SAST, and the benefits it provides.

The goal of the talk is to examine and discuss technological concepts rather than specific products or solutions, and includes a technical drill-down into the technology specifics. The talk will begin by presenting the standard IAST building blocks and their benefits, and continue by showing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…


Speakers
OM

Ofer Maor

CTO, Quotium
Ofer Maor has over sixteen years of experience in information security, and is a pioneer in the application security field. He has been involved in leading research initiatives, has published numerous papers, appears regularly at leading conferences and is considered a leading authority by his peers. He also currently serves as the Chairman of OWASP Israel and a member of the OWASP Global Membership Committee. In his current role as Founder... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)


Information disclosure has always been a boon to hackers.
 
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
 
Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
 
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
 
What is that useful for?  
 
Consider the methods that are required to detect the following complex exposures:
 
SQL Injection attacks that affects different pages in the application via database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
 
Sounds confusing?
 
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user interference?
 
"Diviner" - a new OWASP ZAP extension, can be used to locate leads for direct and indirect attacks scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts.


Speakers
avatar for Shay Chen

Shay Chen

CEO, Effective Security
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. | | He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies. | | Shay is... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Rebooting (secure) software development with continuous deployment

If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.


Speakers
avatar for Nick Galbreath

Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication and other enterprise features.  Prior to Etsy, Nick has held leadership positions in number of social and e-commerce companies, including Right Media... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

WTF - WAF Testing Framework
We will be presenting a new approach to evaluating web application firewall capabilities that is suitable to the real world use case. Our methodology touches on issues like False Positive / False Negative rates, evasion techniques and white listing / black listing balance. We will demonstrate a tool that can be used by organizations to implement the methodology either when choosing an application protection solution or after deployment.

Speakers
YA

Yaniv Azaria

Imperva
Yaniv holds a B.Sc and M.Sc in Computer Science. An industry veteran with experience in developing web applications, bio-informatic algorithms and database security products. Was team leader for database security research in Imperva for 3 years and for the past couple of years conducts general database and application security research in general.
avatar for Amichai Shulman

Amichai Shulman

Imperva
Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Cross Site Port Scanning

Several web applications provide functionality to pull data from other Internet facing Web Applications for either internal use or to verify application availability. We see this in the form of applications pulling images using user specified URLs, applications showing server status for user specified URLs, applications pulling feeds, XML and manifest files etc. An attacker can abuse this functionality to send crafted queries to a remote web server using the application that provides this functionality. The responses can be studied and in the case of unique responses, can be abused to do a blind port scan on any Internet facing device or even on internal local networks and the same server/host.


In this paper we will see how this commonly available functionality in most web applications can be abused by attackers to port scan other servers, or perform a Cross Site Port Scan (XSPS). I found this issue with Facebook, where I was able to port scan any Internet facing server using Facebook’s IP addresses. Consecutively, I was able to identify this issue in several other prominent Web Applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that allowed me to abuse the functionality to perform port scans on remote servers using predefined functionality.

An attacker can abuse this by specifying URLs in the form of http://servername:<portnum> to the application and review the response obtained. I have seen three unique responses based on port and service. The following are the different errors/response messages obtained:
1. For an open port running an HTTP service, the error/server response is specific to the call. An attacker may see HTML content or a function specific message like “Image not found” or “Invalid data stream”
2. For an open port running a service other than HTTP (like SSH, TELNET, SMTP or RDP), the error/server response is mostly generic like “Invalid data stream”, “Expected content-type was invalid” or “Received HTTP error code -1 while fetching source feed”
3. For a closed port, the errors/server responses are often descriptive like “HTTP/1.1 503 Service Unavailable”, “[Errno 101] Network is unreachable” or “DOWNLOAD_ERROR_CONNECTION_REFUSED” etc.

Based on these error messages, which are unique for every server tested, we can conclusively identify closed and open ports on remote servers. Even better in some cases, the application displays the actual responses received in raw format allowing us to use it for banner grabbing.

Cross Site Port Scanning is a technique that allows an attacker to abuse perfectly common functionality, like fetching a file or data from a remote server, to perform blind port scans on Internet facing servers. An application which accepts user input as a URL, fetches content from the user supplied URL and displays non-generic errors, is vulnerable to XSPS. An attacker can also enumerate ports on the server that makes the HTTP request on behalf of the user by providing a localhost as the URL with a port parameter.
Simply put, an application that accepts a URL like http://site/images/derp.jpg fetches the content on the server side and displays the image, is vulnerable, if it displays port status or connection specific errors when a user requests the following URLs:
http://site:22/images/nonexistentimage.jpg
http://site:23/images/nonexistentimage.jpg
http://site:3128/images/nonexistentimage.jpg
http://site:3389/images/nonexistentimage.jpg
An attacker would then be able to analyze the error messages and identify open and closed ports based on unique error responses. These responses may be raw socket errors (like “Connection refused” or timeouts) or may be customized by the application (like “Unexpected header found” or “Service was not reachable”) 


Speakers
avatar for Riyaz Walikar

Riyaz Walikar

I am a Web Application Security Engineer / Pentester / Network Security Architect for food, shelter, fun and passion. I have had luck with finding vulnerabilities with popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, Ebay, Apigee etc. for which I am on the Hall of Fame for most of these services. You can follow me on twitter @riyazwalikar | | My interests lie with vulnerability research, breaking web... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods
Attacks such as Cross-Site Scripting, HTTP header injection, and SQL injection take advantage of weaknesses in the way some web applications handle incoming character strings. One technique for defending against injection vulnerabilities is to sanitize untrusted strings using encoding methods. These methods convert the reserved characters in a string to an inert representation which prevents unwanted side effects. However, encoding methods which are insufficiently thorough or improperly integrated into applications can pose a significant security risk. This paper will outline an algorithm for identifying encoding methods through automated analysis of Java bytecode. The approach combines an efficient heuristic search with selective rebuilding and execution of likely candidates. This combination provides a scalable and accurate technique for identifying and profiling code that could constitute a serious weakness in an application.

Speakers
avatar for Alex Emsellem

Alex Emsellem

Intern Software Engineer, Aspect Security
Currently pursuing a bachelor's degree in Computer Science. I'm primarily focused on software reverse engineering and exploitation. Around ten years ago I found my first vulnerability in a web application, and remember it vividly. I live for innovative ideas and the cutting-edge.


Thursday October 25, 2012 4:00pm - 4:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Analyzing and Fixing Password Protection Schemes

In this talk jOHN takes apart password protection scheme analyzing the attack resistance of hashes, hmacs, adaptive hashes (such as script), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. Discussion of the primitives will be from a critical perspective modeled as an iterative secure design session.

Ultimately, this session presents the solution and code donated as part of the on-going OWASP PSM (password storage module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production JavaEE code to customers.


Speakers
avatar for John Steven

John Steven

Internal Chief Technology Officer, Cigital Inc.
I spend incalculable time striving to make the perfect macchiato. Passionate about running and reading. I'm alarmed at the lack of innovation within application security over the past five years and anxious to get back to designing and implementing large-scale systems. | | Others have said: John’s expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

DevOps Distilled: The DevOps Panel at AppSec USA

DevOps is the rage these days, but what does it really mean and what does it look like for the AppSec community? This panel will explain DevOps and explore its impact on AppSec and most importantly we will look at how DevOps is changing the shape of the business.

If people in your organization are talking about doing 10 deploys a day to production or are discussing chef and puppet, then this panel is for you. If you are interested in cucumber and integrating security testing into your continuous integration tooling, then this panel is for you. If you are just plain confused about DevOps and think it is just a new buzzword, then this panel is for you. If you are using the cloud at all, then this panel is for you.

This panel features some of the best and brightest minds in the DevOps community and is a don't miss event. We will be taking questions from the audience ahead of time by tweeting with the hashtag #DevOpsPanel the week leading up to the conference.


Speakers
avatar for Josh Corman

Josh Corman

Director of Security Intelligence, Akamai Technologies
Joshua Corman is the Director of Security Intelligence for Akamai. Most recently he served as Research Director for Enterprise Security at The 451 Group. Mr. Corman’s cross-domain research highlights adversaries, game theory and motivational structures. His analysis cuts across sectors to the core security challenges plaguing the IT industry, and helps to drive evolutionary strategies toward emerging technologies and shifting... Read More →
avatar for Nick Galbreath

Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges and media trading platforms. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication and other enterprise features.  Prior to Etsy, Nick has held leadership positions in number of social and e-commerce companies, including Right Media... Read More →
avatar for Gene Kim

Gene Kim

Author, Researcher, IT Revolution
Gene is a multiple award winning CTO, researcher and author.  He was founder and CTO of Tripwire for 13 years. He has written three books, including “The Visible Ops Handbook” and “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win."  Gene is a huge fan of IT operations, and how it can enable developers to maximize throughput of features from “code complete” to “in production,” without causing chaos and... Read More →
avatar for David Mortman

David Mortman

Chief Security Architect, enStratus
David Mortman is the Chief Security Architect for enStratus and a Contributing Analyst at Securosis. Most recently he was the Director of Security and Operations for C3, LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical... Read More →
avatar for James Wickett

James Wickett

Sr. Engineer, Signal Sciences Corp
James is an innovative thought leader in the DevOps and InfoSec communities and has a passion for helping big companies work like startups to deliver products in the cloud. He got his start in technology when he ran a Web startup company as a student at University of Oklahoma and since then has worked in environments ranging from large, web-scale enterprises to small, rapidly growth startups. As a Senior DevOps Engineer, James is currently... Read More →


Thursday October 25, 2012 4:00pm - 4:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

5:00pm

LASCON Style Happy Hour

You dont want to miss this one!


Thursday October 25, 2012 5:00pm - 8:00pm
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:00pm

Special Sneak Preview of the REBOOT Film

Special Sneak Preview of the REBOOT Film


Thursday October 25, 2012 8:00pm - 10:00pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704
 
Friday, October 26
 

7:00am

Race Condition - AppSec 5K Race
5k Charity Run OWASP AppSec USA 2012 will host a 5k Race to be held prior to conference sessions on Friday morning. The $50 fee covers race support and a limited edition Nike Dri-Fit t-shirt. All proceeds will be donated to the OWASP Projects Reboot initiative (https://www.owasp.org/index.php/Projects_Reboot_2012). If you’ve already registered for AppSec and would like to attend, simply LOG IN HERE and add it to your agenda. If you have not already registered for AppSec, you should REGISTER TODAY to reserve your pass. http://www.appsecusa.org/schedule/5k-charity-run/

Friday October 26, 2012 7:00am - 8:00am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:00am

Registration Open

In the Lobby


Friday October 26, 2012 8:00am - 8:30am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

8:30am

KEYNOTE: The State of OWASP
Come hear about the State of OWASP from the OWASP Board

Speakers
avatar for Tom Brennan

Tom Brennan

Consultant, ProactiveRISK
Global Board of Directors OWASP Foundation | 2016 Chairman NYMJCSC Conference | Consultant for Hire @ Proactive Risk
avatar for Michael Coates

Michael Coates

Director of Product Security, Shape Security
Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security.  In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack aware applications that leverage real time detection and response capabilities. | | Michael is also the Director of Product Security at Shape Security, a Silicon Valley startup... Read More →
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →
avatar for Eoin Keary

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing. Eoin lives in Dublin, Ireland. 
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →
avatar for Dave Wichers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting company that specializes in application security services. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the OWASP Board since it was formed from 2004 through 2013, served as OWASP Conferences Chair from 2005 through 2008, is a coauthor of the OWASP Top 10 and has led the project since... Read More →


Friday October 26, 2012 8:30am - 9:00am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am

KEYNOTE: Some Lessons from the Trenches by Michael Howard

During the last year, Michael has moved from working with internal Microsoft product groups, such as Windows, Xbox, Windows Azure and Visual Studio to working more closely with Microsoft customers to help them improve their secure software design and development practices. During this time he has learned a great deal about mapping internal Microsoft thinking to the “real world.” In this keynote, Michael will share some of those experiences and describe some of the successful recommendations.


Speakers
MH

Michael Howard

Principal Cybersecurity Architect, Microsoft
Michael Howard is a principal cybersecurity architect in the Public Sector Services group. Prior to that, he was a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he was responsible for managing secure design, programming, and testing techniques across the company.   Howard is an architect of the Security Development Lifecycle (SDL), a process for... Read More →


Friday October 26, 2012 9:00am - 9:45am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

9:00am

Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store
Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store

Friday October 26, 2012 9:00am - 12:00pm
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Payback on Web Attackers: Web Honeypots

Honeypots have played a key role as a defensive technology for a long time in IT security with the first public work by Clifford Stoll’s The Cuckoo’s Egg on 1990 and later Bill Cheswick’s “An Evening With Berferd” on the 1991 [2]. For a detailed honeypot history we recommend the book Honeypots: Tracking Hackers.
Wikipedia defines a honeypot as a “trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers”.
Web attacks are the most common form of attack these days due to that it is easy to automatize attacks and web apps suffer from multiple attack vectors. For a detailed web attack landscape report we recommend Imperva’s Web Application Attack Report, Edition #2 – January 2012 [5].
Besides the use of honeypots for system and network security for a long time and the increase of web attacks per year, especially on the Web 2.0, web honeypots are still in infancy stage of research and development or usage as a security defense in corporate networks.
In this presentation, we explore the design and uses of a web honeypot with offensive and defensive capabilities called Carmen Rogue Web Server. Carmen Web Server v1.0 was developed around 2005 while the development of Carmen Web Server v2.0 has picked up on 2012 backed by VULNEX to address today threats focused on web attacks.
By developing a generic but highly customizable and easy to deploy web honeypot we try to make this technology accessible to security teams across the world to help them protect their networks by adding an extra layer of security.
Carmen can be used as a defensive tool to collect data from the attack like the password list from a brute force attack, all kind of attack patterns such as Cross-Site Scripting (XSS) and SQL Injection (iSQL) or even try to confuse attack tools using multiple methods such as Mix Server Simulation (Apache, IIS, etc.) or Fake Session ID Generation among others capabilities. On the opposite side Carmen can also be used as an offensive platform to test application security using fuzzing or to develop exploits by using its plugin and CGI capabilities.
This presentation will dig into web honeypot landscape and related work, the design approach taken for Carmen Web Server, use cases with demos and how to improve this technology.


Speakers
SR

Simon Roses Femerling

CEO, VULNEX
Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in E-Commerce from | Harvard University (Boston) and Executive MBA from IE Business School (IE, Madrid). | | Currently is the CEO at VULNEX, driving security innovation. Former Microsoft, | PriceWaterhouseCoopers and @Stake. | | Simon has authored and cooperated in several security Open Source projects like OWASP | Pantera and LibExploit. He has also published security... Read More →


Friday October 26, 2012 10:00am - 10:45am
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Spin the bottle: Coupling technology and SE for one awesome hack

Social-Engineering is nothing new. From the dawn of man, social-engineering has been an avenue to obtain results through manipulation and deception (not always). As the creator of the Social-Engineer Toolkit (SET), I get a wide variety of experiences and new techniques in identifying ways to penetration organizations in a unique way. You never know what you are going to get on the other end. It's a game of chance, odds, and confidence. During this talk, we'll dive down into how social-engineering and technology can be used in order to compromise multiple avenues of an organization and live demonstrations of a new version of the Social-Engineer Toolkit. I'll also be walking through some of the different SE scenarios and how I overcame a number of challenges and hurdles while performing some of the most difficult red team exercises. Let's play a game of spin the bottle, where the person on the other end is a complete anomaly and unknown. Where your confidence matters and your pretext is everything.


Speakers
avatar for David Kennedy

David Kennedy

Dave Kennedy is founder and principal security consultant of TrustedSec, LLC - An information security consulting firm located in Cleveland Ohio. David was the former Chief Security Officer (CSO) for a Fortune 1000 where he ran the entire information security program. Kennedy is a co-author of the book “Metasploit: The Penetration Testers Guide,” the creator of the Social-Engineer Toolkit (SET), and the creator of Artillery... Read More →


Friday October 26, 2012 10:00am - 10:45am
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Incident Response: Security After Compromise

Too often security and IT professionals believe that once a system is compromised, “security” has failed.  In the world of Incident Response, security is just beginning.  In this talk Richard Bejtlich will share thoughts on how to make incident response work for the benefit of an intrusion victim.  He will talk about key ideas that show an organization can suffer compromise yet not suffer real damage, despite the worst intentions of the adversary.


Speakers
avatar for Bejtlich, Richard

Bejtlich, Richard

Chief Security Officer, Mandiant
Richard Bejtlich is Chief Security Officer at MANDIANT. He was previously Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Prior to GE, he operated TaoSecurity LLC as an independent consultant, protected national security interests for ManTech Corporation's Computer Forensics and Intrusion Analysis division, investigated intrusions as part of Foundstone's... Read More →


Friday October 26, 2012 10:00am - 10:45am
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Effective approaches to web application security

This presentation will focus on new and interesting approaches to web application security problems posed by a continuous deployment environment. Specifically, this presentation will cover useful security systems such as automatic vulnerability and application fault detection, effective platform defenses for XSS/SQLi, practical security alerting mechanisms, and visualizations of security related data. This talk demonstrates how to create these systems using free tools that improve security posture without commercial security products.


Speakers
ZL

Zane Lackey

Director of Security Engineering, Etsy
Zane Lackey is the Director of Security Engineering at Etsy and a member of the Advisory Council to the US State Department-backed Open Technology Fund. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners. | | He has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, Network World, and SC Magazine. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA... Read More →


Friday October 26, 2012 10:00am - 10:45am
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

10:00am

Why Web Security Is Fundamentally Broken

Most people are disturbed when they witness just how much of their personal information is accessible the very moment they visit a website. Then, if you give that [malicious] website just one mouse-click --- out goes even more personally identifiable data. We’re talking about full names, where you live, the town where you grew up and went to school, martial status, list of friends, sites you are logged-in to, the software you use complete with version numbers, and in some cases, your browser’s auto-complete data and history of other sites you’ve visited. All of this is performed using nothing but HTML and JavaScript. No need for memory corrupting exploits that escape the confines of the browser walls.

Through a demo-driven presentation, the audience will see first-hand how and why all these attacks are possible, even in the presence of browser silent updates and the latest security improvements such as sandboxes, anti-phishing protections, and the availability of Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL, etc. And just so everyone is crystal clear, firewalls don’t help and neither does anti-virus software. The reason why none of this works is that these web attacks take advantage of flaws in the way the Web was designed to work! Adding insult to injury most of the techniques on display are NOT technically “new,” and this talk will cleverly wire these issues together to make a point, and tell a story. It is the story of Why Web Security Is Fundamentally Broken.

Here’s the punchline: The only known ways to fix these issues adequately is to “break the Web” -- i.e. negatively impact the usability of a significant percentage of websites. Doing so directly conflicts with business interests of the current browser vendors who are looking to grow market share and advertising revenue. Their choice is simple, be less secure and more adopted, rather than secure and obscure. This is the Web security trade-off that’s being made for us.


Speakers
avatar for Jeremiah Grossman

Jeremiah Grossman

Founder, WhiteHat Security
Jeremiah Grossman is the Founder and iCEO of WhiteHat Security, where he sets overall company vision and oversees day to day operations. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. | | As a well-known security expert and industry veteran, Mr... Read More →


Friday October 26, 2012 10:00am - 10:45am
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems

Throw out everything that you know about security tools today. No more six-figure appliances that only do one thing marginally well. No more proprietary protocols. We deserve better and we demand better. Envision a world where your security tools talk with eachother. They communicate and share data in order to leverage eachothers strengths and and help compensate for their weaknesses. They work together to solve problems. Envision "Symbiotic Security".

Symbiotic Security is a new term that was coined to describe the ability of a tool to consume data from other tools or provide data to other tools. As part of our research, we have examined various classes of tools on the market and identified these abilities in each of them resulting in a label of "Consumer", "Provider", or "Symbiotic". As a consumer of security tools, this completely revolutionizes the way that we make purchases.

As an example, let's pretend that you are purchasing a new Intrusion Prevention System for your enterprise. As you begin to evaluate the various tools from the Gartner Magic Quadrant, you quickly realize that they almost all have the same primary feature set. The key differentiator at this point aren't the rules or the hardware, but rather, the ability for the system to send and receive data with other systems. The IPS itself has some signatures and blocking abilities, but has zero relevancy data. Now, we give the IPS the ability to pull in vulnerability data and system configuration information from network and host scans and we gain relevancy. Add in some additional data on where the potential threat is coming from and now you have the data necessary to take a decisive action on threats. This new system is a "Consumer". Now, if you give the IPS the ability to send information to other devices on things like the source of relevant threats, those devices, like a firewall or HIPS, can now make intelligent blocking decisions as well. Our IPS now has "Provider" abilities. Since our IPS is labeled as both a "Provider" and "Consumer" it is deemed "Symbiotic". This convention can now be used both by the manufacturer to market the value-add of the device as well as a way for the purchasers to differentiate between otherwise similar devices.

In order to demonstrate the true powers of being symbiotic, we are releasing a free tool that epitomizes this concept. The tool, named ThreadFix, has been labeled as a "Consumer" because of it's abilities to pull vulnerability data from static and dynamic scanning tools, threat modeling, and manual penetration tests as well as alert logs and vulnerability details from IDS, IPS, and WAF products. ThreadFix has also been labeled as a "Provider" because of it's abilities to normalize the data consumed and pass it along to IDS, IPS, and WAF for action as well as to your bug tracking system for remediation tracking. Because it can serve both a consumer and provider role, we designate it as a "Symbiotic" tool, thus indicating that it can provide the utmost value to it's users.

We recognize that like any new concept it can take some time to embrace, but we feel certain that labeling tools according to their abilities as "Consumers" and "Providers" can help to facilitate a much needed turn towards openness in our industry. Vendors will get the message that consumers want to select tools that work together in order to achieve their maximum effectiveness. Consumers will get the added value of having tools that work outside of their silos to make their jobs more efficient and maximize their ROI. Please join us in embracing this bold new concept.


Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Friday October 26, 2012 11:00am - 11:45am
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Blended Threats and JavaScript: A Plan for Permanent Network Compromise

This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "http://www.scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "https://github.com/superevr/ddwrt-install-tool".

During Black Hat 2006, it was shown how common Web browser attacks could be leveraged bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.

This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and complete every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise.


Speakers
avatar for PHIL PURVIANCE

PHIL PURVIANCE

Security Associate, Bishop Fox
The number of companies with bug bounty programs has increased dramatically over the last five years. A clever researcher can make easy money disclosing security vulnerabilities responsibly, and some have even turned it into a full-time job. | | But how do these programs actually work? I will use my personal experiences on both sides of the fence - as a bug hunter and as a bug bounty submission reviewer - to provide an exclusive look into... Read More →


Friday October 26, 2012 11:00am - 11:45am
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards

Siebel and JDE platforms are a core part of our global business-critical infrastructure. Our credit card numbers, bills, personal information and consuming habits; top-tier companies' business processes and their most confidential information. It's all in there.

Despite their criticality, there is still today very scarce public information on how attackers may try to break into these systems and what we can do to stop them, placing the bad guys in a very powerful position. The Auditing and InfoSec industries have been traditionally focused only on enforcing segregation of duties controls, and that's not enough anymore.

Join us in this new presentation to understand, through several live demos, how intruders can remotely execute code, steal user passwords and manipulate proprietary technologies to perform espionage, sabotage and fraud attacks, without having a valid user in the systems. Furthermore, you will see how these attacks may be performed over the Internet.

Learn how to mitigate these risks, starting by learning how to assess them in your company using the new version of Bizploit, the opensource ERP Penetration Testing framework, to be released after the talk.


Speakers
avatar for Juan Perez-Etchegoyen

Juan Perez-Etchegoyen

CTO, Onapsis, Inc.
Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the Company in the cutting-edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of the innovative Onapsis' software solutions. | Being responsible for managing the Onapsis Research Labs, Juan Pablo has also been actively involved in the coordination and research of critical security vulnerabilities in ERP... Read More →
avatar for Jordan Santarsieri

Jordan Santarsieri

Senior Security Researcher, Onapsis
Jordan Santarsieri is a senior Onapsis security consultant and researcher. Being also a member of the Onapsis Research Labs, he is engaged in a daily effort to identify, analyze, exploit and mitigate vulnerabilities affecting ERP systems and business-critical applications. | | Jordan has discovered critical vulnerabilities in SAP software and is a frequent author of the "SAP Security In-Depth" publication. Through his work, he has... Read More →


Friday October 26, 2012 11:00am - 11:45am
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Early Lunch Option

Early Lunch Option available for Sponsors, Staff, and Speakers


Friday October 26, 2012 11:00am - 11:45am
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

Hack your way to a degree: a new direction in teaching application security at universities
Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system. The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges were created two years ago in order to be used for teaching application security in a class of more than 200 students at the Technical Educational Institution of Larissa, Greece. Currently, they are used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project, mainly in terms of new challenges by several researchers, including the New Jersey Institute of Technology. In detail, the students’ involvement into practical pre-designed scenarios was attempted originally during the course of two university courses, in order for them to understand the way intruders think, the methodologies they follow and the liabilities one may face for the flawed security of applications and/or the supporting infrastructure. Based on the above, an educational software tool was developed which comprised a variety of realistic scenarios, where the student had to locate and exploit various vulnerabilities, in order to successfully complete the challenge. The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities. In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present the new interface that was developed during the Google Summer of Code 2012. This interface introduces significant capabilities and features mainly for teachers and administrators. A teacher is able to organize students into classes, monitor their progress as they solve the challenges and introduce new challenges to specific groups on a scheduled basis. Moreover, we will introduce an automated mechanism for adding new challenges to the system. A challenge can be automatically integrated to the system after it is tested by an administrator. The entire procedure is transparent to the user that submits the challenge and no changes to the server or the back-end are required. The OWASP Hackademic Challenges is the first project that supports automatic integration of new challenges, facilitating submission of new challenges by the community. A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom.

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


Friday October 26, 2012 11:00am - 11:45am
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

11:00am

The Same-Origin Saga

I created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties.SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework. I will review SOP's vulnerabilities and its "patches" that were intended to mitigate those avenues of attack. I will close by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.


Speakers
avatar for Brendan Eich

Brendan Eich

Chief Technology Officer, Mozilla
Brendan Eich is CTO of Mozilla and widely recognized for his enduring contributions to the Internet revolution. In 1995, Eich invented JavaScript (ECMAScript), the Internet’s most widely used programming language. He also co-founded the mozilla.org project in 1998, serving as chief architect. Eich helped launch the award winning Firefox Web browser in November 2004 and Thunderbird e-mail client in December 2004. Today, Eich’s... Read More →


Friday October 26, 2012 11:00am - 11:45am
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

12:00pm

Lunch and WASPY Awards

Take this time to grab a bite, socialize and visit the booths in the Foyer areas.


Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Friday October 26, 2012 12:00pm - 12:45pm
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

NoSQL, no security?

Serving as a scalable alternative to traditional relational databases (RDBs), NoSQL databases have exploded in popularity. NoSQL databases offer more efficient ways to work with large datasets, but serious security issues need to be addressed.
NoSQL databases can suffer from a variety of injection attacks. Most NoSQL databases can’t authenticate and authorize clients, and can’t provide role-based access controls or encryption. Because these controls do not exist, developers and administrators are forced to implement their own controls to compensate for these shortcomings. These compensating controls could become a problem for organizations that have compliance considerations and could make maintaining NoSQL more complex than simply deploying an enterprise relational database that features built-in security.
Because many NoSQL architectures lack encryption and authentication, an attacker could eavesdrop on the client-server communication and obtain private data. Additionally, NoSQL databases can suffer from a variety of injection attacks via Javascript and JSON. Traditional SQL injection countermeasures are not effective against these attacks, so developers must be aware of these threats and write code that attackers can’t penetrate.
In this presentation we’ll talk about how RDB security features and threats apply to NoSQL databases. We’ll also explore the security controls that are present in NoSQL architectures, and cover administrative, compliance and regulatory concerns associated with operating NoSQL architectures in environments that contain sensitive data.


Speakers
avatar for Will Urbanski

Will Urbanski

Will Urbanski is a security researcher who tracks vulnerability and malware trends. He has experience in both research and security operations in enterprise and higher education environments. Will is the co-author of a patent for an IPv6 moving target defense. He has more than eight years of experience in Information Security and has written articles for numerous journals, including IEEE Security & Privacy. Will holds a Bachelor of Science in... Read More →


Friday October 26, 2012 1:00pm - 1:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

SQL Server Exploitation, Escalation, and Pilfering

During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.


Speakers
avatar for Antti Rantasaari

Antti Rantasaari

Security Consultant, NetSPI
Antti Rantasaari is currently a security consultant at NetSPI. He is responsible for performing security assessments and contributing to the development of the methodologies, techniques, and tools used during network and application penetration testing.
avatar for Scott Sutherland

Scott Sutherland

NetSPI
Scott Sutherland is a Principal Security Consultant at NetSPI. Scott is responsible for the development and execution of penetration testing for the firm. He has developed a number of the proprietary tools and techniques that the company uses and also plays a major role in the skills development and training of the NetSPI network and application penetration testing team. Scott is an active participant in the information security community... Read More →


Friday October 26, 2012 1:00pm - 1:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

Iran's real life cyberwar

The recent Stuxnet, Flame and CA compromises involving Comodo and DigiNotar had three common elements, each was government sponsored, each involved Iran and all three involved a PKI compromise. The presenter will share experience of dealing with the Iranian attack, highlighting the ways in which government sponsored attacks are very different from both 'ordinary' criminal attacks and the Hollywood view of 'cyberwarfare'.


Speakers
avatar for Phillip Hallam-Baker

Phillip Hallam-Baker

Vice President and Principal Scientist, Comodo Inc.
Dr Hallam-Baker is an internationally recognized computer security specialist credited with 'significant contributions' to the design of HTTP 1.0, the core protocol of the World Wide Web. | | His book 'dotCrime Manifesto: How to Stop Internet Crime' sets out the first technical blueprint for how to make the Web and the Internet a less crime permissive environment by introducing accountability controls for transactions that require... Read More →


Friday October 26, 2012 1:00pm - 1:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

Real World Cloud Application Security

This presentation will provide the audience with a case study of how real world organizations using the public cloud are approaching application security. Netflix, one of the largest AWS and public cloud users in the world, will serve as the subject of the case study.

I will cover a variety of topics of interest to application security personnel, including:

-Automating and integrating security into CI/CD environments
-Large scale vulnerability management
-Continuous security testing and monitoring, including Netflix's Security Monkey framework
-Cultural integration of security in DevOps/agile organizations


Speakers
avatar for Jason Chan

Jason Chan

Cloud Security Architect, Netflix
I work in Netflix’s Cloud and Platform Engineering team as the Cloud Security Architect. In my current role, I work with Netflix engineering, IT, legal, and business teams to ensure the secure design, implementation, and operation of the company’s cloud deployment and overall application environment. | | | | Prior to joining Netflix, I led the information security team at VMware and spent most of my earlier career as a security... Read More →


Friday October 26, 2012 1:00pm - 1:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

1:00pm

Builders Vs. Breakers

Builders vs. Breakers is a fast paced highly interactive game show debate style talk. Each topic starts with a short introduction pitting the Builder vs. the Breaker. It is then opened up for audience participation. After taking views from the audience, the audience votes on a winner. Whichever side wins the debate is rewarded and the contest moves on to the next topic.

Our builder is a veteran software developer building security tools for developers. Our breaker is a seasoned pen tester with product management and research experience. Our game show host keeps the discussion moving smoothly ... and has been known to occasionally express the business perspective.

Questions for debate will be posted/gathered on google docs for preview and participation. Building on our fun experiences at DC20 SkyTalks and BSidesChicago 2011/2012 this talk is aimed at getting the audience involved and ultimately thinking about contributing to the broader community.


Speakers
avatar for Brett Hardin

Brett Hardin

CEO, SourceNinja
Brett Hardin is a developer, author, advisor, and speaker on information security and entrepreneurship. Brett began programming at the age of 8 and began his professional career getting paid to find and exploit vulnerabilities within Fortune 500 organizations. Brett has been focused on helping developers secure code. Brett also co-authored the book Hacking: The Next Generation.
avatar for Matt Konda

Matt Konda

Founder, Jemurai
Matt Konda is a developer and application security expert. He founded Jemurai to focus on working with teams to deliver secure software. Jemurai works with clients on security automation, training, strategy, building AppSec teams and more. Matt is on the global board of OWASP, active in developer and devops focused OWASP open source projects and regularly gives industry talks.
avatar for Jon Rose

Jon Rose

Agile Security, Dun & Bradstreet
Jon has a unique combination of an innovative entrepreneur with the proven ability to lead Fortune 500 companies. With over 16 years of experience launching products, securing environments, training and educating technology teams, and building agile security organizations, Jon has a deep and wide understanding of organizational capabilities for both start-ups and large scale organizations.


Friday October 26, 2012 1:00pm - 1:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

In the last year, 2011, major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. as seen in the Diginotar breach) and based on the current trust models (trusting all registered CAs equally for all domains) exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption being the technologies discussed by the browser vendors at the recent IETF Web Security working group meetings: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach, which has been partly tested in Chrome, and already helped identify and protect to some extend Google's web application in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July 2011, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.

The presented technologies are cutting edge and although the specification is not final yet, they are in their final stages and currently in roll-out and ready to be used. Other models that compete or complement this approach shall also be discussed (DNSSEC, etc. ).


Speakers
avatar for Tobias Gondrom

Tobias Gondrom

Managing Director, Thames Stanley: Information Security and Risk Management Advisory
Tobias Gondrom is Managing Director of Thames Stanley, a CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has fifteen years of experience in software development, application security, cryptography, electronic signatures and global standardisation organisations working for independent software vendors and large global corporations in the financial, technology and government sector, in... Read More →


Friday October 26, 2012 2:00pm - 2:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

XSS & CSRF with HTML5 - Attack, Exploit and Defense

HTML5 has empowered browser with a number of new features and functionalities. Browsers with this new architecture include features like XMLHttpRequest Object (L2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more. The browser is emerging as a platform like a little operating system and expanded its attack surface significantly. Applications developed in this new architecture are exposed to an interesting set of vulnerabilities and exploits. Both traditional vulnerabilities like CSRF and XSS can be exploited in this new HTML5 architecture. In this talk we will cover following new attack vectors and variants of XSS and CSRF.

HTML5 driven CSRF with XMLHttpRequest (Level 2)
CSRF with two way attack stream
Cross Site Response Extraction attacks using CSRF
Cross Origing Resource Sharing (CORS) policy hacking and CSRF injections
DOM based XSS with HTML5 applications
Exploiting HTML5 tags, attributes and events
DOM variable extraction with XSS
Exploiting Storage, File System and WebSQL with HTML5 XSS
Layered XSS and making it sticky with HTML5 based iframe sandbox
Jacking with HTML5 tags and features

In this session we will cover new methodology and tools along with some real life cases and demonstration. At the end we will cover some interesting defense methodologies to secure your HTML5 applications.


Speakers
avatar for Shreeraj Shah

Shreeraj Shah

Founder & Director, Blueinfy Solutions
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy and iAppSecure Solution. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in security space. He is also the author of popular books like Web 2.0 Security, Hacking Web Services and Web Hacking: Attacks and Defense. In addition, he has published several advisories, tools, and whitepapers, and has... Read More →


Friday October 26, 2012 2:00pm - 2:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

The Application Security Ponzi Scheme: Stop paying for security failure

Consider the major classes of threats that have been significantly mitigated in the past. For OS vulnerabilities, DEP and ASLR have greatly improved the security of every supporting OS. For applications, ORMs have greatly reduced SQL Injection and auto-encoding has greatly reduced XSS. Common to both of these are fundamental changes in the underlying OS or framework, which produces hardened applications without any extra work for developers. Has the scan, fix, rescan cycle finally lost its allure? Matt and Jarret provide their incites into how to revolutionize the app security industry. Come participate in the discussion or just poke holes in Matt and Jarret’s grandiose dream. Maybe you’ll want to passionately defend your corner of the app sec world. Whichever you choose, it will be fun.


Speakers
avatar for Jarret Raim

Jarret Raim

Rackspace
Jarret Raim is the Security Product Manager at Rackspace Hosting. Since joining Rackspace, he has built a software assurance program for Rackspace?s internal software teams as well as defined strategy for building secure systems on Rackspace?s OpenStack Cloud implementation. Through his experience at Rackspace, and as a consultant for Denim Group, Jarret has assessed and remediated applications in all industries and has experience width a wide... Read More →
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Friday October 26, 2012 2:00pm - 2:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Get off your AMF and don’t REST on JSON

HTTP is being used to transport new request formats such as those from mobile apps, REST, JSON, AMF and GWTk, but few security teams have updated their testing procedures. All of these new formats are potential new playgrounds for attackers and pen testers. You just need to know how to play. In this talk, Dan Kuykendall will demonstrate the process of breaking down these new formats and where to attack them on various vulnerable applications. Most of the attacks are the familiar classics like SQL and Command injection applied in modern applications. Attendees will learn to leverage their existing pen testing skills and techniques and apply them to these new formats.

Dan Kuykendall, Co-CEO & CTO of NT OBJECTives, discusses emerging application security threats in the latest technologies.


Speakers
avatar for Dan Kuykendall

Dan Kuykendall

co-CEO and CTO, NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan’s dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated... Read More →


Friday October 26, 2012 2:00pm - 2:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Unraveling Some of the Mysteries around DOM-Based XSS

DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.

This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.


Speakers
avatar for Dave Wichers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting company that specializes in application security services. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the OWASP Board since it was formed from 2004 through 2013, served as OWASP Conferences Chair from 2005 through 2008, is a coauthor of the OWASP Top 10 and has led the project since... Read More →


Friday October 26, 2012 2:00pm - 2:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

2:00pm

Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store
Open Source Showcase, Capture The Flag, Lockpick Villiage and OWASP Store

Friday October 26, 2012 2:00pm - 5:00pm
Foothills I (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

The 7 Qualities of Highly Secure Software

The applications on the web, mobile, and the cloud, all have one thing in common: They are all insecure. And in this world that is rife with software vulnerabilities, if there were just seven things you are allowed to place in the bag entitled "software development" and the condition that is imposed on you is that the output from that bag must be secure, what would they be?

In this talk, the seven qualities that will enable your organization to develop reliable and hacker resilient software will be covered. Coverage in scope will be from the builder to the boardroom.

Take aways from the session will include strategies to consider and implement within your organization as you develop software, whether it is for the cloud, mobile devices, or the web.


Speakers
avatar for Mano 'dash4rk' Paul

Mano 'dash4rk' Paul

Christian, CyberSecurity Advisor and Strategist, Author, Shark Biologist, Entrepreneur, Security Trainer, Speaker, HackFormer, yada yada yada ... | Ask a resident of Hawaii what Mano means and they would say that it is one of the above. Do you know which one?


Friday October 26, 2012 3:00pm - 3:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Web Framework Vulnerabilities
This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities. This talk is trimmed down version of the 3 hour workshop given at Blackhat. This is an advanced talk and an understand of the application frameworks is a prerequisite to get the most out of this talk.

Speakers
AK

Abraham Kang

Principal Security Researcher, HP Fortify
Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University. Abraham currently works for HP Fortify as a Principal Security Researcher. Prior to joining Fortify, Abraham worked with application security for over 10 years with the most recent 4 years being a security code reviewer at Wells Fargo... Read More →


Friday October 26, 2012 3:00pm - 3:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Web App Crypto - A Study in Failure

Seldom in cryptography do we have any unconditional proofs of the difficulty of defeating our cryptosystems. Furthermore, we are often defeated not by the attacks we anticipated, but the vectors we did not know about. Like fire and safety engineers, we learn from the mistakes of the past in order to avoid similar mistakes in the future. This presentation is a summary of the mistakes that web app developers have made in implementing crypytosystems, so that we do not repeat them.


Speakers
avatar for Travis H

Travis H

Secure Software Development Life Cycle Specialist, Well-Known Financial Institution
Travis has been employed doing security or cryptography for financial institutions, top 50 web sites, e-commerce hosting companies, web software companies, and other organizations. He has been part of the largest security monitoring operation in the world, part of the security team for the most widely used piece of software in the world, and helped design an intrusion detection system. He occasionally teaches classical cryptology at Stanford.


Friday October 26, 2012 3:00pm - 3:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Origin(al) Sins

The web has a Confused Deputy problem at the heart of many of our hardest security challenges. Tricking a browser or site into using latent credentials and authentication information for other parties and sites is the game and XSS is how it's played. With CSP, sandboxed iframes, and the next version of Chrome Apps, Google is tackling these the challenges for app authors head-on, making it easier than not to build secure apps and removing the potential for confusion by removing ambient authority itself. This talk explores why, how, and when we might finally improve the baseline security level of new apps.


Speakers
AR

Alex Russell

Google
Alex Russell is a software engineer on the Chrome team at Google where he serves on the standards body for JavaScript (ECMA TC39), helps shape new web platform APIs and features, contributes to Chrome for Android and Chrome Frame, and agitates for a better app platform.


Friday October 26, 2012 3:00pm - 3:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

3:00pm

Using Interactive Static Analysis for Early Detection of Software Vulnerabilities

We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:
• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.

We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code.


Speakers
avatar for Bill Chu

Bill Chu

Professor, University of North Carolina at Charlotte
I received my Ph.D. in Computer Science from University of Maryland at College Park. My current research is focused on building interactive tools to support developers writing more secure code. Part of this effort is the OWASP ASIDE project(https://www.owasp.org/index.php/OWASP_ASIDE_Project). Outside work I enjoy readings in philosophy and history.


Friday October 26, 2012 3:00pm - 3:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Pining For the Fjords: The Role of RBAC in Today's Applications

Is role-based access control (RBAC) really dead? It has a few snipers lined up to take it out, but it's still a fixture in legacy applications, and the need to abstract and organize permissions isn't going away. The move to third-party application services is both creating a topological crisis for the enterprise and driving its further abstraction as an organization: when there is no more "central control" of an application infrastructure, how are roles supposed to maintain security? This talk describes current issues with RBAC and explores options for the future, including multi-contextual roles and identities, provider-centric roles, and role risk assessment. We promise not to call it RBAC 2.0.


Speakers
avatar for Wendy Nather

Wendy Nather

Research Director, Enterprise Security Practice, 451 Research
Wendy Nather is Research Director, Security, within 451 Research's Enterprise Security Program, providing analysis on the current state of security from the perspective of a veteran CISO. Wendy's primary areas of coverage are on application security and security services. Wendy joined 451 Research after five years building and managing all aspects of the IT security program at the Texas Education Agency, which serves 4.6 million Texas students... Read More →


Friday October 26, 2012 4:00pm - 4:45pm
Checkmarx Room - Hill Country A Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Counterintelligence Attack Theory

This presentation is centered on a new theory of attack prevention known as the Counterintelligence Attack Theory. The NSA has developed and published an approach to cyber security known as Defense In Depth. It is a practical strategy for achieving Information Assurance in today’s highly networked environments, yet it is used as more of a catch phase than a realistic approach. Best practices and defense simply cannot prevent the attacks which have not been predefined or previously observed.

The Defense In Depth stratagem will be reviewed and the procedure of Counterintelligence Attack Theory is presented as the missing element. The presentation concludes that Cyber Intelligence Analysts are missing from corporate organizations and are needed to develop the ability to understand cyber-attacks through a more holistic approach.

Further Info:
Public entities and private corporations incur considerable expenditures to prevent, mitigate, or remediate cyber-attacks. The current strategy employed is known as Defense In Depth. This is a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations. Unfortunately, the techniques that are used today are mostly based on deploying software and hardware technologies that provide an ability to restrict known attacks (or the proverbial low-hanging-fruit) and are at best reactive in nature.

Best practices simply cannot prevent the attacks which have not been predefined or previously observed. This talk will present a new theory on attack prevention known as the Counterintelligence Attack Theory. It is not from a military perspective and is meant to address those with corporate responsibility for cyber security. Without addressing the legal framework or possible complications of a covert cyber action, this theory is designed to be an additional method of collection for the cyber intelligence analyst.


Speakers
avatar for Fred Donovan

Fred Donovan

Fred is a Professor and an application security researcher.


Friday October 26, 2012 4:00pm - 4:45pm
Gemalto Room - Hill Country C Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Top Strategies to Capture Security Intelligence for Applications

Security professionals have years of experience logging and tracking network security events to identify unauthorized or malicious activity on a corporate network. Unfortunately, many of today's attacks are focused on the application layer, where the fidelity of logging for security events is less robust. Most application logs are typically used to see errors and failures and the internal state of the system, not events that might be interesting from a security perspective. Security practitioners are concerned with understanding patterns of user behavior and, in the event of an attack, being able to see an entire user’s session. How are application events different from network events? What type of information should security practitioners ensure software developers log for event analysis? What are the types of technologies that enable application-level logging and analysis? In this presentation, John Dickson will discuss what should be present in application logs to help understand threats and attacks, and better guard against them.


Speakers
avatar for John Dickson

John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at... Read More →


Friday October 26, 2012 4:00pm - 4:45pm
Gluu Room - Foothills II (17th Floor) Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Four Axes of Evil

Abstract: This presentation focuses on large-scale internet vulnerability research from four unique perspectives, identifying patterns and exposing security issues that are difficult to identify using traditional approaches.


Speakers
HM

HD Moore

CSO, Rapid7
HD is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development.


Friday October 26, 2012 4:00pm - 4:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

4:00pm

Security at Scale

Application Security is a tough challenge in any organization, but working in open source projects has some distinct challenges. Working on AppSec in an open source project that has several hundred employees, thousands of contributors, and hundreds of millions of users has a whole other set of challenges.

In this session I will cover off how the Mozilla Security Assurance team addresses application security for client applications, web applications and services, and introduce two tools that we have developed to help scale our security program.


Speakers
YB

Yvan Boily Minion

Application Security Manager, Mozilla
Yvan Boily is an Application Security Manager with Mozilla Corporation, and prior to that has a background in security with Finance and Government.  Yvan Boily has previously launched an OWASP chapter in Winnipeg and currently leads the OWASP Vancouver chapter.


Friday October 26, 2012 4:00pm - 4:45pm
NTObjectives Room - Texas Ballroom II Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

5:00pm

Closing Remarks and Prizes

Closing remarks about the conference and announcing AppSecUSA 2013.  This will be done in an unconference style where there is an open mic to talk about what we have learned.


Friday October 26, 2012 5:00pm - 5:45pm
Texas Ballroom Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704