Behavioral Security Modeling (BSM), first presented at AppSec USA 2011 in Minneapolis, was conceived as a way of modeling interactions between information and people in terms of socially defined roles and the expected behaviors of the system being designed. By reducing the difference between the expected system behaviors and the actual system behaviors, we can manage the vulnerabilities that are inevitably introduced when the expected and actual system behaviors are out of alignment. BSM asserts that robust, secure information systems are best achieved through carefully modeling human/information interactions in social terms.
Modeling human/information interactions starts with requirements gathering. While traditional security requirements describe how to "keep the bad guys from messing with our stuff," BSM functional requirements seek to define "what the good guys are allowed to do." To address this gap, we have developed a practical, SDLC agnostic method for gathering functional security requirements by defining limits on interactions through a series of questions to identify and clarify constraints, as well as uncover hidden constraints. We will discuss the development of the methodology and demonstrate its use, as described in our white paper, including early experiences implementing the approach.
We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
The best security is contextual to each organization, application and feature. Real-world tradeoffs will be discussed in detail for each "control" and "control category" discussed.
Secure Code Review: Magic or Art? A Simplified Approach to Secure Code Review. Secure code review is one of the best ways to uncover vulnerabilities and reduce risk of online web applications being breached. However, secure code review has always been challenged as being skill and tools intensive. But what if this could be simplified so developers on your team could perform it? What if this could be achieved with minimal impact on deadlines? This presentation will delve into the science and process behind secure code review and will continue to discuss a simplified approach to secure code review: a simplified process to follow, free tools to use and some of the pitfalls to avoid.
One of the most vital pieces of a secure SDLC is security training – not only for developers, but for Architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary.
This talk starts by making a strong argument for developer education, and how it fits into any organization’s SDLC. Training will be put into the context of NIST’s “Security considerations in System Development Life Cycle” Document, Microsoft’s Simplified SDL, BSIMM3 and OWASP Open SAMM.
From there, we discuss other OWASP resources and projects dedicated to developer education, and an in-depth discussion of OWASP WebGoat.NET – an ASP.NET specific re-design of OWASP which meets the needs and addresses the challenges of modern application security training programs.
Lecture will be delivered by Jerry Hoff, VP of Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP Appsec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer, author, and has over 10,000 hours delivering technical training. Jerry holds a Masters degree in Computer Science from Washington University in St. Louis.
Key Points:
- Developers need a better way to be education in AppSec
- Equip participants with the tools and evidence they need make an irrefutable case for developer security training
- Analysis of tools/docuemnts/videos that OWASP provides for training
- Introduction of WebGoat.NET: OWASP’s latest tool to help education developers
- Interactive demonstration of WebGoat.NET with full audience participation
Moderator: Jeremiah Grossman
Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a completely new approach - analyzing code execution, memory and data in runtime, allowing for accurate inspection of the application. We will discuss IAST technology (introduced into the 2011 Hype Cycle) compared with DAST/SAST, and the benefits it provides.
The goal of the talk is to examine and discuss technological concepts rather than specific products or solutions, and includes a technical drill-down into the technology specifics. The talk will begin by presenting the standard IAST building blocks and their benefits, and continue by showing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more…
Information disclosure has always been a boon to hackers.
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
What is that useful for?
Consider the methods that are required to detect the following complex exposures:
SQL Injection attacks that affects different pages in the application via database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
Sounds confusing?
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user interference?
"Diviner" - a new OWASP ZAP extension, can be used to locate leads for direct and indirect attacks scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts.
In this talk jOHN takes apart password protection scheme analyzing the attack resistance of hashes, hmacs, adaptive hashes (such as script), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. Discussion of the primitives will be from a critical perspective modeled as an iterative secure design session.
Ultimately, this session presents the solution and code donated as part of the on-going OWASP PSM (password storage module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production JavaEE code to customers.
This presentation will focus on new and interesting approaches to web application security problems posed by a continuous deployment environment. Specifically, this presentation will cover useful security systems such as automatic vulnerability and application fault detection, effective platform defenses for XSS/SQLi, practical security alerting mechanisms, and visualizations of security related data. This talk demonstrates how to create these systems using free tools that improve security posture without commercial security products.
Most people are disturbed when they witness just how much of their personal information is accessible the very moment they visit a website. Then, if you give that [malicious] website just one mouse-click --- out goes even more personally identifiable data. We’re talking about full names, where you live, the town where you grew up and went to school, martial status, list of friends, sites you are logged-in to, the software you use complete with version numbers, and in some cases, your browser’s auto-complete data and history of other sites you’ve visited. All of this is performed using nothing but HTML and JavaScript. No need for memory corrupting exploits that escape the confines of the browser walls.
Through a demo-driven presentation, the audience will see first-hand how and why all these attacks are possible, even in the presence of browser silent updates and the latest security improvements such as sandboxes, anti-phishing protections, and the availability of Content Security Policy, X-Frame-Options, Origin, Strict Transport Security, SSL, etc. And just so everyone is crystal clear, firewalls don’t help and neither does anti-virus software. The reason why none of this works is that these web attacks take advantage of flaws in the way the Web was designed to work! Adding insult to injury most of the techniques on display are NOT technically “new,” and this talk will cleverly wire these issues together to make a point, and tell a story. It is the story of Why Web Security Is Fundamentally Broken.
Here’s the punchline: The only known ways to fix these issues adequately is to “break the Web” -- i.e. negatively impact the usability of a significant percentage of websites. Doing so directly conflicts with business interests of the current browser vendors who are looking to grow market share and advertising revenue. Their choice is simple, be less secure and more adopted, rather than secure and obscure. This is the Web security trade-off that’s being made for us.
I created what became known as the browser "Same-Origin Policy" (SOP) under duress for Netscape 2, 3, and 4 in the mid-nineties.SOP was intended to preserve the integrity of a user/website session against interference from untrusted other sites. As the web evolved, SOP split from a single precise policy into several variations on a theme, but it remains the default browser content security policy framework. I will review SOP's vulnerabilities and its "patches" that were intended to mitigate those avenues of attack. I will close by suggesting an extension to SOP that labels scripts loaded cross-site with origins that are distinguishable from (yet related to) the origin of the including web page or application.
Builders vs. Breakers is a fast paced highly interactive game show debate style talk. Each topic starts with a short introduction pitting the Builder vs. the Breaker. It is then opened up for audience participation. After taking views from the audience, the audience votes on a winner. Whichever side wins the debate is rewarded and the contest moves on to the next topic.
Our builder is a veteran software developer building security tools for developers. Our breaker is a seasoned pen tester with product management and research experience. Our game show host keeps the discussion moving smoothly ... and has been known to occasionally express the business perspective.
Questions for debate will be posted/gathered on google docs for preview and participation. Building on our fun experiences at DC20 SkyTalks and BSidesChicago 2011/2012 this talk is aimed at getting the audience involved and ultimately thinking about contributing to the broader community.
HTTP is being used to transport new request formats such as those from mobile apps, REST, JSON, AMF and GWTk, but few security teams have updated their testing procedures. All of these new formats are potential new playgrounds for attackers and pen testers. You just need to know how to play. In this talk, Dan Kuykendall will demonstrate the process of breaking down these new formats and where to attack them on various vulnerable applications. Most of the attacks are the familiar classics like SQL and Command injection applied in modern applications. Attendees will learn to leverage their existing pen testing skills and techniques and apply them to these new formats.
Dan Kuykendall, Co-CEO & CTO of NT OBJECTives, discusses emerging application security threats in the latest technologies.
DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it’s poorly understood.
This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.
The web has a Confused Deputy problem at the heart of many of our hardest security challenges. Tricking a browser or site into using latent credentials and authentication information for other parties and sites is the game and XSS is how it's played. With CSP, sandboxed iframes, and the next version of Chrome Apps, Google is tackling these the challenges for app authors head-on, making it easier than not to build secure apps and removing the potential for confusion by removing ambient authority itself. This talk explores why, how, and when we might finally improve the baseline security level of new apps.
We present our work of using interactive static analysis to improve upon static analysis techniques by introducing a new mixed-initiative paradigm for interacting with developers to aid in the detection and prevention of security vulnerabilities. The key difference between our approach and standard static analysis is interaction with the developers. Specifically, our approach is predicated on the following principles:
• Secure programming support should be targeted towards general developers who understand the application logic, but may have limited knowledge of secure programming;
• Secure programming support should be provided while the code is being developed, integrated into the development tools;
• Secure programming support should reduce the workload in detecting and resolving vulnerabilities; and
• Developers should be able to provide feedback about the application context that can drive customized security analysis.
We have performed evaluations of our approach using an active open source project, Apache Roller. Our results shows that interactive data flow analysis can potential reduce the effort of finding and fixing vulnerabilities by as much as 50%. Using interactive control flow analysis, we found cross request forgery vulnerabilities in current Roller release. The Roller team issued patches based on our report (CVE-2012-2380). We have also performed user studies, both for students and for professional developers with promising results. For example, preliminary data suggests that using ASIDE students, who do not have secure programming training, can write much more secure code.
Abstract: This presentation focuses on large-scale internet vulnerability research from four unique perspectives, identifying patterns and exposing security issues that are difficult to identify using traditional approaches.
Application Security is a tough challenge in any organization, but working in open source projects has some distinct challenges. Working on AppSec in an open source project that has several hundred employees, thousands of contributors, and hundreds of millions of users has a whole other set of challenges.
In this session I will cover off how the Mozilla Security Assurance team addresses application security for client applications, web applications and services, and introduce two tools that we have developed to help scale our security program.