Conference agenda, 26th of October

As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples! Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!

REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective.
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.

The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering. In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, . Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set. For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks.

As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.

Conference agenda, 26th of October

In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments. Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool.

In this talk, I will highlight the way iOS sandboxing works and steps we undertook in reversing binary blobs. We then analyzed reversed human-readable sandbox profiles and found misconfigurations in the profiles that allowed crippling the system from a valid app. We let Apple know of our findings, now published as CVEs.

This presentation is meant to be an introduction into a number of ex-filtration techniques that are out there, used by malicious attackers. It should be a view into the attackers toolset for developers and how they can counteract the issues attackers use to get data out of their applications, or how system administrators can guard their network against egress data leakage.

The solution that I am going to present brings the tools available in a SOC to the user level, at the endpoint. It combines some of the best practices in security (like backup and DLP) with SOAR solutions and LRA in order to prevent loss of data and ensure rapid automated reaction to cybersecurity incidents.

In our use case we studied the possible benefits and challenges of integrating SAST and DAST tools into the existing toolchain (application lifecycle manager, IDE, source code management tool and continuous integration pipeline) for developing, deploying and testing a Java web application.
Implementing DevSecOps brings a lot of value to organizations, it also comes with some challenges, like integrating more agile security methods and properly training users for using these advanced tools. Last but not least, we also need to take into consideration that any security functionality not automated in the available tools will result in creating friction in the cycle.

Workshop

Moreover we will write an example ZAP orchestration script to better test specific parts of the example application.
Last, we will create Docker containers of two static code analysis scripts so that we can easily integrate them into the CI pipeline.
We will go through:

• Configuring Concourse CI to work with ZAP.
• Configuring the testing harness to work with ZAP
• Writing orchestration scripts to better test specific part of the application.
• Package extra tooling so that we better test the committed codebase

At the end of the workshop the attendees will have example configuration files, orchestration scripts, rules and Dockerfiles for all tools used.
Intended audience: security engineers, developers, pentesters
Skill level: beginner - intermediate
Requirements: a laptop with Virtual Box installed
Seats available: 20 (first-come, first served)
Price: free
Register here

In this workshop, we discuss some of the design patterns that have come to the fore and reflect on the road ahead. What standard updates can we expect? Should we be compiling best practices? If so, what do they contain?
Here are some candidate topics for an in-depth discussion:

• a format for OAuth access tokens
• principle of least privilege: what does this mean for security tokens?
• how are permissions represented?
• how are users granted permissions?
• how are permissions communicated to resource servers?
• security token Time To Live
• access token claims

Intended audience: developers, security professionals
Skill level: intermediate
Requirements: for optimal benefit, participants should have a good knowledge of the OAuth and OIDC frameworks
Seats available: 20 (first-come, first served)
Price: free
Register here

Training

This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one.
This training starts with the basic web app hacking and then moves into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack.
This training covers both offensive and defensive approach towards web applications. Firstly, the training would cover how to use certain attack on a web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code, so that the attack would not have happened. It covers various mistakes made by developers who wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. Also, the training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc.
Training will teach attendees how to gain shell on the box and how to chain multiple attacks to pwn the entire infrastructure. Training follows Capture The Flag (CTF) approach to attack web applications and compromise the machines.
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Day 1:

• Introduction
• Spidering Web Applications and analyzing results
• Fuzzing
• Input Validation
• User Enumeration
• Bypassing Password Verification
• Information Leakage
• HTTP Verb Tampering
• Injection - HTML, iFrame, LDAP, CSS, JSON
• Advanced Cross Site Scripting (XSS) - XSS to system compromise
• Advanced client side exploitation with BeEF
• Extending Burp Proxy
• Clickjacking
• Insecure direct object reference (IDOR) and Open Redirects
• Server Side Request Forgery (SSRF)
• Server Side Includes Injection (SSI Injection)
• JavaScript Validation Bypass
• Advanced SQL Injection - SQL Injection to system compromise
• JSON Hijacking
• Session Management and Cookie Stealing
• HTML5

Day 2:

• Advanced XML Attacks
• JSON Web Token
• API Attacks
• Insecure System/Service configuration - FTP, NTP, VNC, SNMP, WebDav, Samba etc.
• Database Security - MySql, SQL Server, MongoDB etc.
• Remote Command Injection
• Local File Inclusion (LFI) and Remote File Inclusion (RFI)
• RCE via serialization/deserialization
• Serialization Attacks
• HTTP Response Splitting
• SSL Strip attack
• CMS Attacks and Defenses - Wordpress, Drupal, Joomla
• Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
• Logical Flaws
• Detection of Web Application Firewall and Load Balancers
• Filter Evasion and Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall
• OWASP Top 10 Attacks
• OWASP Secure Coding Practices
• and more ...

Intended audience: software developers, security people with some programming experience
This course requires following pre-requisites:

• Basic knowledge on HTTP, HTML
• Basic Web Application Penetration Skills
• Reading and understanding of PHP

Seats available: 20 (first-come, first served)
Price: 650 Euro / person
Register here