2012 BASC Presentations - Revision history

Tom Conner at 17:50, 15 October 2012

2012-10-15T17:50:32Z

Tom Conner at 17:41, 15 October 2012

2012-10-15T17:41:21Z

Tom Conner at 22:19, 11 October 2012

2012-10-11T22:19:16Z

Tom Conner at 21:20, 9 October 2012

2012-10-09T21:20:31Z

Tom Conner at 11:00, 9 October 2012

2012-10-09T11:00:41Z

Tom Conner at 14:53, 8 October 2012

2012-10-08T14:53:50Z

Tom Conner at 19:54, 6 October 2012

2012-10-06T19:54:10Z

Tom Conner at 14:07, 5 October 2012

2012-10-05T14:07:45Z

Tom Conner at 14:07, 5 October 2012

2012-10-05T14:07:09Z

Tom Conner at 13:29, 5 October 2012

2012-10-05T13:29:08Z

@@ Line 119: / Line 119: @@
 ## Blackbox server issues
-{{2012_BASC:Presentaton_Info_Template|Streamlining Application Vulnerability Management: Communication Between Development and Security Teams|Brian Mather| | | }}
+{{2012_BASC:Presentaton_Info_3|Streamlining Application Vulnerability Management: Communication Between Development and Security Teams|Brian Mather|DenimGroup_Streamlining_Application_Vulnerability_Management.pdf}}
 Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

@@ Line 89: / Line 89: @@
 According to my research, I coined the term "offensive mobile forensics". By definition, this activity is the preemptive analysis of mobile devices and applications to quantitatively measure your organization's level of risk caused by the proliferation and use of today's mobile technology. Anyone that has performed research in this area knows mobile devices are potential trojan horses for virtually every organization. This talk arms attendees with the information and tools required to conductoffensive mobile forensics in their own environments.
-{{2012_BASC:Presentaton_Info_Template|Pitfalls of Secure SDLC and How to Succeed With Automation|Rohit Sethi & Ehsan Foroughi| | | }}
+{{2012_BASC:Presentaton_Info_3|Pitfalls of Secure SDLC and How to Succeed With Automation|Rohit Sethi & Ehsan Foroughi|2012_BASC_Succeeding_with_Automation.pptx}}
 People have been talking about secure Software Development Life Cycles (SDLCs) for years, but there has been little traction in scaling secure SDLC activities outside of a few very security-conscious companies. We assert that a key reason for this is that to scale, these processes require automation. Static analysis, web application firewalls, and dynamic testing are the primary methods many organizations use to secure their applications because these tools can scale effectively. However, there is widespread acknowledgement that relying solely on verification activities for security is neither cost effective nor holistic. In fact, a 2012 study by SD Elements (to be published) indicates that on average 42% of security requirements are NOT covered by automated static and/or dynamic testing tools. To efficiently scale secure SDLC, we emphasize on process automation via criteria-based requirement generation, contextual on-the-job training for developers, and smart checklists. Our data indicates a significant savings for the organization on remediation costs. This talk discusses the process automation in detail and demonstrates how it effectively scales to large development teams.
@@ Line 96: / Line 96: @@
 This talk discusses the pros and cons of the current practices such as salted-hashes, adaptive hashes and proposes an alternative solution for strengthening these existing practices.  The talk will discuss the cryptographic properties of the current practices, but does not require a PhD in mathematics to understand the details.
 {{2012_BASC:Presentaton_Info_Template|Securing Mobile Apps - Threat Modeling, Whitebox, Blackbox testing|Greg Wolford| | | }}

@@ Line 122: / Line 122: @@
 ## Blackbox server issues
-{{2012_BASC:Presentaton_Info_Template|Streamlining Application Vulnerability Management: Communication Between Development and Security Teams|John Dickson| | | }}
+{{2012_BASC:Presentaton_Info_Template|Streamlining Application Vulnerability Management: Communication Between Development and Security Teams|Brian Mather| | | }}
 Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

@@ Line 9: / Line 9: @@
 {{2012_BASC:Presentaton_Info_Template|CTF|Ming Chow| | | }}
-Attendees will be able to play Capture the Flag during the conference. No sign-up necessary. Information about the game will be available at the registration desk. If you are interested in playing, please bring your own laptop. It is recommended that your laptop has either Chrome or Firefox web browsers installed. Please note that you will not be attacking other attendees; the CTF game will be on a remote server.
+Attendees will be able to play Capture the Flag during the conference. No sign-up necessary. Information about the game will be available at the registration desk. If you are interested in playing, please bring your own laptop. It is recommended that your laptop have either Chrome or Firefox web browsers installed. Please note that you will not be attacking other attendees; the CTF game will be on a remote server.  You will use a NERD wireless connection to the internet, then to the server to be attacked. There are 10 flags on the server.
 {{2012_BASC:Presentaton_Info_Template|Fuzzing and You:  How to Automate Whitebox Testing|Michael Anderson| | | }}

@@ Line 7: / Line 7: @@
 {{2012_BASC:Presentaton_Info_Template|An Insider's Look: WAF and Identity and Access Management Integration|Barracuda Networks| | | }}
 Data center security teams are being challenged to rapidly deploy and secure new applications while controlling costs and improving efficiency. In this presentation, we will provide an inside look at some of the problems with traditional access management implementations and how enterprises can sucessfully overcome these challenges by integrating web application firewall technologies with Identity and Access Management. Learn about best practices, specific use cases and how this new integration translates into operational simplicity for the enterprise.
 {{2012_BASC:Presentaton_Info_Template|Fuzzing and You:  How to Automate Whitebox Testing|Michael Anderson| | | }}

@@ Line 12: / Line 12: @@
 {{2012_BASC:Presentaton_Info_Template|Hiding Inside the "Real-Time Web" (to Take-Over the DMZ)|Matt Wood| | | }}
-"Increasingly ""real-time"" web applications require new hacks on-top of
+Increasingly "real-time" web applications require new hacks on-top of
 HTTP that requires server support (e.g. WebSockets, SPDY); this
 presentation will demonstrate how this new functionality permits
@@ Line 24: / Line 24: @@
 bidirectional TCP connections given vulnerabilities in web
 applications, even in the presence of restrictive DMZ firewalls; this
-is a ""well-known"" attacker methodology. Attackers have for many years
+is a "well-known" attacker methodology. Attackers have for many years
 known to abuse the trusted relationship between web servers (or any
 exposed service!) and perimeter firewalls (inbound ports). Generally
@@ Line 33: / Line 33: @@
 rules, the history of these methodologies, and common defensive
 techniques combating this threat. Furthermore, new techniques will be
-described that utilize ""real-time"" protocols; specifically, how can
+described that utilize "real-time" protocols; specifically, how can
 these new techniques create back-channels and simultaneously hide from
 those vigilant security teams, increase the throughput and reliability
-of an attacker’s ""VPN"", and arbitrarily direct traffic from the
+of an attacker’s "VPN", and arbitrarily direct traffic from the
-internet into a DMZ environment."
+internet into a DMZ environment.
 {{2012_BASC:Presentaton_Info_Template|Metasploit Fundamental Elements - Course 1|Roy Wattanasin| | | }}

← Older revision		Revision as of 19:54, 6 October 2012
Line 120:		Line 120:
	Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.		Identifying application-level vulnerabilities via scanning, penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams. The process also means that security managers need to get time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities. This presentation will illustrate the communication difficulties between security and development teams, and how this usually results in unactionable reports and fewer vulnerabilities remediated. In addition, the presentation will walk through an example workflow of addressing application vulnerabilities as software defects. This will be based on freely-available tools and show specific examples of how vulnerabilities can be grouped together, false positives can be culled out, and vulnerabilities transitioned to software defects, as well as how security managers can monitor and verify progress.

		+	{{2012_BASC:Presentaton_Info_Template\|Top Ten Web Defenses\|Jim Manico\| \| \| }}
		+	We cannot “firewall” or “patch” our way to secure websites. In the
		+	past, security professionals thought firewalls, Secure Sockets Layer
		+	(SSL), patching, and privacy policies were enough. Today, however,
		+	these methods are outdated and ineffective, as attacks on prominent,
		+	well-protected websites are occurring every day. Organizations around
		+	the world rely on highly accurate, scalable and continuous Web
		+	security services to maintain the safety of their websites in today’s
		+	hostile online environment. Website developers must also learn to code
		+	in a secure fashion to have any chance of providing organizations with
		+	proper defenses in the current threat-scape. The session will provide
		+	specific tips and guidelines to make website code both low risk and
		+	less vulnerable.

	{{2012_BASC:Presentaton_Info_Template\|Worst practices: How to waste 100% of your security budget\|Rob Cheyne\| \| \| }}		{{2012_BASC:Presentaton_Info_Template\|Worst practices: How to waste 100% of your security budget\|Rob Cheyne\| \| \| }}

@@ Line 70: / Line 70: @@
 E. VMWare Workstation<br/>
 F. Windows XP (unpatched) virtual machine
 {{2012_BASC:Presentaton_Info_Template|Offensive Mobile Forensics|Joey Peloquin| | | }}