2016 BASC Presentations - Revision history

Tom Conner at 02:51, 30 September 2016

2016-09-30T02:51:17Z

Tom Conner at 02:50, 30 September 2016

2016-09-30T02:50:19Z

Tom Conner at 14:23, 29 September 2016

2016-09-29T14:23:59Z

Tom Conner at 03:53, 29 September 2016

2016-09-29T03:53:17Z

Tom Conner at 17:53, 16 September 2016

2016-09-16T17:53:17Z

Tom Conner at 17:49, 16 September 2016

2016-09-16T17:49:35Z

Tom Conner at 17:48, 16 September 2016

2016-09-16T17:48:35Z

Tom Conner at 03:27, 15 September 2016

2016-09-15T03:27:50Z

Tom Conner at 02:56, 15 September 2016

2016-09-15T02:56:00Z

Tom Conner at 02:53, 15 September 2016

2016-09-15T02:53:48Z

@@ Line 42: / Line 42: @@
 In this talk I look at XML Injection, what it is and cover a few basic examples. I then move onto a few real life examples of this vulnerability that I have exploited in the wild on real life Application Security assessments. I also will cover remediation and code review strategies to prevent the issues.
-{{2016_BASC:Presentaton_Info_Template|Future of Information Security and IoT Panel|Matt Morency|Mark Arnold, Rob Cheyne, Roy Wattanasin, Guest| | }}
+{{2016_BASC:Presentaton_Info_Template|Future of Information Security and IoT Panel|Mark Arnold, Rob Cheyne, Roy Wattanasin, Guest| | | }}
 Join these panelists and bring your questions and get different perspectives as they talk about the future of information security and the Internet Of Things (IoT).

@@ Line 41: / Line 41: @@
 In this talk I look at XML Injection, what it is and cover a few basic examples. I then move onto a few real life examples of this vulnerability that I have exploited in the wild on real life Application Security assessments. I also will cover remediation and code review strategies to prevent the issues.
 {{2016_BASC:Presentaton_Info_Template|Hacking with the Gibson, A Hacker Musical|Matt Morency| | | }}
@@ Line 51: / Line 54: @@
 * What you should be worried about in the assessment report and plans for remediation
 * Current practices among vendors
 {{2016_BASC:Presentaton_Info_Template|Penetrating Android Applications|Roshan Thomas and Anurag Dwivedy| | | }}

@@ Line 73: / Line 73: @@
 The presentation would cover the basic threat model for android applications and would provide a quick guide to perform penetration tests on android applications detailing how we can intercept android traffic and decompile the application package.
-{{2016_BASC:Presentaton_Info_Template|State of Software Product Security|Bill Campbell| | | }}
+{{2016_BASC:Presentaton_Info_Template|Software Product Security: A Way Forward|Bill Campbell| | | }}
 Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.

← Older revision		Revision as of 03:53, 29 September 2016
Line 72:		Line 72:

	The presentation would cover the basic threat model for android applications and would provide a quick guide to perform penetration tests on android applications detailing how we can intercept android traffic and decompile the application package.		The presentation would cover the basic threat model for android applications and would provide a quick guide to perform penetration tests on android applications detailing how we can intercept android traffic and decompile the application package.
		+
		+	{{2016_BASC:Presentaton_Info_Template\|State of Software Product Security\|Bill Campbell\| \| \| }}
		+	Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.

	{{2016_BASC:Presentaton_Info_Template\|Vulnerability Management – Turning Chaos into Order\|Tania Ward and Kristen Pascale\| \| \| }}		{{2016_BASC:Presentaton_Info_Template\|Vulnerability Management – Turning Chaos into Order\|Tania Ward and Kristen Pascale\| \| \| }}

@@ Line 32: / Line 32: @@
 SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives.  To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).”  In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
-{{2016_BASC:Presentaton_Info_Template|Docker anti-pasterns, from confusion to enlightenment|Erik Dasque| | | }}
+{{2016_BASC:Presentaton_Info_Template|Docker Anti-Patterns, from Confusion to Enlightenment|Erik Dasque| | | }}
 Follow me through my discovery of Docker anti-patterns, stemming from a core misunderstanding of containerization. Understand my mistakes as they could be your own and figure out what the right and true solutions are.

@@ Line 26: / Line 26: @@
 Tools: things you can add to enhance the program's organizational visibility
-{{2016_BASC:Presentaton_Info_Template|The Code You Never See- Vulnerabilities From 3rd party Marketing Javascript|Jim Weiler| | | }}
+{{2016_BASC:Presentaton_Info_Template|The Code You Never See - Vulnerabilities From 3rd party Marketing Javascript|Jim Weiler| | | }}
 Virtually every site has some marketing javascript (aka tags) running on it to allow the analysis of user actions or to present the user with a customized page. Most commonly this javascript is delivered to the users browser directly from the 3rd party. What that means is the javascript never goes thru any of your security controls; no design review, no code review, no web application firewall. We will explain the tools and ecosystem used to create and deliver this javascript, show how they have caused actual Cross Site Scripting vulnerabilities in various well known sites, discuss some possible technical controls and present a simple page javascript architecture that prevents this XSS and is actually faster and is recommended by tag management services.

@@ Line 73: / Line 73: @@
 The presentation would cover the basic threat model for android applications and would provide a quick guide to perform penetration tests on android applications detailing how we can intercept android traffic and decompile the application package.
-{{2016_BASC:Presentaton_Info_Template|Vulnerability Management – Turning chaos into order|Tania Ward and Kristen Pascale| | | }}
+{{2016_BASC:Presentaton_Info_Template|Vulnerability Management – Turning Chaos into Order|Tania Ward and Kristen Pascale| | | }}
 EMC handles vulnerability management for over 70+ products. As volume of intake increases year by year, EMC Product Security Response Center had to take a systematic, proactive approach to guide the product units at all levels to work seamlessly in managing and responding to these vulnerabilities. We will share the chaos that we faced and discuss how order was restored to our command center.
 {{2016_BASC:Footer_Template | Presentations}}

@@ Line 69: / Line 69: @@
 Integrated Wellness Group is dedicated to improving professional well-being by providing Employee Assistance Program (EAP) services to those in need. Services include wellness assessments, counseling, coaching, and referrals for additional services and follow-up visits.  IWG will conduct interactive assessments that cover information from personal stress to substance abuse. Through the EAP, employers will see improved productivity, reduced workplace absenteeism, as well as reduced healthcare costs associated with stress, depression, and other mental health issues. Our proposed services are integrated in a way that ensures coherent and comprehensive solutions to problems assessed at first point of contact.
-{{2016_BASC:Presentaton_Info_Template|Penetrating Android Applications|Roshan Thomas| | | }}
+{{2016_BASC:Presentaton_Info_Template|Penetrating Android Applications|Roshan Thomas and Anurag Dwivedy| | | }}
 Being the Operating System with the largest user-base, the threat landscape for Android applications cannot often be ignored. While Android OS is being used in a wide variety of devices from smart watches to TVs, a large chunk of its user-base is concentrated to mobile phones. Popular services which were offered over web are also trying constantly to adapt themselves for the mobile environment. This raises a few important questions to Information Security enthusiasts.