This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "AppSecUSA 2012.com"
From OWASP
(→Get off your AMF and don’t REST on JSON) |
(→Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements) |
||
| (48 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
*AppSecUSA Presentations and Talks | *AppSecUSA Presentations and Talks | ||
| + | |||
| + | |||
== Thursday 25th Oct == | == Thursday 25th Oct == | ||
| − | === 10:00 am - 10:45 am | + | === <span style="color:#006699;">10:00 am - 10:45 am (Thursday) </span>=== |
| − | ---- | + | ---- |
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| − | ==== Building Predictable Systems using Behavioral Security Modeling: | + | ! scope="col" align="left" width="100%" | |
| − | + | ==== Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements ==== | |
| + | |||
| + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px; width:100%;" >'''John Benninghoff''' | Developer | [https://www.owasp.org/images/7/7f/Building_Predictable_Systems.pdf Building Predictable Systems using Behavioral Security Modeling - PDF] </span> | ||
| + | |- | ||
| + | ! scope="col" align="left" width="100%" | | ||
==== Top Ten Web Defenses ==== | ==== Top Ten Web Defenses ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jim Manico''' | Mobile | [https://www.owasp.org/images/0/08/Top_10_Defenses_for_Website_Security.pdf Top 10 Defenses for Website Security - PDF] </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Mobile Applications & Proxy Shenanigans ==== | ==== Mobile Applications & Proxy Shenanigans ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Dan Amodio''' | Mobile | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Reverse Engineering “Secure” HTTP APIs With An SSL Proxy ==== | ==== Reverse Engineering “Secure” HTTP APIs With An SSL Proxy ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Alejandro Caceres''' | Reverse Engineering | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Gauntlt: Rugged by Example ==== | ==== Gauntlt: Rugged by Example ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jeremiah Shirk''' | Rugged devops | Presentation not available </span> | |
| + | |} | ||
| − | === 11:00 am - 11:45 am | + | === <span style="color:#006699;">11:00 am - 11:45 am (Thursday)</span> === |
---- | ---- | ||
| + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | ||
| + | ! scope="col" align="left" width="100%" | | ||
==== Building a Web Attacker Dashboard with ModSecurity and BeEF ==== | ==== Building a Web Attacker Dashboard with ModSecurity and BeEF ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Ryan Barnett''' | Attack | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Secure Code Reviews Magic or Art? A Simplified Approach to Secure Code Reviews ==== | ==== Secure Code Reviews Magic or Art? A Simplified Approach to Secure Code Reviews ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Sherif Koussa''' | Developer | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Cracking the Code of Mobile Application ==== | ==== Cracking the Code of Mobile Application ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Sreenarayan Ashokkumar''' | Mobile | [https://www.owasp.org/images/c/cd/Cracking_the_Mobile_Application_Code.pdf Cracking the Mobile Application Code - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Hacking .NET Application: Reverse Engineering 101 ==== | ==== Hacking .NET Application: Reverse Engineering 101 ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jon Mccoy''' | Reverse Engineering | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Doing the unstuck: How Rugged cultures drive Biz & AppSec Value ==== | ==== Doing the unstuck: How Rugged cultures drive Biz & AppSec Value ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Josh Corman''' | Rugged devops | [https://www.owasp.org/images/d/d5/Doing_the_Unstuck.pdf Doing the unstuck: How Rugged cultures drive Biz & AppSec Value - PDF]</span> | |
| + | |} | ||
| − | === 2:00 pm - 2:45 pm | + | === <span style="color:#006699;">2:00 pm - 2:45 pm (Thursday)</span> === |
---- | ---- | ||
| + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | ||
| + | ! scope="col" align="left" width="100%" | | ||
==== Hacking with WebSockets ==== | ==== Hacking with WebSockets ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Vaagn Toukharian''' | Attack | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Bug Bounty Programs ==== | ==== Bug Bounty Programs ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice''' | Developer | Presentation Not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== How we tear into that little green man ==== | ==== How we tear into that little green man ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Mathew Rowley''' | Mobile | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life ==== | ==== AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jerry Hoff''' | Developer | Presentation not available</span> | |
| + | |- | ||
| + | ! scope="col" align="left" width="100%" | | ||
| + | ==== Put your robots to work: security automation at Twitter ==== | ||
| + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Justin Collins, Neil Matatall, Alex Smolen''' | Rugged devops | Presentation Not available </span> | ||
| + | |} | ||
| − | ==== | + | === <span style="color:#006699;">3:00 pm - 3:45 pm (Thursday)</span> === |
| − | |||
| − | |||
| − | |||
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Exploiting Internal Network Vulns via the Browser using BeEF Bind ==== | ==== Exploiting Internal Network Vulns via the Browser using BeEF Bind ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Michele Orru''' | Attack | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension) ==== | ==== The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension) ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Shay Chen''' | Developer | [https://www.owasp.org/images/f/f5/The_Diviner_-_Digital_Clairvoyance_Breakthrough_-_Gaining_Access_to_the_Source_Code_%26_Server_Side_Memory_Structure_of_ANY_Application.pdf Gaining Access to the Source Code & Server Side Memory Structure of ANY Application - PDF]</span> | |
| + | |- | ||
| + | ! scope="col" align="left" width="100%" | | ||
==== Demystifying Security in the Cloud: AWS Scout ==== | ==== Demystifying Security in the Cloud: AWS Scout ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jonathan Chittenden''' | Cloud | [https://www.owasp.org/images/0/0f/Demystifying_Security_in_the_Cloud.pdf Demystifying Security in the Cloud - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST ==== | ==== I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Ofer Maor''' | Developer | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Rebooting (secure) software development with continuous deployment ==== | ==== Rebooting (secure) software development with continuous deployment ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Nick Galbreath''' | Rugged devops | Presentation not available</span> | |
| + | |} | ||
| − | === 4:00 pm - 4:45 pm | + | === <span style="color:#006699;">4:00 pm - 4:45 pm (Thursday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Cross Site Port Scanning ==== | ==== Cross Site Port Scanning ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Riyaz Walikar''' | Attack | [https://www.owasp.org/images/8/89/Poking_Servers_with_Facebook-Cross_Site_Port_Scanning.pdf Cross Site Port Scanning - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Analyzing and Fixing Password Protection Schemes ==== | ==== Analyzing and Fixing Password Protection Schemes ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''John Steven''' | Developer | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods ==== | ==== Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding Methods ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Arshan Dabirsiaghi, Alex Emsellem, Matthew Paisner''' | Attack | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== WTF - WAF Testing Framework ==== | ==== WTF - WAF Testing Framework ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Yaniv Azaria, Amichai Shulman''' | Architecture | [https://www.owasp.org/images/0/00/OWASP-2012-WTF.pdf WAF Testing Framework - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== DevOps Distilled: The DevOps Panel at AppSec USA ==== | ==== DevOps Distilled: The DevOps Panel at AppSec USA ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Josh Corman, Nick Galbreath, Gene Kim, David Mortman, James Wickett''' | Rugged devops | [https://www.owasp.org/images/9/90/Corman_AppSecUSA_2012_DevOpsPanel.pdf DevOps Distilled - PDF]</span> | |
| + | |} | ||
== Friday 26th Oct == | == Friday 26th Oct == | ||
| − | === 10:00 am - 10:45 am | + | === <span style="color:#006699;">10:00 am - 10:45 am (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Effective approaches to web application security ==== | ==== Effective approaches to web application security ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Zane Lackey''' | Developer | [https://www.owasp.org/images/b/b4/Effective_approaches_to_web_application_security.pdf Effective approaches to web application security - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Why Web Security Is Fundamentally Broken ==== | ==== Why Web Security Is Fundamentally Broken ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jeremiah Grossman''' | Developer | [https://www.owasp.org/images/9/90/Web_Security_Fundamentally_Broken.pdf Why Web Security Is Fundamentally Broken - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Payback on Web Attackers: Web Honeypots ==== | ==== Payback on Web Attackers: Web Honeypots ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Simon Roses Femerling''' | Architecture | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Spin the bottle: Coupling technology and SE for one awesome hack ==== | ==== Spin the bottle: Coupling technology and SE for one awesome hack ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''David Kennedy''' | Attack | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Incident Response: Security After Compromise ==== | ==== Incident Response: Security After Compromise ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Richard Bejtlich''' | Case Studies | Presentation not available</span> | |
| + | |} | ||
| − | === 11:00 am - 11:45 am | + | === <span style="color:#006699;">11:00 am - 11:45 am (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== The Same-Origin Saga ==== | ==== The Same-Origin Saga ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Brendan Eich''' | Developer | [https://www.owasp.org/images/a/a2/The_Same-Origin_Saga.pdf The Same-Origin Saga - PDF]</span> | |
| + | |- | ||
| + | ! scope="col" align="left" width="100%" | | ||
| + | ==== Hack your way to a degree: a new direction in teaching application security at universities ==== | ||
| + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Konstantinos Papapanagiotou''' | Developer | [https://www.owasp.org/images/9/9a/OWASP_Hackademic_AppSecUS2012_v1.pdf Hack your way to a degree - PDF]</span> | ||
| + | |- | ||
| + | ! scope="col" align="left" width="100%" | | ||
| − | |||
| − | |||
| − | |||
==== The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems ==== | ==== The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Dan Cornell, Josh Sokol''' | Architecture | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Blended Threats and JavaScript: A Plan for Permanent Network Compromise ==== | ==== Blended Threats and JavaScript: A Plan for Permanent Network Compromise ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Phil Purviance''' | Attack | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards ==== | ==== Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Juan Perez-Etchegoyen, Jordan Santarsieri''' | Case Studies | Presentation not available</span> | |
| + | |} | ||
| − | === 1:00 pm - 1:45 pm | + | === <span style="color:#006699;">1:00 pm - 1:45 pm (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Builders Vs. Breakers ==== | ==== Builders Vs. Breakers ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Brett Hardin, Matt Konda, Jon Rose''' | Developer | [https://www.owasp.org/images/8/83/OWASP_AppSec_2012-Builders-vs-Breakers.pdf Builders-vs-Breakers - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Real World Cloud Application Security ==== | ==== Real World Cloud Application Security ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jason Chan''' | Cloud | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== NoSQL, no security? ==== | ==== NoSQL, no security? ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Will Urbanski''' | Architecture | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== SQL Server Exploitation, Escalation, and Pilfering ==== | ==== SQL Server Exploitation, Escalation, and Pilfering ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Antti Rantasaari, Scott Sutherland''' | Attack | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Iran's real life cyberwar ==== | ==== Iran's real life cyberwar ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Phillip Hallam-Baker''' | Case Studies | [https://www.owasp.org/images/5/59/Iran%E2%80%99s_Real_Life_Cyberwar.pdf Iran’s Real Life Cyberwar - PDF]</span> | |
| + | |} | ||
| − | === 2:00 pm - 2:45 pm | + | === <span style="color:#006699;">2:00 pm - 2:45 pm (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Get off your AMF and don’t REST on JSON ==== | ==== Get off your AMF and don’t REST on JSON ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Dan Kuykendall''' | Developer | [https://www.owasp.org/images/2/20/Get_off_your_AMF_and_dont_REST_on_JSON-AppSecUSA2012.pdf Get off your AMF and don’t REST on JSON - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Unraveling Some of the Mysteries around DOM-Based XSS ==== | ==== Unraveling Some of the Mysteries around DOM-Based XSS ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Dave Wichers''' | Developer | [https://www.owasp.org/images/c/c5/Unraveling_some_Mysteries_around_DOM-based_XSS.pdf Unraveling some Mysteries around DOM-based XSS - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs ==== | ==== Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Tobias Gondrom''' | Architecture | [https://www.owasp.org/images/f/fe/OWASP_defending-MITMA_US_2012.pdf Securing the SSL channel against man-in-the-middle attacks - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== XSS & CSRF with HTML5 - Attack, Exploit and Defense ==== | ==== XSS & CSRF with HTML5 - Attack, Exploit and Defense ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Shreeraj Shah''' | Attack | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== The Application Security Ponzi Scheme: Stop paying for security failure ==== | ==== The Application Security Ponzi Scheme: Stop paying for security failure ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Jarret Raim, Matt Tesauro''' | Case Studies | Presentation not available</span> | |
| + | |} | ||
| − | === 3:00 pm - 3:45 pm | + | === <span style="color:#006699;">3:00 pm - 3:45 pm (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Using Interactive Static Analysis for Early Detection of Software Vulnerabilities ==== | ==== Using Interactive Static Analysis for Early Detection of Software Vulnerabilities ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Bill Chu''' | Developer | [https://www.owasp.org/images/4/46/Interactive_Static_Analysis.pdfInteractive Static Analysis for Early Detection of Software Vulnerabilities - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Origin(al) Sins ==== | ==== Origin(al) Sins ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Alex Russell''' | Developer | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== The 7 Qualities of Highly Secure Software ==== | ==== The 7 Qualities of Highly Secure Software ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Mano 'dash4rk' Paul''' | Architecture | [https://www.owasp.org/index.php/File:7_Qualities_of_Highly_Secure_Software.pdf 7 Qualities of Highly Secure Software - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Web Framework Vulnerabilities ==== | ==== Web Framework Vulnerabilities ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Abraham Kang''' | Attack | [https://www.owasp.org/images/d/db/WebFrameworkVulnerablilitiesAppSecUSA.pdf Web App Framework Based Vulnerabilies - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Web App Crypto - A Study in Failure ==== | ==== Web App Crypto - A Study in Failure ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Travis H''' | Case Studies | [https://www.owasp.org/images/2/2f/Web_app_crypto_20121026.pdf Web App Cryptology A Study in Failure - PDF]</span> | |
| + | |} | ||
| − | === 4:00 pm - 4:45 pm | + | === <span style="color:#006699;">4:00 pm - 4:45 pm (Friday)</span> === |
---- | ---- | ||
| − | + | {| cellpadding="5" cellspacing="0" style="background:#F2F5F7; border:1px solid #CCCCCC;" width="100%" | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Security at Scale ==== | ==== Security at Scale ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Yvan Boily''' | Developer | Presentation not available</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Four Axes of Evil ==== | ==== Four Axes of Evil ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''HD Moore''' | Developer | [https://www.owasp.org/images/6/6f/Four_Axes_of_Evil.pdf Four Axes of Evil - PDF]</span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Pining For the Fjords: The Role of RBAC in Today's Applications ==== | ==== Pining For the Fjords: The Role of RBAC in Today's Applications ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Wendy Nather''' | Architecture | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Counterintelligence Attack Theory ==== | ==== Counterintelligence Attack Theory ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''Fred Donovan''' | Attack | Presentation not available </span> | |
| − | + | |- | |
| + | ! scope="col" align="left" width="100%" | | ||
==== Top Strategies to Capture Security Intelligence for Applications ==== | ==== Top Strategies to Capture Security Intelligence for Applications ==== | ||
| − | + | <span style="background:#FFFFFF; border:1px solid #CCCCCC; padding:5px" >'''John Dickson''' | Case Studies | [https://www.owasp.org/images/8/8c/Top_Strategies_to_Capture_Security_Intelligence_for_Applications_OWASP.pdf Top Strategies to Capture Security Intelligence for Applications - PDF]</span> | |
| + | |} | ||
<br> | <br> | ||
Latest revision as of 23:39, 18 November 2012
- AppSecUSA Presentations and Talks
- 1 Thursday 25th Oct
- 1.1 10:00 am - 10:45 am (Thursday)
- 1.2 11:00 am - 11:45 am (Thursday)
- 1.2.1 Building a Web Attacker Dashboard with ModSecurity and BeEF
- 1.2.2 Secure Code Reviews Magic or Art? A Simplified Approach to Secure Code Reviews
- 1.2.3 Cracking the Code of Mobile Application
- 1.2.4 Hacking .NET Application: Reverse Engineering 101
- 1.2.5 Doing the unstuck: How Rugged cultures drive Biz & AppSec Value
- 1.3 2:00 pm - 2:45 pm (Thursday)
- 1.4 3:00 pm - 3:45 pm (Thursday)
- 1.4.1 Exploiting Internal Network Vulns via the Browser using BeEF Bind
- 1.4.2 The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)
- 1.4.3 Demystifying Security in the Cloud: AWS Scout
- 1.4.4 I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DAST
- 1.4.5 Rebooting (secure) software development with continuous deployment
- 1.5 4:00 pm - 4:45 pm (Thursday)
- 2 Friday 26th Oct
- 2.1 10:00 am - 10:45 am (Friday)
- 2.2 11:00 am - 11:45 am (Friday)
- 2.2.1 The Same-Origin Saga
- 2.2.2 Hack your way to a degree: a new direction in teaching application security at universities
- 2.2.3 The Magic of Symbiotic Security: Creating an Ecosystem of Security Systems
- 2.2.4 Blended Threats and JavaScript: A Plan for Permanent Network Compromise
- 2.2.5 Unbreakable Oracle ERPs? Attacks on Siebel & JD Edwards
- 2.3 1:00 pm - 1:45 pm (Friday)
- 2.4 2:00 pm - 2:45 pm (Friday)
- 2.4.1 Get off your AMF and don’t REST on JSON
- 2.4.2 Unraveling Some of the Mysteries around DOM-Based XSS
- 2.4.3 Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
- 2.4.4 XSS & CSRF with HTML5 - Attack, Exploit and Defense
- 2.4.5 The Application Security Ponzi Scheme: Stop paying for security failure
- 2.5 3:00 pm - 3:45 pm (Friday)
- 2.6 4:00 pm - 4:45 pm (Friday)
Thursday 25th Oct
10:00 am - 10:45 am (Thursday)
Building Predictable Systems using Behavioral Security Modeling: Functional Security RequirementsJohn Benninghoff | Developer | Building Predictable Systems using Behavioral Security Modeling - PDF |
|---|
Top Ten Web DefensesJim Manico | Mobile | Top 10 Defenses for Website Security - PDF |
Mobile Applications & Proxy ShenanigansDan Amodio | Mobile | Presentation not available |
Reverse Engineering “Secure” HTTP APIs With An SSL ProxyAlejandro Caceres | Reverse Engineering | Presentation not available |
Gauntlt: Rugged by ExampleJeremiah Shirk | Rugged devops | Presentation not available |
11:00 am - 11:45 am (Thursday)
Building a Web Attacker Dashboard with ModSecurity and BeEFRyan Barnett | Attack | Presentation not available |
|---|
Secure Code Reviews Magic or Art? A Simplified Approach to Secure Code ReviewsSherif Koussa | Developer | Presentation not available |
Cracking the Code of Mobile ApplicationSreenarayan Ashokkumar | Mobile | Cracking the Mobile Application Code - PDF |
Hacking .NET Application: Reverse Engineering 101Jon Mccoy | Reverse Engineering | Presentation not available |
Doing the unstuck: How Rugged cultures drive Biz & AppSec ValueJosh Corman | Rugged devops | Doing the unstuck: How Rugged cultures drive Biz & AppSec Value - PDF |
2:00 pm - 2:45 pm (Thursday)
Hacking with WebSocketsVaagn Toukharian | Attack | Presentation not available |
|---|
Bug Bounty ProgramsMichael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice | Developer | Presentation Not available |
How we tear into that little green manMathew Rowley | Mobile | Presentation not available |
AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of LifeJerry Hoff | Developer | Presentation not available |
Put your robots to work: security automation at TwitterJustin Collins, Neil Matatall, Alex Smolen | Rugged devops | Presentation Not available |
3:00 pm - 3:45 pm (Thursday)
Exploiting Internal Network Vulns via the Browser using BeEF BindMichele Orru | Attack | Presentation not available |
|---|
The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)Shay Chen | Developer | Gaining Access to the Source Code & Server Side Memory Structure of ANY Application - PDF |
Demystifying Security in the Cloud: AWS ScoutJonathan Chittenden | Cloud | Demystifying Security in the Cloud - PDF |
I>S+D! - Interactive Application Security Testing (IAST), Beyond SAST/DASTOfer Maor | Developer | Presentation not available |
Rebooting (secure) software development with continuous deploymentNick Galbreath | Rugged devops | Presentation not available |
4:00 pm - 4:45 pm (Thursday)
Cross Site Port ScanningRiyaz Walikar | Attack | Cross Site Port Scanning - PDF |
|---|
Analyzing and Fixing Password Protection SchemesJohn Steven | Developer | Presentation not available |
Static Analysis of Java Class Files for Quickly and Accurately Detecting Web-Language Encoding MethodsArshan Dabirsiaghi, Alex Emsellem, Matthew Paisner | Attack | Presentation not available |
WTF - WAF Testing FrameworkYaniv Azaria, Amichai Shulman | Architecture | WAF Testing Framework - PDF |
DevOps Distilled: The DevOps Panel at AppSec USAJosh Corman, Nick Galbreath, Gene Kim, David Mortman, James Wickett | Rugged devops | DevOps Distilled - PDF |
Friday 26th Oct
10:00 am - 10:45 am (Friday)
Effective approaches to web application securityZane Lackey | Developer | Effective approaches to web application security - PDF |
|---|
Why Web Security Is Fundamentally BrokenJeremiah Grossman | Developer | Why Web Security Is Fundamentally Broken - PDF |
Payback on Web Attackers: Web HoneypotsSimon Roses Femerling | Architecture | Presentation not available |
Spin the bottle: Coupling technology and SE for one awesome hackDavid Kennedy | Attack | Presentation not available |
Incident Response: Security After CompromiseRichard Bejtlich | Case Studies | Presentation not available |
11:00 am - 11:45 am (Friday)
The Same-Origin SagaBrendan Eich | Developer | The Same-Origin Saga - PDF |
|---|
Hack your way to a degree: a new direction in teaching application security at universitiesKonstantinos Papapanagiotou | Developer | Hack your way to a degree - PDF |
The Magic of Symbiotic Security: Creating an Ecosystem of Security SystemsDan Cornell, Josh Sokol | Architecture | Presentation not available |
Blended Threats and JavaScript: A Plan for Permanent Network CompromisePhil Purviance | Attack | Presentation not available |
Unbreakable Oracle ERPs? Attacks on Siebel & JD EdwardsJuan Perez-Etchegoyen, Jordan Santarsieri | Case Studies | Presentation not available |
1:00 pm - 1:45 pm (Friday)
Builders Vs. BreakersBrett Hardin, Matt Konda, Jon Rose | Developer | Builders-vs-Breakers - PDF |
|---|
Real World Cloud Application SecurityJason Chan | Cloud | Presentation not available |
NoSQL, no security?Will Urbanski | Architecture | Presentation not available |
SQL Server Exploitation, Escalation, and PilferingAntti Rantasaari, Scott Sutherland | Attack | Presentation not available |
Iran's real life cyberwarPhillip Hallam-Baker | Case Studies | Iran’s Real Life Cyberwar - PDF |
2:00 pm - 2:45 pm (Friday)
Get off your AMF and don’t REST on JSONDan Kuykendall | Developer | Get off your AMF and don’t REST on JSON - PDF |
|---|
Unraveling Some of the Mysteries around DOM-Based XSSDave Wichers | Developer | Unraveling some Mysteries around DOM-based XSS - PDF |
Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of CertsTobias Gondrom | Architecture | Securing the SSL channel against man-in-the-middle attacks - PDF |
XSS & CSRF with HTML5 - Attack, Exploit and DefenseShreeraj Shah | Attack | Presentation not available |
The Application Security Ponzi Scheme: Stop paying for security failureJarret Raim, Matt Tesauro | Case Studies | Presentation not available |
3:00 pm - 3:45 pm (Friday)
Using Interactive Static Analysis for Early Detection of Software VulnerabilitiesBill Chu | Developer | Static Analysis for Early Detection of Software Vulnerabilities - PDF |
|---|
Origin(al) SinsAlex Russell | Developer | Presentation not available |
The 7 Qualities of Highly Secure SoftwareMano 'dash4rk' Paul | Architecture | 7 Qualities of Highly Secure Software - PDF |
Web Framework VulnerabilitiesAbraham Kang | Attack | Web App Framework Based Vulnerabilies - PDF |
Web App Crypto - A Study in FailureTravis H | Case Studies | Web App Cryptology A Study in Failure - PDF |
4:00 pm - 4:45 pm (Friday)
Security at ScaleYvan Boily | Developer | Presentation not available |
|---|
Four Axes of EvilHD Moore | Developer | Four Axes of Evil - PDF |
Pining For the Fjords: The Role of RBAC in Today's ApplicationsWendy Nather | Architecture | Presentation not available |
Counterintelligence Attack TheoryFred Donovan | Attack | Presentation not available |
Top Strategies to Capture Security Intelligence for ApplicationsJohn Dickson | Case Studies | Top Strategies to Capture Security Intelligence for Applications - PDF |
