AppSecUSA 2017 Developer Summit

Latest revision as of 21:52, 18 September 2017

We are excited to announce that OWASP will once again be holding a two day Developer Summit at AppSecUSA 2017 on September 19 & 20, 2017 in Room Coronado N&P. OWASP is providing a structured platform for Developers two days prior to the AppSec USA 2017 conference. The Developer Summit will consist of sessions geared toward learning about security vulnerabilities.


There is no charge to attend the Developer Summit, so come join us! You do not need an AppSec USA 2017 conference ticket to attend the Developer Summit; however, we do ask that you SIGN UP (https://docs.google.com/spreadsheets/d/13Bcus3CXcBbBmnbFlbZN0i08tXpCJJBre026s7c1vWQ/edit#gid=0) so we have an estimated headcount to be sure we have enough space and food.


AGENDA

Day 1: Half Day Morning Session

Date: Tuesday, September 19, 2017

Time: 10am-1pm

Location: AppSec USA 2017 Room: Coronado N&P

Presenter: Robert Hurlbut

About Robert: Robert Hurlbut is an independent software security consultant and trainer based in Enfield, CT. Robert is a Microsoft MVP for Developer Technologies and Security and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in software security, software architecture, and software development. You can follow Robert on his blog at https://roberthurlbut.com/blog and on Twitter at https://twitter.com/roberthurlbut.com and each week as a co-host of the Application Security Podcast at https://www.appsecpodcast.org.

Using OWASP Threat Dragon for Threat Modeling

OWASP Threat Dragon is a new OWASP project that introduces a threat modeling tool that is portable (usable on the web across platforms), integrates well with the build process, and is a great tool to introduce to developers and teams. This hands-on developer session will focus on introducing the Threat Dragon tool, the best ways to use it in a day-to-day developer environment, and making it part of the CI pipeline (including integration with Jenkins, etc.).

What will be discussed?

  • OWASP Threat Dragon, Threat Modeling

What will attendees learn from attending this session?

  • Using the OWASP Threat Dragon tool to help with threat modeling diagrams and their maintenance.

Items attendees are required to bring with them

  • Laptop, GitHub profile

Day 1: Half Day Afternoon Session

Date: Tuesday, September 19, 2017

Time: 2pm-5pm

Location: AppSec USA 2017 Room: Coronado N&P

Presenters: Nicole Becher and Tanya Janca

Hacking APIs and Web Services with OWASP DevSlop & PIXI!

Modern applications often use APIs and other microservices to deliver faster and better products and services. However, there are currently few training grounds for security testing in such areas. In comes DevSlop, OWASP's newest project: a collection of DevOps security disasters built as a vulnerable testing and proving ground for developers and security testers alike. DevSlop's Pixi, the first of many entries to come for this OWASP project, will be demonstrated and presented for participants' hacking and learning pleasure. Pixi consists of vulnerable web services, and participants will be walked through how to exploit several of its vulnerabilities so they can learn how to do better when they create their own web services and other types of APIs from now on.

What will be discussed?

  • API and Web Service Hacking & OWASP Project DevSlop

What will attendees learn from attending this session?

  • How to hack APIs and web services

Items attendees are required to bring with them

  • A laptop with a web proxy and a modern web browser. Admin privileges on your machine.

Day 2: Full Day Session

Date: Wednesday, September 20, 2017

Time: 9am-5pm

Location: AppSec USA 2017 Room: Coronado N&P

Presenter: Swaroop Yermalkar

Extreme iOS App Exploitation, Defense and ARM Exploitation

Detailed training contents: https://goo.gl/swp7F8

iOS has become one of the most popular mobile operating systems, with more than 1.4 million apps available in the iOS App Store. Security weaknesses in any of these applications or in the system itself could allow an attacker to gain access to the device and retrieve sensitive information. This training will show you how to conduct a wide range of penetration tests on iOS applications to uncover vulnerabilities and harden the system against attacks. Extreme iOS App Exploitation, Defense and ARM Exploitation is a 14-hour session that will help you conduct end-to-end pentesting of iOS applications and understand the security measures that need to be taken. The training will also include a CTF challenge where attendees apply the skills learned in the session. To attend this hands-on session, all you have to do is bring your MacBook with Xcode installed on it.

What will be discussed?

Module 1: Introducing iOS App Security

  • iOS security model
  • App Signing
  • App Sandboxing
  • App Provisioning
  • Changes in iOS 8/9/10

Module 2: Setting up lab

  • Setting up iOS Simulators
  • Jailbreaking basics
  • App signing
  • Setting up jailbroken iDevices (we will provide them)

Module 3: Exploiting iOS Application

  • Exploiting Local Data Storage Flaws
    • Keychain Storage
    • Data Storage in SQLite
    • Data Storage in Core Data
    • Data Storage in Realm database
    • Data Storage in YAP database
    • Data Storage in NSUserDefaults
  • Attacking URL Schemes
  • Broken Cryptography attacks and challenges
  • Exploiting SQL Injection
  • Exploiting XSS Attacks
  • Sealing up side channel data leakage

Module 4: Exploiting Broken Cryptography

  • Exploiting flaws in payment gateways
  • Crypto challenges

Module 5: Exploiting Key Management

  • Hardcoded keys
  • Storing keys server side
  • Generating random keys
  • CTF challenge

Module 6: Runtime Analysis of iOS Application

  • Runtime analysis using cycript
  • Runtime analysis using gdb with ARM Basics
  • Runtime analysis using lldb
  • Runtime analysis using Snoop-it
  • Runtime analysis using Frida
  • Bypassing jailbreak detection
  • Bypassing piracy detection
  • CTF Challenge

Module 7: Reverse Engineering and binary analysis

  • Reversing encrypted binaries
  • Checking for PIE, ARC
  • Reversing un-encrypted binaries
  • Disassembling using Hopper
  • Disassembling using IDA
  • iOS App binary patching
  • String analysis
  • CTF Challenge

Module 8: Analyzing iOS Network traffic

  • Intercepting HTTP traffic
  • Intercepting HTTPS traffic
  • Bypassing SSL Pinning
  • Attacking Weak Server Side Controls
  • CTF Challenge

Module 9: Exploring iOS Pentest automation frameworks

  • Needle Framework
  • IDB

Module 10: iOS Secure Coding

  • iOS static code review
  • Understanding best practices for
    • Defending against local data storage flaws
    • Preventing runtime protection
    • Key management
    • Defending against crypto attacks
    • Defending against side channel data leak attacks

Module 11: iOS ARM Exploitation

  • ARM Assembly
  • Executing first ARM program on iDevice
  • ROP (Return Oriented Programming) Basics
  • Simple stack overflow on iDevices
  • Exploiting a heap overflow
  • Case studies of recent jailbreaks

What will attendees learn from attending this presentation?

  • End to end iOS App Pentesting
  • iOS Secure Coding
  • iOS reverse engineering, runtime analysis
  • Encryption key management, Defending crypto attacks
  • ARM Exploitation (basics)
  • Designing secure iOS applications

Items attendees will be required to bring with them

  • MacBook with root permission and Xcode (8.2 or above) installed

More details and the agenda are coming soon!

Questions? Please submit them here: https://www.tfaforms.com/308703