This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

2018 BASC Presentations

Latest revision as of 20:50, 1 November 2018


Platinum Sponsors

HackerOne, Black Duck Software, Optiv, Veracode

Gold Sponsors

Checkmarx, Dell, Qualys, nVisium, GoSecure

Silver Sponsor
Please help us keep BASC free by viewing and visiting all of our sponsors.

We would like to thank our speakers for donating their time and effort to help make this conference successful.

MSeVader: Outsmarting the WAF

Presented by: Brent Dukes

ModSecurity Evader (MSeVader) is a tool that assists offensive security testers in crafting payloads that evade ModSecurity WAF rules. As a Burp Suite extension that provides real-time visual feedback on rule violations, it lets the attacker tweak payloads before submitting them to the web server, ensuring they are not blocked. The demonstration of the tool will include techniques for fingerprinting the WAF to determine the specific threshold settings of its rules, allowing the attacker to know whether a payload will be blocked without sending any packets. This tool has been used to successfully discover WAF-evading payloads that execute SQL injection and XSS, and that inject web shells, against a site behind a popular commercial cloud-based WAF solution at its maximum paranoia settings.

Painless Threat Modeling

Presented by: Andrew Gronosky

According to OWASP, threat modeling is one of the most valuable activities to ensure secure web application design. Yet leading resources on threat modeling make it look like a massive and complex up-front effort. This presentation will outline a practical approach to threat modeling that can be started in just a few working days and can produce productive collaboration between development and security teams.

It Depends On....

Presented by: Tania Ward and Kristen Pascale

From the time we choose to rise each morning to the time we finally rest our heads, almost every decision made in our daily lives depends on something. When we understand these dependencies, we can better control our responses. How a PSIRT manages its response is not black and white either; in fact, the quality of a response correlates with the degree to which dependencies are known and understood within the products that get released. As developers incorporate more open source and commercial third-party components into their products, the complexity of these dependencies continues to increase, which causes a downstream ripple effect on PSIRTs who are tasked with managing the responses to vulnerabilities reported in these dependencies. A framework for managing dependencies is important so developers can understand the downstream impact of their decisions on PSIRTs, while opening the door for PSIRTs to potentially shape those decisions. Further enforcing this dialogue through dedicated PSIRT controls lays the foundation for a PSIRT response that truly shifts from reactive to proactive.

Navigating the Bug Bounty Marketplace

Presented by: Bryan Brannigan

Bug bounties are a marketplace, and like all marketplaces there are good sellers (researchers) and buyers (programs), and there are bad sellers and buyers. There are resources everywhere to help researchers get going in this exciting world of bug hunting, but there are few resources available to help those running programs. Yet it is far worse to be a bad program than it is to be a bad researcher. Let's have a conversation about how Upserve went from no bounty program to launching a public program (and beyond!). We'll talk about the speed bumps and the lessons learned along the way. And you'll learn how managing a successful bug bounty program is more about managing expectations and clear communication than it is about fixing security bugs.

API Security Challenges

Presented by: Angelo Castigliola

APIs present enterprises with new risks and challenges to security. In this presentation, I will discuss a methodology to secure your enterprise's APIs. This methodology will include: Discovery (Breaking down your APIs into basic groups, The difference between Web App Discovery and API Discovery); Risk and Prioritization (Rapid Risk Assessment); Testing (Tools, Vulnerabilities); Gateways, Serverless, Microservices (Gateway vs. Service, Unique Requirements of API Services Require Specialized Testing); Key Take-Aways on Securing your API Environment (Have an API discovery and risk plan, Tools that worked on Web Apps need more help with APIs, Newer technologies benefit from full stack testing techniques).

Acquiring and Retaining Cybersecurity Talent: A Proven Model

Presented by: Deidre Diamond

Workforce development relies on a subject-matter common-language framework of projects and tasks. Job descriptions are then derived from this same framework of subject-matter project and task definitions. A career development plan based on standardized projects and tasks, along with a culture that allows for psychological safety, will allow you to acquire and retain talent. When we combine daily processes of business operations derived from a subject-matter common language, in which all teammates know their role and the roles of others on the team (along with a culture that allows humans to think, feel and perceive without negative consequences), we can truly experience workforce development in any subject-matter profession. Come hear how to achieve this success in cybersecurity. Between our technology and our theories, we are showing that organizations can obtain cybersecurity talent in less than 60 days and retain them.

Modern Security Architecture with OpenID Connect

Presented by: Brock Allen

Modern applications require modern security, and the OpenID Connect and OAuth2 security protocols are designed to meet this need. To achieve a modern security architecture you must use something called a "security token service" that implements these protocols. In this session we will look at how applications are now architected to incorporate and use a token service for authentication, thus providing single sign-on. We will also see how this same token service provides tokens for securing Web APIs. We will be using ASP.NET Core and the popular open source framework IdentityServer to illustrate these concepts.

How Not to Fail Your DevSecOps Transformation

Presented by: Eitan Worcel

There is no silver bullet for a successful DevSecOps transformation. Each organization has its own way of doing things, and no two development groups are the same. The good news is that you can learn from mistakes made by others and avoid repeating them. In this session you will hear about other organizations' AppSec programs, their journey to shift security to the left, their missteps, and the lessons learned.

Website Security – AppSec’s Partial Solution to a Complex Problem

Presented by: Chris Olson

Websites and mobile apps are the primary channel through which businesses communicate with customers and consumers. However, the significant risk they harbor continues to confound information security professionals for three reasons. First, a majority of website code is provided by unknown parties and executes outside the enterprise infrastructure. Second, these shadow IT resources are not addressed by app scanning services. Third, appsec teams don’t understand the composition of these digital assets and the risks they pose to the enterprise. There’s a fundamental philosophy that these shadow IT resources are not part of websites and mobile apps, and therefore not appsec’s responsibility. And it shows. Digital-driven breaches occur with increasing regularity via compromised third-party vendors such as tag management systems, chat bots, content management systems, data management platforms, marketing analytics, video platforms, advertisements, and more. Making matters worse, bad actors leverage sophisticated targeting and obfuscation techniques to continuously evade security researchers and technologies. Considering that 50-95% of executing website code is typically delivered by third parties, enterprises need to rethink website security. How can you secure code that application security tools—let alone operations teams—don’t even see executing on the user’s device? A real-time review of five popular websites will demonstrate the complexity of the digital environment and why breaches will continue to dominate headlines.

From Tears to Tiers; using DAST and Tiering to Make Pentesting Great Again

Presented by: Joshua Piotrowski and Jessica Boy

The struggle is real before the pentest even starts: you have hundreds of web applications to test, dozens of managers looking for redacted pentest reports, and that one person who keeps coming to your desk for updates (daily). It’s a mad world. We’ve been there, so you don’t have to be! Join us as we present how we leveraged the power of Dynamic Application Security Testing (DAST), the concept of tiering, and the power of automation to test what matters (and yes, everything matters – even internal applications), and how to use all that to make pentesting great again! This is the one retrospective you won’t want to miss – key take-aways from working on AppSec for over 3 years. If you’ve been managing your issues in Excel, writing reports in Word, and are excited to spend your time actually testing applications, this talk is for you! We’re anticipating a highly collaborative session and hope you’ll join – feedback, criticism and praise are all welcome!

Voyages of the Security-Driven Enterprise

Presented by: Katie Knowles

You may have heard it said that security should work to enable the business. Easier said than done... how can a defensive practice provide growth through risk management? In this talk, we'll review three valuable roles security can play to fully integrate with the business it supports. Expect simple, quick-win strategies from our experience working with fellow defenders to translate between business needs, negotiate prioritization, and energize collaborative initiatives for new growth. Along the way, we'll cover realistic techniques to engage common obstacles and set course towards a security-driven enterprise.

Introduction to Android Security

Presented by: Dzung Pham

This presentation is an overview of Android security. The Android framework, common application vulnerabilities, and penetration testing methods will be discussed. This presentation caters to people who are interested in learning the fundamentals of Android security.

You can find out more about this conference at the 2018 BASC Homepage or by emailing