Difference between revisions of "2016 BASC Presentations"
Revision as of 14:23, 29 September 2016
Sponsorships are available: See Sponsorship Kit
Please help us keep BASC free by viewing and visiting all of our sponsors.
We would like to thank our speakers for donating their time and effort to help make this conference successful.
- 1 AppSec Awareness: A Blue Print for Security Culture Change
- 2 The Code You Never See - Vulnerabilities From 3rd party Marketing Javascript
- 3 Continuous Application Security at Scale with IAST and RASP
- 4 Docker Anti-Patterns, from Confusion to Enlightenment
- 5 From the Trenches - XML Injection
- 6 Hacking with the Gibson, A Hacker Musical
- 7 Handle With Care: You Have My VA Report!
- 8 Mental Wellness in the Workplace
- 9 Penetrating Android Applications
- 10 Software Product Security: A Way Forward
- 11 Vulnerability Management – Turning Chaos into Order
AppSec Awareness: A Blue Print for Security Culture Change
How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and part action to improve security into the future.
Each company has an application security culture, but most of them need a boost. Come and experience a successful blueprint for how you can build an application security awareness program of your own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people.
Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization. The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what application security awareness is to providing the details for how anyone can build a program of their own. This advice is from real-life experience; this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.
The six blueprints are:
- Mission: how to define and build a team to support
- Program architecture: design a program that covers all roles and recognizes achievements, on a budget
- Curriculum: what to teach, and how to decide what to include
- Humor: how to use humor to engage the audience
- Content Creation: how to build application security learning that people want to enjoy
- Tools: things you can add to enhance the program's organizational visibility
The Code You Never See - Vulnerabilities From 3rd party Marketing Javascript
Virtually every site has some marketing JavaScript (aka tags) running on it to allow the analysis of user actions or to present the user with a customized page. Most commonly this JavaScript is delivered to the user's browser directly from the 3rd party. What that means is the JavaScript never goes through any of your security controls: no design review, no code review, no web application firewall. We will explain the tools and ecosystem used to create and deliver this JavaScript, show how they have caused actual cross-site scripting vulnerabilities in various well-known sites, discuss some possible technical controls, and present a simple page JavaScript architecture that prevents this XSS, is actually faster, and is recommended by tag management services.
Continuous Application Security at Scale with IAST and RASP
SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Docker Anti-Patterns, from Confusion to Enlightenment
Follow me through my discovery of Docker anti-patterns, stemming from a core misunderstanding of containerization. Understand my mistakes as they could be your own and figure out what the right and true solutions are.
We’ll explore anti-patterns such as the multiple-concerns container, latest is greatest and SSH for beginners, each of them a security concern. We’ll explore anti-anti-patterns, a.k.a. best practices with a slant towards the practical and realistic.
From the Trenches - XML Injection
Everyone has read the OWASP guides and understands the common security vulnerabilities that affect web applications. However, often what OWASP presents is very high level and basic, and doesn't usually capture some of the advanced forms in which vulnerabilities manifest.
In this talk I look at XML Injection, what it is, and cover a few basic examples. I then move on to a few real-life examples of this vulnerability that I have exploited in the wild on real-life application security assessments. I will also cover remediation and code review strategies to prevent the issues.
Hacking with the Gibson, A Hacker Musical
Musical equipment has begun to be able to connect to the internet, to set up ad-hoc mesh networks, and to be updated over the air. We have seen similar capabilities in other IoT devices, and there has been little to no security associated with these capabilities, which is also the case here. What is different is that we have the opportunity to hack devices in unusual ways, one of which is by use of sound to overwrite the signal processing software on some guitar pedals. In this talk we will show how the software on a guitar pedal can be overwritten just using sound and how to reverse engineer this update process to create and upload arbitrary software of our own design onto the guitar pedal.
Handle With Care: You Have My VA Report!
Does your organization rely heavily on vendor products/applications for streamlining your processes? Do you wonder what threats your data is being exposed to while handled by these applications? Are you a product company trying to assure your clients of the security of your application without divulging too much information? Have you faced situations where your client demands to run their own security assessment? This talk aims to help the audience understand:
- What data you should be looking for in the assessment report
- How to send or share information with people outside the organization
- What you should be worried about in the assessment report and plans for remediation
- Current practices among vendors
Mental Wellness in the Workplace
Involved Agencies: IWG, a behavioral health service organization, located in New Haven, Connecticut, is dedicated to collaborating and providing solutions for our clients. Primarily, IWG has done this by providing therapeutic interventions to individuals and families. Integrated Wellness Group EAP serves all employees, their spouses/partners and dependents. Further, we provide counseling by phone /telehealth for up to 5 sessions per year by experienced mental health professionals and self-assessments for common problems with written feedback. All of our services are based on trauma-informed approaches to treatment.
Statement of Need: It has been reported that approximately 5% of the U.S. population suffers from trauma, and it is suggested that this number is three to four times higher for software developers (15 – 20%). Tech companies have been known to thrive on high expectations, frequent deadlines and a fast-paced work environment, which can produce stress-induced workers. The high demand to deliver a top-quality product often leads to stress, high anxiety and eventually burnout. However, few are willing to admit they are overwhelmed, and they struggle in silence until it is too late. This stressful work environment can lead to PTSD-like symptoms in individuals such as depression, anxiety, isolation and sleep interruption, among other things, all of which can negatively impact workplace productivity and satisfaction. For those companies that offer mental health resources, only 26% of individuals are aware of the company's resource and how to seek assistance. Unfortunately, the majority choose to suffer in silence. Despite these statistics, mental health is a topic widely avoided in the tech community. Fear of stigma, social taboos, and lack of resources all impede our ability to have important conversations. Only 1.8% of total IT operating budgets contribute to behavioral health organizations, which is far below the recommended 7-10% for safety net organizations.
Conference Proposal: The purpose of this proposal is to offer breakout sessions focused on reducing trauma and increasing wellness during conferences for employees that are facing a variety of emotional and mental health issues that can cause a lack of productivity in the workplace. In order to reduce the number of professionals reaching burnout and feeling stuck in a stress-induced environment, Integrated Wellness Group is offering to meet the client on site during the conference, provide a psychoeducational workshop, or meet in the office. Additional EAP Services for the Workplace: Integrated Wellness Group is dedicated to improving professional well-being by providing Employee Assistance Program (EAP) services to those in need. Services include wellness assessments, counseling, coaching, and referrals for additional services and follow-up visits. IWG will conduct interactive assessments that cover information from personal stress to substance abuse. Through the EAP, employers will see improved productivity, reduced workplace absenteeism, as well as reduced healthcare costs associated with stress, depression, and other mental health issues. Our proposed services are integrated in a way that ensures coherent and comprehensive solutions to problems assessed at the first point of contact.
Penetrating Android Applications
Being the operating system with the largest user base, Android presents a threat landscape for its applications that cannot be ignored. While Android OS is used in a wide variety of devices, from smart watches to TVs, a large chunk of its user base is concentrated on mobile phones. Popular services which were offered over the web are also constantly trying to adapt themselves to the mobile environment. This raises a few important questions for information security enthusiasts.
- How similar or how different are the threats related to Android applications?
- How can we perform penetration tests on an Android application?
The presentation would cover the basic threat model for Android applications and would provide a quick guide to performing penetration tests on Android applications, detailing how we can intercept Android traffic and decompile the application package.
Software Product Security: A Way Forward
Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.
Vulnerability Management – Turning Chaos into Order
EMC handles vulnerability management for over 70 products. As the volume of intake increases year by year, the EMC Product Security Response Center had to take a systematic, proactive approach to guide the product units at all levels to work seamlessly in managing and responding to these vulnerabilities. We will share the chaos that we faced and discuss how order was restored to our command center.