Difference between revisions of "2016 BASC Presentations"
Revision as of 02:50, 30 September 2016
We would like to thank our speakers for donating their time and effort to help make this conference successful.
AppSec Awareness: A Blue Print for Security Culture Change
How does an individual change the application security culture of an organization? By designing and deploying an application security awareness program that contains engaging content, humor, and recognition. Application security awareness is part security knowledge, part lessons learned from history, and part action to improve security into the future.
Each company has an application security culture, but most of them need a boost. Come and experience a successful blueprint for how you can build an application security awareness program of your own. The content is based on five years of real-life experience implementing application security awareness in a large enterprise reaching 30,000 people.
Go beyond traditional security awareness, and dive deep into changing the DNA of those who code, test, and deploy applications within their organization. The session uses the illustration of building a house, with six points used to show the ideal way to construct a successful application security awareness program. We move from answering what application security awareness is, to providing the details for how anyone can build a program of their own. This advice is from real-life experience; this is how we did it, and how anyone in the audience can use this blueprint to deploy their own program.
The six blueprints are:
- Mission: how to define and build a team to support the program
- Program architecture: design a program that covers all roles and recognizes achievements, on a budget
- Curriculum: what to teach, and how to decide what to include
- Humor: how to use humor to engage the audience
- Content creation: how to build application security learning that people want to enjoy
- Tools: things you can add to enhance the program's organizational visibility
The Code You Never See - Vulnerabilities From 3rd party Marketing Javascript
Virtually every site has some marketing JavaScript (a.k.a. tags) running on it to allow the analysis of user actions or to present the user with a customized page. Most commonly this JavaScript is delivered to the user's browser directly from the third party. What that means is that the JavaScript never goes through any of your security controls: no design review, no code review, no web application firewall. We will explain the tools and ecosystem used to create and deliver this JavaScript, show how they have caused actual Cross-Site Scripting vulnerabilities in various well-known sites, discuss some possible technical controls, and present a simple page JavaScript architecture that prevents this XSS, is actually faster, and is recommended by tag management services.
Continuous Application Security at Scale with IAST and RASP
SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way.
Docker Anti-Patterns, from Confusion to Enlightenment
Follow me through my discovery of Docker anti-patterns, stemming from a core misunderstanding of containerization. Understand my mistakes as they could be your own and figure out what the right and true solutions are.
We’ll explore anti-patterns such as the multiple-concerns container, latest is greatest and SSH for beginners, each of them a security concern. We’ll explore anti-anti-patterns, a.k.a. best practices with a slant towards the practical and realistic.
From the Trenches - XML Injection
Everyone has read the OWASP guides and understands the common security vulnerabilities that affect web applications. However, what OWASP presents is often very high level and basic, and doesn't usually capture some of the advanced forms in which vulnerabilities manifest.
In this talk I look at XML Injection, what it is, and cover a few basic examples. I then move on to a few real-life examples of this vulnerability that I have exploited in the wild on real-life Application Security assessments. I will also cover remediation and code review strategies to prevent the issues.
Future of Information Security and IoT Panel
Join these panelists and bring your questions and get different perspectives as they talk about the future of information security and the Internet Of Things (IoT).
Hacking with the Gibson, A Hacker Musical
Musical equipment has begun to be able to connect to the internet, to set up ad-hoc mesh networks, and to be updated over the air. We have seen similar capabilities in other IoT devices, and there has been little to no security associated with these capabilities, which is also the case here. What is different is that we have the opportunity to hack devices in unusual ways, one of which is by the use of sound to overwrite the signal processing software on some guitar pedals. In this talk we will show how the software on a guitar pedal can be overwritten just using sound, and how to reverse engineer this update process to create and upload arbitrary software of our own design onto the guitar pedal.
Handle With Care: You Have My VA Report!
Does your organization rely heavily on vendor products/applications for streamlining your processes? Do you wonder what threats your data is being exposed to while handled by these applications? Are you a product company trying to assure your clients on the security of your application without divulging too much information? Have you faced situations where your client demands to run their own security assessment? This talk aims to help the audience understand:
- What data you should be looking for in the assessment report
- How to send or share information with people outside the organization
- What you should be worried about in the assessment report and plans for remediation
- Current practices among vendors
Penetrating Android Applications
Being the operating system with the largest user base, Android has a threat landscape for its applications that cannot be ignored. While Android is used in a wide variety of devices, from smart watches to TVs, a large chunk of its user base is concentrated on mobile phones. Popular services that were offered over the web are also constantly trying to adapt themselves to the mobile environment. This raises a few important questions for information security enthusiasts.
- How similar or how different are the threats related to Android applications?
- How can we perform penetration tests on an Android application?
The presentation will cover the basic threat model for Android applications and provide a quick guide to performing penetration tests on Android applications, detailing how to intercept Android traffic and decompile the application package.
Software Product Security: A Way Forward
Bill's presentation will discuss the state of software product security: where we've been, why we're still struggling after over 30 years of trying, and what we must do, strategically, to improve.
Vulnerability Management – Turning Chaos into Order
EMC handles vulnerability management for more than 70 products. As the volume of intake increases year by year, the EMC Product Security Response Center had to take a systematic, proactive approach to guide the product units at all levels to work seamlessly in managing and responding to these vulnerabilities. We will share the chaos that we faced and discuss how order was restored to our command center.