
2015 BASC Presentations

From OWASP
Revision as of 02:28, 18 September 2015 by Tom Conner


Platinum Sponsors

Rapid7

Silver Sponsors

bugcrowd


Sponsorships are available: See Sponsorship Kit
Please help us keep BASC free by viewing and visiting all of our sponsors.


We would like to thank our speakers for donating their time and effort to help make this conference successful.


Account Checking and User Credential Fraud

Presented by: Kellen Kleinfelter

A discussion of the current trend of account checking attacks and the tools used to execute them. Data breaches have given attackers a large list of usernames and passwords that are often valid on many other unrelated sites. Cybercriminals use botnets in an attempt to gain access to rewards points and financial information in an automated fashion. Attackers span from professionals running custom tools hosted worldwide to advanced penetration testers who can quickly find and access an open back door. In this talk, we will look at the attack signatures and show some keys for detection and mitigation of the attacks.


Assessing the Security of Web Applications, It is like Penetration Testing

Presented by: Matt Morency

Assessing the security of web applications is similar to penetration testing but also has certain key differences. In this presentation we will discuss what some of those similarities and differences are, based on both academic research and real-world experience. Based on these similarities and differences, we will present the penetration testing practices we have found can be leveraged, the practices that need to be modified, and the practices that should be discarded when conducting web application security assessments.


Can Buffer Overflow Attacks Be Stopped?

Presented by: Satya Gupta

Buffer Overflow attacks are one of the most insidious and difficult to thwart exploits that exist in today’s modern IT security infrastructure. Most enterprise IT professionals have little understanding of how they work and why existing options generally fail in stopping them. While user input-based attacks are well understood and solutions exist and are emerging for them, buffer overflow attacks remain the bane of application security professionals everywhere.

This presentation will focus on dissecting how buffer overflow attacks work, why they succeed through existing types of security products and an entirely new way of thinking regarding how to stop them. Using examples from Virsec hacking labs, we will discuss this critical area of the security and new advancements, as well as demonstrate a buffer overflow attack that is thwarted using this new approach.


Cryptography: The Devil is in the Details

Presented by: Matt Cheung

Cryptography is often seen as a security panacea, but the devil is in the details. While the standard algorithms are thought to be secure, how they are used or implemented can greatly affect their security. In this talk, I will start with the basic vocabulary of cryptography and then move on to some of the most common mistakes made in cryptography in recent years.


Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks

Presented by: Amin Kharraz

In this talk, we present the results of a long-term study of ransomware attacks that have been observed in the wild. We also provide a holistic view on how ransomware attacks have evolved during this period by analysing thousands of samples that belong to different ransomware families. Our results show that, despite a continuous improvement in the encryption, deletion, and communication techniques in the main ransomware families, the number of families with sophisticated destructive capabilities remains quite small. In fact, our analysis reveals that in a large number of samples, the malware simply locks the victim's computer desktop or attempts to encrypt or delete the victim's files using only superficial techniques. Our analysis also suggests that defending against ransomware attacks is not as complex as it has been previously reported. For example, we show that by monitoring abnormal file system activity, it is possible to design a practical defense system that could stop a large number of ransomware attacks, even those using sophisticated encryption capabilities. A close examination of the file system activities of multiple ransomware samples suggests that by looking at I/O requests and protecting the Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks. Our findings contradict some security community discussions that suggest the impossibility of detecting or stopping these types of attacks due to the use of sophisticated, destructive techniques.


How To Make Threat Modeling Work For You

Presented by: Robert Hurlbut

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. In this session, you will learn practical strategies in using threat modeling in secure software design and how to apply risk management in dealing with the threats.

Known Vulnerabilities - What Security Testing Tools Miss

Presented by: Mike Pittenger

Static analysis, dynamic analysis, and other testing tools are all essential weapons against adversaries. But for the 78% of companies worldwide that use open source software in their application development, these tools are ineffective in identifying and mitigating open source security risks across their application portfolios. This presentation will cover:

  • The value of static and dynamic tools, and where they best fit in the Secure Development Lifecycle
  • Why these tools are not useful in identifying known vulnerabilities in open source components
  • Controls development and security professionals can deploy to select, detect, manage and monitor open source for existing and newly disclosed vulnerabilities.


NeonTool: From XSS to root on your NAS

Presented by: Tony Martin

Home Network Attached Storage devices (NAS) are gaining in popularity because of the simplicity they offer to manage ever-growing amounts of personal data. The device’s functionality is extending beyond a data store, adding functionality to become the central content management system, multimedia center, network management point and even automation hub for the home and small business. The devices offer accessibility to local and remote users as well as to untrusted users via data shares. These capabilities expose all stored data and the device itself to outside/remote attackers. This talk will demonstrate an attack named NEON TOOL; by leveraging multiple vulnerabilities, it allows a remote attacker to gain root access on a popular home NAS device. It examines the problems that XSS, in conjunction with other weaknesses, can create, addresses how these vulnerabilities were uncovered, possible mitigations and how to work responsibly with the vendor to ensure a timely resolution.


Scaling Appsec for the Enterprise

Presented by: Brian Heemsoth

There is no shortage of products on the market today that promise a "golden ticket" solution to software/mobile security across the enterprise. However, the reality is that while the market is quite saturated, a certain level of finesse is required to effectively scale a proper application security program across large architecture & development organizations, and empower development teams to integrate the correct app sec resources into their existing development lifecycle to assure the timely identification and remediation of flaws.

Topics to be covered:

  • Scaling Threat Modeling / reducing Threat Modeling Overhead
  • Application Risk Classification
  • Security Training/Developer Empowerment/Satellite Development
  • Effective Static Analysis
  • Scaling Automated Application Assessment
  • Open Source Component Management
  • Penetration Testing
  • Effective use of WAFs and other Production Controls
  • Financial & Productivity Gains of Efficient AppSec Program Implementation


Securing Hadoop Application Ecosystem

Presented by: Biju Nair

With more enterprises embracing the Hadoop ecosystem to store, manage and process large volumes of data, securing it is vital. In this talk we will go over the fundamentals of the Hadoop ecosystem and how it can be secured as it stands today.


Threat Modeling Global Catastrophic Risks

Presented by: Luke Donoho

This presentation explores the connections between threat modeling the Future of Humanity Institute’s (FHI) “Global Catastrophic Risks” and software threat modeling concepts, including the OWASP guide to Threat Risk Modeling. The impact to civilization from a technology perspective hinges on ensuring that proper risk is considered when developing technologies that the FHI has identified as catastrophic risks. While several risks are identified by this institute, the technological areas of focus are artificial intelligence and nanotechnology. An overview of each of these technology areas will be provided, as well as a deep dive into their associated risk. As these technologies continue to gain momentum, a risk assessment of their activities and impacts requires a closer level of review and scrutiny as each implementation is evaluated. The most consistent finding in reviewing the various technologies is that an open framework of technological guidelines and threat models must be reviewed, applied, and revised by many professional security practitioners to assist in securing the long term fruition of our society and its inevitable technological reliance.


Towards Effective Developer Training

Presented by: Casey Dunham

As a security consultant I do a lot of developer training sessions where I am routinely asked to go in front of a group of developers I have never met before and teach them how to write more secure code. My approach to training is constantly evolving. After every training I do, self-reflection occurs and materials are updated in preparation for the next session. Throughout the past year as I have performed trainings, I have learned a few techniques and topics that resonate, and a few that do not. In this talk I discuss what makes an effective program and offer my guidance on building it out.


Using OSINT to Attack Web Applications

Presented by: Casey Dunham

Web applications often sit on the open internet for a long time before flaws are fixed. This presents an opportunity for crawlers to index the site, sometimes including exceptions and other information that should not be exposed. When conducting an application assessment, it is often worthwhile to dig into what the search engines have already indexed. Looking at the history of the site at various dates can also lead to hidden or forgotten pages that may aid in an attack.

In this talk, I present a few tools and techniques I use to search out this forgotten information and how it can be used to aid in an application assessment.

You can find out more about this conference at the 2015 BASC Homepage
Conference Organizer: Jim Weiler