
Difference between revisions of "2014 BASC Presentations"

From OWASP
(Created page with "{{2014_BASC:Header_Template | Speakers/Panelists}} === Jack Mannino === '''nVisium'''<br/> Jack is the CEO at nVisium and loves solving problems in the field of application...")
 
Previous revision (Speakers/Panelists):

{{2014_BASC:Header_Template | Speakers/Panelists}}

=== Jack Mannino ===
'''nVisium'''<br/>
Jack is the CEO at nVisium and loves solving problems in the field of application security. With experience building, breaking, and securing software, he founded nVisium to invent new and more efficient ways of protecting software. Jack is a huge fan of contributing to open source projects, and leads the OWASP Northern Virginia chapter. In his spare time, he loves to kick around new frameworks and technologies, especially things that run Android and code written in Scala. He's also an optimistic New York Mets fan, although that optimism slowly fades away every summer.

=== Geller Bedoya ===
'''nVisium'''<br/>
Geller Bedoya is a senior member of the application security team at nVisium. Geller graduated from Georgia Tech with a degree in Electrical Engineering. As an undergraduate student Geller tackled a range of security challenges from memory forensics to botnet research. After graduation, he promptly put his security knowledge to work at a financial brokerage where he aided in the design and implementation of security throughout the SDLC. He performs security code reviews and application security testing of products. Outside the office, he finds peace of mind by cycling and running.

=== Collin Mulliner ===
'''Northeastern University'''<br/>
Collin Mulliner is a postdoc researcher at SECLAB at Northeastern University. Collin's main interest is in the area of security and privacy of mobile and embedded devices with an emphasis on mobile and smart phones. Since 1997, Collin has developed software and done security work for Palm OS, J2ME, Linux, Symbian OS, Windows Mobile, Android, and the iPhone. In 2006, he published the first remote code execution exploit based on the multimedia messaging service (MMS). Collin's most recent projects are in the area of vulnerability analysis and offensive security.

=== Michael Weissbacher ===
'''Northeastern University'''<br/>

=== Jeff Williams ===
'''Contrast Security'''<br/>
Jeff Williams is the founder and CTO of [http://contrastsecurity.com Contrast Security], bringing the power of instrumentation and real time analytics to secure your application portfolio. Previously, Jeff was a founder and CEO of [http://aspectsecurity.com Aspect Security]. He also served as Global Chairman of the OWASP Foundation where he created many open-source standards, tools, libraries, and guidelines, including the OWASP Top Ten, WebGoat, ESAPI, XSS CheatSheet, ASVS and more. Jeff welcomes hearing from you and may be reached directly at [mailto:[email protected] [email protected]].

=== Walt Williams ===
'''Lattice Engines'''<br/>
Walt Williams, CISSP®, SSCP®, CEH, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture.

Mr. Williams' articles on security and service oriented architecture have appeared in the Information Security Management Handbook, and he is the author of Security for Service Oriented Architecture (CRC Press, 2014). He sits on the board of directors for the New England ISSA chapter and is a member of the program committee for Metricon. He has a master's degree in Anthropology from Hunter College.

=== George Ehrhorn ===
'''MathWorks'''<br/>
This talk is about how MathWorks uses the OCTAVE Allegro Framework to model application risks and countermeasures.

=== Dinesh Shetty ===
''''''<br/>

=== Jonathan Chittenden ===
''''''<br/>

=== Sagar Dongre ===
''''''<br/>

=== Patrick Laverty ===
''''''<br/>

=== Steve Markey ===
''''''<br/>

{{2014_BASC:Footer_Template | Speakers}}

Current revision (Presentations), rendered below:

{{2014_BASC:Header_Template | Presentations}}
__FORCETOC__
{{2014_BASC:Presentaton_Info_Template|Securing The Android Apps On Your Wrist and Face|Jack Mannino and Geller Bedoya| | | }}
{{2014_BASC:Presentaton_Info_Template|Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces|Collin Mulliner| | | }}
{{2014_BASC:Presentaton_Info_Template|Why Your AppSec Experts Are Killing You|Jeff Williams| | | }}
{{2014_BASC:Presentaton_Info_Template|Why is CSP Failing? Trends and Challenges in CSP Adoption|Michael Weissbacher| | | }}
{{2014_BASC:Presentaton_Info_Template|The Intersection of Application Architecture and Security Architecture|Walt Williams| | | }}
{{2014_BASC:Footer_Template | Presentations}}

Revision as of 03:33, 30 September 2014


Platinum Sponsors

Akamai Cigital EMC Rapid7 Sonatype


Gold Sponsors

Accuvant bugcrowd Contrast Security NetSPI nVisium Veracode

Silver Sponsor

SWAMP - Software Assurance Marketplace


We kindly thank our sponsors for their support. All slots are full.
Please help us keep BASC free by viewing and visiting all of our sponsors.


We would like to thank our speakers for donating their time and effort to help make this conference successful.




Securing The Android Apps On Your Wrist and Face

Presented by: Jack Mannino and Geller Bedoya

Android Wear and Google Glass introduce new ways of interacting with our apps and receiving timely, contextual information from the world around us. Smartphones and tablets are becoming the central point for sending and receiving data from wearables and sensors. Building apps for a wearable world introduces new risks as well as shifts the responsibilities for implementing security controls to other layers.

Many of the same issues we’re familiar with from past Android experiences are still relevant, while some issues are less impactful or not (currently) possible within existing wearables. At the same time, extending the app’s trust boundaries introduces new points of exposure for developers to be aware of in order to proactively defend against attacks. We want to highlight these areas, which developers may not be aware of when adding a wearable component to an existing app.

In this presentation, we will explore how Android Wear and Glass work underneath the hood. We will examine their methods of communication, data replication, and persistence options. We will examine how they fit into the Android development ecosystem and the new risks to privacy and security that need to be considered. Our goal isn’t to deter developers from building wearable apps, but to enable them to make strong security decisions throughout development.


Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces

Presented by: Collin Mulliner

Graphical user interfaces (GUIs) contain a number of common visual elements or widgets such as labels, text fields, buttons, and lists. GUIs typically provide the ability to set attributes on these widgets to control their visibility, enabled status, and whether they are writable. While these attributes are extremely useful to provide visual cues that guide users through an application's GUI, they can also be misused for purposes for which they were not intended. In particular, in the context of GUI-based applications that include multiple privilege levels within the application, GUI element attributes are often misused as a mechanism for enforcing access control policies.

In this session, we introduce GEMs, or instances of GUI element misuse, as a novel class of access control vulnerabilities in GUI-based applications. We present a classification of different GEMs that can arise through misuse of widget attributes, and describe a general algorithm for identifying and confirming the presence of GEMs in vulnerable applications. We then present GEM Miner, an implementation of our GEM analysis for the Windows platform. We evaluate GEM Miner using real-world GUI-based applications that target the small business and enterprise markets, and demonstrate the efficacy of our analysis by finding numerous previously unknown access control vulnerabilities in these applications.
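The pattern the abstract describes, in miniature, as an added example that is not code from the talk or from GEM Miner: a handler whose only "access control" is a disabled button, the hardened form that checks the policy in the handler, and a probe in the spirit of the general GEM algorithm (flip the restricting attribute, fire the handler, see whether the privileged action succeeds). The widget model, the `admin`/`clerk` roles and the handler names are constructed for illustration.

```python
"""GUI element misuse (GEM) in miniature: a widget attribute used as the
only access-control check, the hardened form, and a GEM Miner-style probe.

Added example, not code from the talk or from GEM Miner. The widgets,
roles and handler names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    user: str
    role: str                       # constructed roles: "admin" or "clerk"
    audit: List[str] = field(default_factory=list)


@dataclass
class Widget:
    name: str
    enabled: bool = True
    visible: bool = True
    handler: Optional[Callable[[Session], str]] = None


# Vulnerable: no check in the handler. The developer relied on the Delete
# button being disabled for clerks, but a disabled or hidden widget can be
# re-enabled from outside the process (e.g. EnableWindow on Windows), and
# the handler then runs with full privilege.
def delete_account_vulnerable(session: Session) -> str:
    session.audit.append(f"{session.user} deleted account")
    return "deleted"


# Hardened: the handler enforces the policy itself; the widget state is
# only a visual cue.
def delete_account_hardened(session: Session) -> str:
    if session.role != "admin":
        return "denied"
    session.audit.append(f"{session.user} deleted account")
    return "deleted"


def build_ui(session: Session, handler: Callable[[Session], str]) -> Dict[str, Widget]:
    """Build the screen the way a GEM-prone app does: the privilege level
    is expressed purely through widget attributes."""
    return {
        "delete_button": Widget("delete_button",
                                enabled=(session.role == "admin"),
                                handler=handler),
        "close_button": Widget("close_button", handler=lambda s: "closed"),
    }


def find_gems(session: Session, ui: Dict[str, Widget]) -> List[str]:
    """Probe for GEMs from a low-privilege session: for every widget the UI
    restricts (disabled or hidden), flip the attribute as an attacker would
    and fire its handler. If the privileged action succeeds, the attribute
    was the only gate and the widget is reported as a GEM."""
    gems: List[str] = []
    for widget in ui.values():
        if widget.enabled and widget.visible:
            continue                          # not restricted; nothing to test
        widget.enabled, widget.visible = True, True
        if widget.handler and widget.handler(session) != "denied":
            gems.append(widget.name)
    return gems


if __name__ == "__main__":
    clerk = Session(user="alice", role="clerk")
    print("vulnerable:", find_gems(clerk, build_ui(clerk, delete_account_vulnerable)))
    clerk = Session(user="alice", role="clerk")
    print("hardened:  ", find_gems(clerk, build_ui(clerk, delete_account_hardened)))
```

Run from a clerk session, the probe reports `delete_button` for the vulnerable handler and nothing for the hardened one; the check is the same whether the widget was disabled, hidden or read-only, because the only question that matters is whether the action behind it enforces the policy on its own.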


Why Your AppSec Experts Are Killing You

Presented by: Jeff Williams

Software development has been transformed by practices like Continuous Integration and Continuous Delivery, while application security has remained trapped in expert-based waterfall mode. In this talk, Jeff will show you how you can evolve into a “Continuous Application Security” organization that generates assurance automatically across an entire application security portfolio. Jeff will show you how to bootstrap the “sensor-model-dashboard” feedback loop that makes real time, continuous application security possible. He will demonstrate the approach with a new *free* tool called Contrast for Eclipse that brings the power of instrumentation-based application security testing directly into the popular IDE. Check out “Application Security at DevOps Speed and Portfolio Scale” for some background.


===Why is CSP Failing? Trends and Challenges in CSP Adoption===

Presented by: Michael Weissbacher

Content Security Policy (CSP) has been proposed as a principled and robust browser security mechanism against content injection attacks such as XSS. When configured correctly, CSP renders malicious code injection and data exfiltration exceedingly difficult for attackers. However, despite the promise of these security benefits and being implemented in almost all major browsers, CSP adoption is minuscule: our measurements show that CSP is deployed in enforcement mode on only 1% of the Alexa Top 100.

In this paper, we present the results of a long-term study to determine challenges in CSP deployments that can prevent wide adoption. We performed weekly crawls of the Alexa Top 1M to measure adoption of web security headers, and find that CSP both significantly lags other security headers, and that the policies in use are often ineffective at actually preventing content injection. In addition, we evaluate the feasibility of deploying CSP from the perspective of a security-conscious website operator. We used an incremental deployment approach through CSP's report-only mode on four websites, collecting over 10M reports. Furthermore, we used semi-automated policy generation through web application crawling on a set of popular websites. We found both that automated methods do not suffice and that significant barriers exist to producing accurate results.

Finally, based on our observations, we suggest several improvements to CSP that could help to ease its adoption by the web community.
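The abstract's point that deployed policies are "often ineffective at actually preventing content injection" comes down to a few recurring configurations. The following is an added example, not the study's measurement code, that parses a `Content-Security-Policy` value and reports those configurations: report-only mode (which enforces nothing), no `script-src` or `default-src` at all, `'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, scheme or wildcard sources, `data:` for scripts, wildcard subdomains, and an unrestricted `object-src`. The sample headers are constructed; the rules encode CSP semantics I am confident of (`script-src` falls back to `default-src`, browsers honour only the first occurrence of a directive, and `'unsafe-inline'` is ignored once a nonce or hash source is present).

```python
"""Audit a Content-Security-Policy header for the configurations that leave
script injection possible even though "a CSP is deployed".

Added example, not the study's measurement code. The headers at the bottom
are constructed.
"""
import re
from typing import Dict, List, Optional

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
WILDCARD_HOST = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?\*\.")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into directive -> source list. Browsers
    honour only the first occurrence of a directive name."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            # Lower-casing is safe here: only keyword prefixes and host
            # patterns are inspected, never nonce or hash values.
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources governing <script>: script-src, else default-src, else none."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str, report_only: bool = False) -> List[str]:
    """Return finding codes; an empty list means the policy restricts
    script execution in the ways this check knows about."""
    findings: List[str] = []
    if report_only:
        findings.append("report-only")        # Report-Only header enforces nothing
    policy = parse_csp(header)
    srcs = script_sources(policy)
    if srcs is None:
        findings.append("no-script-restriction")
        return findings
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        findings.append("unsafe-inline")      # inline <script> and event handlers still run
    if "'unsafe-eval'" in srcs:
        findings.append("unsafe-eval")
    for s in srcs:
        if s in ("*", "http:", "https:"):
            findings.append("scheme-or-wildcard")   # any host may serve scripts
        elif s == "data:":
            findings.append("data-uri")             # <script src="data:..."> bypasses host lists
        elif WILDCARD_HOST.match(s):
            findings.append("wildcard-host")        # one compromised subdomain suffices
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src-unrestricted")  # plugin content can still run script
    return findings


# Constructed sample headers.
WEAK = ("default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.cdn.example data:")
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
          "object-src 'none'; base-uri 'none'; report-uri /csp-report")
LEGACY = "script-src 'self' 'nonce-abc123' 'unsafe-inline'"  # unsafe-inline kept for old browsers

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("strict", STRICT), ("legacy", LEGACY)):
        print(f"{label:7} {audit_csp(hdr)}")
```

The `LEGACY` header shows why a naive grep for `'unsafe-inline'` over-reports: with a nonce present, CSP2-capable browsers ignore the keyword, so the only real gap left in that policy is the missing `object-src` (and `default-src`) restriction. Conversely, `report_only=True` turns a policy into a telemetry source rather than a control, which is the state most of the report-only deployments the abstract describes are in.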


The Intersection of Application Architecture and Security Architecture

Presented by: Walt Williams

This presentation will look at the relationship between security architecture and application architecture, specifically at the impact on application security of recent proposed changes to the Clark-Wilson integrity model. I'll explore those changes in depth and discuss the implications for application design. I'll also discuss the implications of these changes for distributed application architectures such as service oriented architectures and other distributed models.

This presentation will be based upon my recent book, Security for Service Oriented Architectures (CRC Press), and 10 years of experience working with application security architecture in various corporations.


You can find out more about this conference at basc2014.org
Conference Organizer: Jim Weiler