
Front Range OWASP Conference 2013/Presentations

From OWASP
Revision as of 23:09, 7 March 2013 by Jess Garrett (talk | contribs)


Session 1: 10:00-10:45

Title: DevFu: The inner ninja in every application developer

Speaker: Danny Chrastil

Track: Technical

Abstract: Many times we try to draw a distinct line between developers and penetration testers. This creates a barrier that developers often feel intimidated to cross. The truth is that developers have an innate ability and perspective to become great penetration testers themselves.

Developers in the security industry carry a unique toolset as ethical hackers / security consultants that sets them apart from traditional penetration testers. By incorporating these skills as developers and combining them with the understanding and experience of building applications, developers can take web application penetration testing a step further than the rest.

In this paper we will be going over the various aspects to the developer DevFu toolbox including: deep programming knowledge, ability to write scripts on the fly, common shortcuts and their pitfalls, speaking the language, and secure coding practices. We will go over specific examples of scripts that increase productivity and extend functionality of existing pen testing programs.


Title: SIP Based Cloud Instances

Speaker: Gregory Disney-Leugers

Track: Deep Dive

Abstract: In this presentation I will demonstrate the practical applications of the SIP protocol for local cloud instances and how to create secure connections to the cloud using SIP forwarding. Further, I will present methods of securing the cloud and data by using a Linux firmware router to host local-based cloud domains, and I will also show secure methods of deploying these systems. In addition, I will show secure methods of using PHP and databases using SQLite and MongoDB, while using distributed computing between a Linux server and a Linux-based firmware network appliance.

One of the practical applications I plan on presenting is using cloud-based SIP as a replacement for Samba for file sharing in a corporate environment with S3 and WebDAV. Another application I will present is creating a local domain such as HTTPS://cloud.router.sip.com and how to connect to the cloud from a mobile phone using SIP forwarding with SSL tunneling. Lastly, I will show how to use SIP-based domains on VPNs and to create private clouds that have a single point of access.

Lastly, I will demonstrate how to properly set up a Linux server to host local-based domains for secure deployment. In addition, I will show how to properly deploy Cherokee and Apache web servers for hosting SIP domains. Finally, I will show how to properly configure the SIP domains on the Linux-based firmware network appliance. At the end of the presentation a viewer will know how to properly deploy a Linux server for SIP domain hosting and how to create secure cloud instances with SIP.


Title: Measuring Best Security Practices With Open SAMM

Speaker: Alan Jex

Track: Management

Abstract: Security is becoming a competitive advantage in the marketplace. How do we ensure that security is built into products for our customers? Security vulnerabilities can be introduced at any phase of the software development life cycle (SDLC). The Open Software Assurance Maturity Model (OpenSAMM) is a lightweight, flexible framework that helps prevent vulnerabilities and improve security during software development. We should adopt OpenSAMM to measure security best practices and improve our security processes, tools and knowledge.


Title: Electronic Discovery for System Administrators

Speaker: Russell Shumway

Track: Executive/Legal

Abstract: As the Federal Rules of Evidence have evolved over the last several years, and as the volume of information in digital format has overtaken traditional printed media, electronic discovery has become more important than traditional paper-based discovery in litigation. While vendors can help with production, system administrators play a key role in the acquisition and production of Electronically Stored Information (ESI).

This presentation is designed to present an overview of the discovery process, how it differs from traditional computer forensics, and tips for administrators and managers to better assist in the production of ESI in the event of litigation (and hopefully to reduce the costs associated with production).


Session 2: 10:55-11:40

Title: Adventures in Large Scale HTTP Header Abuse

Speaker: Zachary Wolff

Track: Technical

Abstract: While the technique of sending malicious data through HTTP Header fields is not new or unheard of by any means, there is certainly a noticeable lack of available information on the topic. For this reason I set out to do some research and testing of my own.

It didn't take long to find a site that was vulnerable to an HTTP Header attack, and the question I found myself asking was: how widespread is this problem?

Tracking down an answer to this question was not an easy task. In the end it involved the writing of two new tools and then a 'random' audit of 1.6 Million websites.

In this presentation we will look briefly at the history of HTTP Header attacks, the logic that went into the creation of an HTTP Header Audit tool, and most interestingly the findings of the test run.

How many vulnerable websites were discovered? What attacks were they most susceptible to? Which Header fields are most likely to be vulnerable? We will look into these questions and a host of other data collected during the research. We will also discuss defensive techniques around HTTP header abuse and how to efficiently audit a site's HTTP Header fields for vulnerabilities.


Title: How Malware Attacks Web Applications

Speaker: Casey Smith

Track: Deep Dive

Abstract: Modern malware has outpaced the ability for traditional defenses to detect and contain the threats. The core of the presentation will be about several techniques used by malware to attack web applications:

- WebInjects (aka Man-in-the-Browser)
  • Files that contain JavaScript and HTML in order to alter the user experience in the application.

- Form-Grabbing
  • The technique for capturing web form data within browsers.

- Session Hijacking
  • The ability to redirect control of a session to an attacker.

- Persistence and Stealth
  • How does the malware go undetected for so long?

- Countermeasures
  • How to detect malware interacting with your web applications.


Title: Software Assurance Improvements Through Innovation and Collaboration

Speaker: Kevin Greene

Track: Management

Abstract: Software weaknesses lead to vulnerabilities that put our nation’s critical resources at risk. Software size and complexity introduce risks and impact the overall quality of software. The material that will be covered in this session addresses areas of research that address key problem areas in Software Assurance.


Title: CISPA Why Privacy Advocates This Legislation

Speaker: Maureen Donohue Feinroth

Track: Executive/Legal

Abstract: Reintroduced in the House of Representatives on February 13, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed US law which would allow for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattack.

CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation, the American Civil Liberties Union, and Avaaz.org. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers. CISPA has garnered favor from corporations and lobbying groups such as Microsoft, Facebook and the United States Chamber of Commerce, which look on it as a simple and effective means of sharing important cyber threat information with the government.

Some critics saw CISPA as a second attempt at strengthening digital piracy laws after the anti-piracy Stop Online Piracy Act became deeply unpopular. Intellectual property theft was initially listed in the bill as a possible cause for sharing Web traffic information with the government, though it was removed in subsequent drafts.



Session 3: 12:40-13:25

Title: Angry Cars: Hacking the "Car as Platform"

Speaker: Aaron Weaver

Room/Track: Technical

Abstract: Recently Renault announced what it describes as a “tablet,” an integrated Android device built into its next range of cars, effectively opening the way to the car-as-a-platform: “The car is becoming a new platform. We need developers to work on apps.” Not to be left behind, Ford has introduced the OpenXC platform, which it sees as a channel for collaboration between Ford and 3rd party application developers. What role will security play in shaping this newly emerging technology, when your car can tweet that it needs an oil change? Cars rely heavily on small embedded microprocessors running on a network that was never designed to be secure. This talk will look at the current technologies used (CAN bus, OBDII, and tire pressure monitoring systems) and demonstrate their inherent weaknesses. What should be considered in the future when most cars will be connected to the Internet?


Title: Top Ten Web Application Defenses

Speaker: Jim Manico

Track: Deep Dive

Abstract: We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.


Title: Using SaaS and the Cloud to Secure the SDLC

Speaker: Andrew Earle

Track: Management

Abstract: This session will cover SaaS offerings and how they can be effectively utilized in web security development efforts. Over the last few years, cloud services (i.e. SaaS) have been increasingly used as both a starting point for application security efforts and as a full outsourcing of the appsec program. However, by the very nature of cloud outsourcing and delivery, it is difficult to evolve this approach into a mature secure development lifecycle. Developer involvement is a necessity, and the solution has been to bring vulnerability assessment technologies in house. But recently, organizations have started to deploy a mixture of on-premise and cloud appsec solutions as an alternative to the all or nothing paradigm of on-premise or SaaS.

Topics covered include:

- Overview of vulnerability assessment using SaaS
- Overview of on-premise vulnerability scanning in the SDLC
- Challenges of on-premise and SaaS implementations
- Private cloud variations of on-premise and SaaS offerings
- Hybrid on-premise/cloud implementations in the SDLC
- Use of automation and integration with development infrastructure to ease developer adoption of on-premise/cloud appsec implementations
- How organizations can use SaaS to get started with application security and mature into a robust software security assurance program featuring on-premise and cloud deployments.


Title: Digital Bounty Hunters - Decoding Bug Bounty Programs

Speaker: Jon Rose

Track: Executive/Legal

Abstract: Let’s deconstruct the world of digital bounty hunters.

Amid the growing trend to “crowd source” services, a few progressive enterprises are taking a new approach to information security. A potential game-changer, these companies are shifting the traditional model of IT risk assessment by opening their doors -- and their wallets -- to freelance hackers who break in without fear of legal repercussions. Bug Bounty Programs pay cash money to hackers for responsibly disclosing security vulnerabilities on production applications and networks.

From the vantage point of the bounty hunter, this presentation will examine who these freelance hackers are, their motivations, and their perspective on the value of bug bounty programs. It is equally as important to understand the perspective of the individuals that run these programs, how the programs fit into a comprehensive, information security framework, as well as key successes and failures to date of this new crowd-sourced model. As part of this, the discussion will review metrics from an existing program and highlight some of the more interesting bugs discovered.

Ultimately, what is the future for these bug bounty programs? Will they disrupt the existing marketplace for professional security consultant services by offering a cheaper, more effective crowd-sourced approach? Or are these programs simply a tool for the most advanced, most daring companies to take their security programs to the next level.



Session 4: 13:35-14:20

Title: Real World Cloud Application Security

Speaker: Jason Chan

Track: Technical

Abstract: This presentation will provide the audience with a case study of how real world organizations using the public cloud are approaching application security. Netflix, one of the largest AWS and public cloud users in the world, will serve as the subject of the case study.

I will cover a variety of topics of interest to application security personnel, including:

- Automating and integrating security into CI/CD environments
- Large scale vulnerability management
- Continuous security testing and monitoring, including Netflix's Security Monkey and Exploit Monkey frameworks
- Cultural integration of security in DevOps/agile organizations


Title: A Demo of and Preventing XSS in .NET Applications

Speaker: Larry Conklin

Track: Deep Dive

Abstract: My presentation is titled “A Demo of and Preventing XSS in .Net applications”. The presentation will include using Microsoft’s Web Protection Library/AntiXSS and OWASP’s AntiSamy.NET project, and using CAT.NET to find XSS vulnerabilities in .NET applications.


Title: Defending Desktop (.NET/C#) Applications: Mitigating in the Dark (A Case Study Remix)

Speaker: Jon McCoy

Track: Management

Abstract: This presentation is on the case study(s) of desktop applications undergoing a cracking/hacking/attacking life cycle. This is the summation of multiple software projects undergoing attacks from a detected and focused attacker. This presentation follows Product Owner(s) and Coder(s) going through a self-directed response. Your software project has been going for years, your client base is growing, you're making deadlines, then one day some e-mail shows up and your world starts to crumble. Crack after crack keeps coming out every version; your new upgrades/code keep showing up in a competing product; malware keeps hitting your clients. See the steps taken by day-to-day Product Owner(s) and Coder(s) as they respond to security events that never crossed their minds as potential threats.


Title: Crafting a Plan for When Security Fails

Speaker: Robert Lelewski

Track: Executive/Legal

Abstract: A computer security incident, whether an exposed system with protected data or a hacked application, requires a planned response to quickly address and contain the threat. We exist in a world where having a plan is a necessity. Companies in various industries possess vast amounts of regulated and confidential data; this arrangement places a great amount of responsibility on the custodian. Unfortunately, in today's world, it is almost inevitable that you will be the target of an attack or mishandle data that may cause a potential exposure. Do you have a codified plan that helps guide your response?

CSIRPs are robust documents that are difficult to create. Developing a CSIRP that takes into account organizational culture and existing structure, creates buy-in from various departments, and is applicable in a wide array of emerging and existing threats while balancing substance and brevity may be a herculean task.

This presentation will provide the basis for the need for a CSIRP, discuss pitfalls and strategies when crafting CSIRPs, explore common ways they fail, and offer tips to create a healthy, viable, and useful process to use when confronting a computer security incident.

Crafting an Incident Response Plan is a presentation geared towards those wishing to learn more about creating a viable computer security incident response plan (CSIRP).



Session 5: 14:30-15:15

Title: DevOps and Security: It's Happening. Right Now.

Speaker: Helen Bravo

Track: Technical

Abstract: How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-paced environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated.

Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include:

• Re-evaluate existing security tools and consider their integration within a CD environment
• Deliver a secured development framework and enforce its usage
• Pinpoint precise security code flaws and provide optimal fix recommendations


Title: Data Mining a Mountain of Zero Day Vulnerabilities

Speaker: Joe Brady

Track: Deep Dive

Abstract: Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? How secure are third party software components? We will address these questions and many others, giving you a deep dive into metrics at a scale that can't be found anywhere else.


Title: Linking Security to Business Value in the Customer Service Industry

Speaker: Dan Rojas

Track: Management

Abstract: The value of trust cannot be understated when discussing Superior Customer Service. “The main benefit of trust is customer loyalty, which in turn leads to a longer term relationship, greater share of wallet, and higher advocacy or word of mouth. Results from our consumer survey show that emotional and rational trust drive between 22% and 44% of customer loyalty.” - Study by ESCP Europe Business School

Privacy protection is a pillar of trust. Studies show PRIVACY is of paramount importance to consumers and is growing in importance. A 2012 Ponemon Institute study on the “Most trusted companies on privacy” found that while the importance of privacy has grown over the last seven years, the loss of control over privacy has also grown as well.

The Call Center industry is at the confluence of these competing social and business priorities. On the one hand, the customer service representative (CSR) must engender competence and trustworthiness, and on the other hand the CSR must ask the caller for a credit card number or social security number, the most private, personal and valuable pieces of information a consumer possesses.

Where there is a gap in expectations between consumers and businesses, there is an opportunity for business to differentiate themselves and fill the gap and win market share. This opportunity is being realized by emerging technology designed to satisfy Compliance standards as well as real consumer demand for privacy protections.

Call Centers, as well as other types of businesses that can address consumers' demand for privacy protections, can improve their long term bottom line through TRUST and customer loyalty.


Title: Information Control: The Critical Need for a Defensible Position - Securing the Information Ecosystem

Speaker: Tom Glanville

Track: Executive/Legal

Abstract: Given an overview of identity theft, fraud and information exposure, participants will discover that the liability of these issues is much broader than they are prepared to manage.

Given case studies and stories from field experience, participants will identify gaps in information compliance policies and practices that place every organization at risk beyond areas of commerce, compliance, and technology.

Upon completion of the session participants will recognize critical gaps in their information ecosystem that need to be addressed in order to create a defensible position in the case of a breach.