Join us at AppSec California 2014!


AppSec California is the first of hopefully many annual conferences hosted by all of the California chapters. Join us on the beaches of Santa Monica which is closest to our Los Angeles Chapter. Space is limited to around 200 attendees so be sure to get your ticket before we sell out!

Come a little early or stay the rest of the week; however you enjoy it, the weather is likely going to be warmer than where you are. Enjoy the Santa Monica pier and downtown area or explore the surrounding cities. You probably have a client or 10 nearby as well, so say hello to them while you are here.

Stay tuned as activities around the event are updated and more speakers are added to the lineup. A schedule will come at some point.


Register today! 
Monday, January 27
 

10:45am PST

AppSec at DevOps Speed and Portfolio Scale
Software development is moving much faster than application security, with new platforms, languages, frameworks, paradigms, and methodologies like Agile and DevOps. Unfortunately, software assurance hasn't kept up with the times. For the most part, our security techniques were built to work with the way software was built in 2002.

Here are some of the technologies and practices that today’s best software assurance techniques *can’t* handle: JavaScript, Ajax, inversion of control, aspect-oriented programming, frameworks, libraries, SOAP, REST, web services, XML, JSON, raw sockets, HTML5, Agile, DevOps, WebSocket, Cloud, and more. All of these rest pretty much at the core of modern software development.

Although we’re making progress in application security, the gains are much slower than the stunning advances in software development. After 10 years of getting further behind every day, software *assurance* is now largely incompatible with modern software *development*. It’s not just security tools – application security processes are largely incompatible as well. And the result is that security has very little influence on the software trajectory at all.

Unless the application security community figures out how to be a relevant part of software development, we will continue to lag behind and effect minimal change. In this talk, I will explore a radically different approach based on instrumenting an entire IT organization with passive sensors to collect real time data that can be used to identify vulnerabilities, enhance security architecture, and (most importantly) enable application security to generate value. The goal is unprecedented real-time visibility into application security across an organization's entire application portfolio, allowing all the stakeholders in security to collaborate and finally become proactive.

Speakers

Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Monday January 27, 2014 10:45am - 11:45am PST
Track 3

10:45am PST

Attack Driven Defense
Traditionally, defense has been approached without enough emphasis on countering real world attack behaviors. This presentation will cover new network defense techniques from an attack perspective, specifically focusing on building detection systems around initial compromise, persistence/C2, and lateral movement. It will discuss practical methods of alerting on both host and network level persistence, what works (and what doesn’t!) with network traffic anomaly analysis, and useful approaches for correlating weak and strong attack signals. Finally, this presentation will demonstrate effective ways to reduce organizational attack surface, simulate realistic adversaries, and increase cost for attackers.

Speakers

Zane Lackey

Director of Security Engineering, Etsy
Zane Lackey is the Director of Security Engineering at Etsy and a member of the Advisory Council to the US State Department-backed Open Technology Fund. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners. He has been featured in notable media outlets such as the...


Monday January 27, 2014 10:45am - 11:45am PST
Track 1

10:45am PST

Confessions of a Social Engineer: Why Developers Are My Favorite Target
Social engineers use a dangerous combination of technology and old fashioned con artistry to infiltrate organizations every day. In this talk we'll walk through the social engineering process including research, target selection, attack selection, and attack execution. Learn to see the world through the eyes of a social engineer and prevent yourself from being a victim.

Speakers

Valerie Thomas

Securicon LLC
Valerie Thomas (hacktress09) is a Senior Information Security Consultant for Securicon LLC who specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the...


Monday January 27, 2014 10:45am - 11:45am PST
Track 2

1:45pm PST

Can AppSec Training Really Make a Smarter Developer?
Most application risk managers agree that training software developers to understand security concepts can be an important part of any software security program. Couple that with the Payment Card Industry, who mandate that developers should have training in secure coding techniques as laid out in their Data Security Standard. Yet others call developer training "compliance-ware," a necessary evil and a tax on software development in the enterprise.
This presentation shares the results of a yearlong survey of nearly 1,000 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements. The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers

John Dickson

Principal, Denim Group
John Dickson is a Principal at Denim Group, Ltd. and a CISSP who helps CSOs manage secure software initiatives. He is a Distinguished Fellow of ISSA and one of the civilian advisers to the Air Force Space Command, which organizes, trains and equips cyberspace forces to conduct network...


Monday January 27, 2014 1:45pm - 2:45pm PST
Track 3

1:45pm PST

PRISM-AS-A-SERVICE: Not Subject to American Law
X-as-a-Service products are integral in the U.S. tech industry with their ability to take the pain out of server configuration, maintenance, provisioning, data storage and other aspects of running a server. With the recent outing of PRISM, a clandestine national security electronic surveillance program, the next desirable IT feature is "not subject to American law." How can we leverage cloud-based software while maintaining privacy?

This talk is a look at what exactly PRISM is, how PRISM affects cloud services, and how best to approach securing data and preserving privacy within the cloud.

Speakers

Lynn Root

Partner Engineer, Spotify
Software engineer for Spotify, founder of the San Francisco Chapter of PyLadies, board member of the Python Software Foundation. VM breaker, insomniac, coffee addict.


Monday January 27, 2014 1:45pm - 2:45pm PST
Track 2

1:45pm PST

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.

In this talk we explore the vulnerabilities behind JavaScript, including:
- A new class of vulnerabilities unique only to JavaScript
- Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
- HTML5 is considered the NG-JavaScript. In turn, HTML5 introduces a new set of vulnerabilities

Speakers

Maty Siman


Monday January 27, 2014 1:45pm - 2:45pm PST
Track 1

2:45pm PST

HTTP Time Bandit
While web applications have become richer to provide a higher level user experience, they run increasingly large amounts of code on both the server and client sides. A few of the pages on the web server may be performance bottlenecks. Identifying those pages gives both application owners as well as potential attackers the chance to be more efficient in performance or attack.

Speakers

Tigran Gevorgyan

Born in Yerevan, Armenia. Graduated from Yerevan State University with honors in 1996. Immigrated to the USA in 1999. Worked in various companies in the network security field, such as Network Associates, Imperito Networks and Qualys.

Vaagn Toukharian

Qualys
Principal Engineer for Qualys's Web Application Scanner. Has been involved with the security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, and Web scanners. Outside of work, interests include photography and Ironman...


Monday January 27, 2014 2:45pm - 3:45pm PST
Track 2

2:45pm PST

Million Browser Botnet
Online advertising networks can be a web hacker's best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary JavaScript -- even malicious JavaScript! You are SUPPOSED to use this "feature" to show ads, to track users, and get clicks, but that doesn't mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive JavaScript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild. Besides attacking ourselves we've also tested against a well known target with lots of DDoS protection… Akamai.

With a few lines of HTML5 and JavaScript code we'll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn't intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario didn't worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That's what we want! At a moment's notice, we will show how it is possible to run JavaScript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.

Speakers

Jeremiah Grossman

Chief Technology Officer, WhiteHat Security
Jeremiah Grossman founded WhiteHat Security in August 2001 and currently serves as Chief Technology Officer, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author...

Matt Johansen

Manager, Threat Research Center, WhiteHat Security
Matt Johansen is the Manager of the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies and their customer data. Before managing the team he was an Application...


Monday January 27, 2014 2:45pm - 3:45pm PST
Track 1

2:45pm PST

Whiz, Bang, ZAP! An introduction to OWASP's Zed Attack Proxy
The OWASP Zed Attack Proxy (ZAP) is "an easy to use integrated penetration testing tool for finding vulnerabilities in web applications." The technology is comparable to IBM AppScan and HP WebInspect - but free, open source and maintained by OWASP volunteers. The project has seen a tremendous amount of development lately. Learn about the tool, what it can do for you, and optionally bring your laptop to follow along as we use it to test some (purposefully insecure) web applications.

Speakers

Ben Walther

Security Engineer
Ben Walther is a security engineer, with a background consulting and teaching for Symantec, Cigital, and within higher education. He is the co-author of the Web Security Testing Cookbook and an active contributor to OWASP projects.


Monday January 27, 2014 2:45pm - 3:45pm PST
Track 3

4:15pm PST

New Frameworks, Old Problems
The web development community has seen a rise in new web frameworks that provide small to large organizations with the opportunity to decrease development time and increase productivity. Frameworks such as Play! and Node.js as well as their supporting API(s) allow development staff to quickly and efficiently create and ship a product. But with these new frameworks come the same security issues that have plagued the web for years.

This talk will show how frameworks such as Spring and Django have solved these issues in the past, gaps in the newer frameworks, and provide code examples as well as offer helpful solutions to address these concerns within the frameworks discussed during this talk.


Monday January 27, 2014 4:15pm - 5:15pm PST
Track 2

4:15pm PST

OWASP Top 10 Mobile Risks: 2014 Reboot
The OWASP Top 10 Mobile Risks were first created in 2011. However, a lot has changed over the past three years. The mobile platforms themselves have evolved, mobile threats have evolved, and app developers have experimented with crazy new things. As a result, the OWASP Mobile Security Project decided it was the time to take another look at the threat landscape.

In this presentation, we will present the 2014 version of the OWASP Top 10 Mobile Risks for the first time. We will highlight the differences between the 2011 and 2014 versions and we will explain why some risks were added to the list, dropped altogether, elevated in criticality, or bumped down a few notches. As we present each risk that made the list, we will provide supporting data and explain the reasoning behind each entry in detail.

But what would an OWASP presentation be without also providing solutions to the problems we’re pointing out? For each of the risks identified, recommended fixes will be provided for the most commonly used mobile platforms (which pretty much means iOS, Android, and if we’re feeling adventurous, Windows Phone).

Speakers

Jason Haddix

Jason is also the Director of Penetration Testing at Fortify Software. Jason performs (and trains internal candidates for) mobile penetration testing, black box web application auditing, network/infrastructural security assessments, cursory mainframe security analysis, cloud architecture...

Jack Mannino

Jack Mannino is a Partner at nVisium, a DC area firm specializing in application security. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active...


Monday January 27, 2014 4:15pm - 5:15pm PST
Track 1

4:15pm PST

Securing the Software Supply Chain
In today’s digitally connected world, organizations must work with multiple partners across their lines of businesses. As these partners are allowed to connect into the parent networks, the risk of propagating a vulnerability from a partner into parent networks increases. Cybercriminals are looking to exploit the holes in the partner and supply chain networks to steal corporate information and valuable data from parent networks. As these targeted attacks can be a substantial risk to organizations along the breadth of the supply chain, software security experts have been working to find a more permanent way to ensure the integrity of the software supply chain.

In this presentation, Cenzic’s CEO John Weinschenk will discuss the software supply chain domain, and the potential checks and balances that could enable companies to ensure the “chain of custody” as the applications connect across multiple networks. John will discuss methods for securing code as it is passed between organizations, and methods for improving the software development process so that vulnerabilities are less likely to be introduced.

Speakers

John Weinschenk

CEO and President, Cenzic
John Weinschenk is a technology executive who has led several companies to unprecedented success. John's career is marked by an unusually broad background in both engineering and business. John has led technical groups in key security and enterprise software firms, and has brought...


Monday January 27, 2014 4:15pm - 5:15pm PST
Track 3

5:15pm PST

Adventures in Reviewing Mountains of Code
I recently found myself at a client site, faced with 2.6 million lines of code; none of which could leave the building. I started climbing this small mountain. This talk discusses my approach to this problem, experiments run during this assessment, and some unexpected encounters along the way.

Speakers

Jon Boyd

Jon Boyd is a Sr. Security Engineer at Security Innovation, where he conducts penetration testing and security assessments on hardened targets. When not looking for vulnerabilities in code, Jon enjoys picking locks and hiking in the Cascades.


Monday January 27, 2014 5:15pm - 6:15pm PST
Track 3

5:15pm PST

DIY Command & Control For Fun And *No* Profit
This talk is called "DIY Command & Control For Fun And *No* Profit" because many security professionals have heard about Command & Control botnets, and even more have been infected by them. Very few have had the opportunity to actually look inside the server control panel of a C&C. This mainly hands-on presentation will walk you through a very dark corner of the Internet and provide a glimpse of the daily life of a cybercriminal. Live malware will be used during this presentation so make sure you turn off your Wi-Fi.

Speakers

David Schwartzberg

Senior Security Engineer, Barracuda Networks
David Schwartzberg is a Senior Security Engineer at Barracuda Networks, specializing in malware, web threats, endpoint and data protection, mobile security, cloud and network security. David has presented at GrrCON, THOTCON, DerbyCon, BSides and several other conferences. David is...


Monday January 27, 2014 5:15pm - 6:15pm PST
Track 2

5:15pm PST

The Cavalry Is Us: Protecting the public good
In the Internet of Things, security issues have grown well beyond our day jobs. Our dependence on software is growing faster than our ability to secure it. In our efforts to find the grown-ups who are paying attention to these risks, one painful truth has become clear: The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. At DerbyCon, we begin the work of shaping our futures. Here at AppSec, we have the opportunity to level-up and reframe our role in all of this. As the initiated, we face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety. Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. It is time for some uncomfortable experimentation.
This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and to organize and initiate our constitutional congress working sessions. The time is now. It will not be easy, but it is necessary, and we are up for the challenge.
It's high time we make our dent in the universe. For background, please watch the video of the launch of @iamthecavalry: http://bit.ly/16YbpC1 Join the conversations also at the Google group: https://groups.google.com/d/forum/iamthecavalry

Speakers

Beau Woods

Founder/CEO, Stratigos Security
Beau Woods is Founder/CEO of Stratigos Security, with over a decade in the IT and Information Security industries. Beau is an active participant in the security community and has contributed to several publications and articles, participating in OWASP and HIMSS mobile security groups...


Monday January 27, 2014 5:15pm - 6:15pm PST
Track 1
 
Tuesday, January 28
 

9:30am PST

Application Sandboxes: Know thy limits
As we secure applications leveraging sandboxes, it is important to understand the attack surface as it presents opportunities for attackers. In this talk we’ll decompose application sandboxes from the lens of a pen-tester. We look at various popular sandboxes such as Google Chrome, Adobe Reader X, and Sandboxie, amongst others, and discuss the limitations of each technology and its implementation details. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.

Speakers

Rahul Kashyap

Chief Security Architect, Head of Research, Bromium
Rahul Kashyap is Chief Security Architect, Head of Security Research at Bromium. Before joining Bromium, he led the worldwide Threat Research teams at McAfee Labs, a wholly owned subsidiary of Intel. Rahul has created and worked on several security technologies that are deployed in...


Tuesday January 28, 2014 9:30am - 10:30am PST
Track 1

9:30am PST

CSRF: not all defenses are created equal
CSRF is an often misunderstood vulnerability. In this talk I will introduce CSRF and the basic defenses against it. Then I will go through all of the various major solutions and describe how they implement the general solution and the positives and negatives of each implementation.
The general solution is to implement the synchronizer token pattern. This is usually done in the framework and not by the individual developer. For example, .NET applications can use the AntiForgeryToken (for MVC applications) or ViewStateUserKey. Tomcat web server and F5 load balancers also now include CSRF prevention filters. OWASP of course has CSRFGuard. All of these solutions though are slightly different and can lead to different side effects, some of which are little understood and poorly documented. Some side effects can impact usability, or cause worse security problems while trying to defend against CSRF.
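The synchronizer token pattern the abstract refers to, as an added example (not code from the talk or from any of the frameworks it names). It assumes an in-memory session store and a form that carries the token in a hidden field; the `per_request` switch imitates filters that rotate the token on every render, and the two-tab check shows the usability side effect that rotation buys:

```python
import hmac
import secrets

# Constructed in-memory session store for the demo: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and mint its synchronizer token once, at login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid, per_request=False):
    """Return the value the hidden <input name="csrf_token"> would carry.

    per_request=False: the per-session token (the classic synchronizer token).
    per_request=True:  rotate the token on every render, as some filters do, so
                       only the most recently rendered form stays valid."""
    session = SESSIONS[sid]
    if per_request:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def verify_post(sid, submitted_token):
    """Gate a state-changing request on the token from the request body.

    A forged cross-site submission carries the victim's session cookie
    automatically but cannot read the token, so it arrives empty or wrong.
    The comparison is constant-time to avoid leaking the token byte by byte."""
    session = SESSIONS.get(sid)
    if session is None or not isinstance(submitted_token, str) or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), submitted_token.encode())


def forged_request_blocked():
    """Attacker scenario: the victim's cookie rides along, the token does not."""
    sid = new_session()
    render_form(sid)
    missing = verify_post(sid, "")
    guessed = verify_post(sid, secrets.token_urlsafe(32))
    other_session = verify_post(sid, render_form(new_session()))  # token bound to the wrong session
    return not (missing or guessed or other_session)


def two_tabs(per_request):
    """Usability side effect: open the same form in two tabs, submit both."""
    sid = new_session()
    tab1 = render_form(sid, per_request)
    tab2 = render_form(sid, per_request)
    return verify_post(sid, tab1), verify_post(sid, tab2)


if __name__ == "__main__":
    print("forged request blocked:", forged_request_blocked())
    print("per-session token, two tabs:", two_tabs(per_request=False))
    print("per-request token, two tabs:", two_tabs(per_request=True))
```

With a per-session token both tabs submit successfully; with per-request rotation the first tab's token is stale by the time it is submitted, which is the kind of poorly documented side effect the abstract warns about. The token is read from the request body only: reading it from a cookie would defeat the pattern, since the forged request carries cookies too.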

Speakers

Ari Elias-Bachrach

Defensium
Ari has been in infosec for about 10 years. A former penetration tester, he has since migrated over to the defensive side, and spends most of his time working with developers trying to address application security concerns, and trying to bridge the gap between development and security...


Tuesday January 28, 2014 9:30am - 10:30am PST
Track 2

9:30am PST

Running At 99%: Surviving An Application DoS
Application-Level Denial of Service (DoS) attacks are a threat to nearly everyone hosting content on the Internet. DoS attacks are simple to launch, but can be difficult to defend against. Modern websites are a diverse set of moving parts, and a malicious actor only needs to find the point at which any one of these systems is overwhelmed to bring your website to a halt.

Organizations may approach this problem by increasing capacity, perhaps leveraging the cloud to expand horizontally. This can be a successful short term mitigation strategy, but a combined historic and real-time view of who is accessing your website (and why) gives you the chance to actively defend as opposed to simply absorbing the traffic. Trending this data over time allows your response time to decrease while keeping your front door open. In this talk I will present a new open source project, written primarily in Node.js, that can be used as a defense framework for mitigating these attacks.
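The historic-plus-real-time view described above, and the bottleneck pages the "HTTP Time Bandit" abstract earlier on this page says an attacker would hunt for, as one added example. This is not the talk's Node.js project and not the Qualys tooling; it is a stand-alone Python sketch over a constructed access log in a simplified format, with assumed thresholds (5x the historic per-client rate, floor of 10, or 30 s of estimated server time per 60 s window):

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log, one request per line:
#   "<iso timestamp> <client ip> <method> <path> <status> <response seconds>"
# BASELINE stands in for the historic view (yesterday's normal traffic).
BASELINE = [
    "2014-01-27T10:00:05 198.51.100.10 GET / 200 0.04",
    "2014-01-27T10:00:07 198.51.100.10 GET /search 200 0.81",
    "2014-01-27T10:00:30 198.51.100.10 GET /report 200 5.1",
    "2014-01-27T10:00:40 198.51.100.10 GET /search 200 0.79",
    "2014-01-27T10:01:02 198.51.100.23 GET / 200 0.06",
    "2014-01-27T10:01:10 198.51.100.23 GET /search 200 0.85",
    "2014-01-27T10:01:30 198.51.100.23 GET /report 200 4.9",
    "2014-01-27T10:01:55 198.51.100.23 GET /search 200 0.75",
]


def _burst(ip, path, secs, step, n):
    """Constructed live traffic: n requests from ip to path, `step` seconds apart."""
    return [f"2014-01-28T10:00:{i * step:02d} {ip} GET {path} 200 {secs}" for i in range(n)]


# LIVE is the real-time view: two hypothetical abusive clients plus one normal one.
LIVE = (_burst("203.0.113.7", "/search", 0.9, 2, 12)     # 12 searches in 22 s
        + _burst("203.0.113.9", "/report", 5.2, 5, 7)    # 7 hits on the slowest page in 30 s
        + ["2014-01-28T10:00:15 198.51.100.10 GET / 200 0.05"])


def parse(line):
    ts, ip, _method, path, status, secs = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "path": path,
            "status": int(status), "secs": float(secs)}


def endpoint_profile(lines):
    """Historic per-path profile: mean response time and mean requests per
    client-minute.  The slow paths are the bottlenecks a Time-Bandit-style
    probe would look for, so they get the tightest budget below."""
    secs = defaultdict(list)
    per_client_minute = defaultdict(lambda: defaultdict(int))
    for r in map(parse, lines):
        secs[r["path"]].append(r["secs"])
        minute = r["ts"].replace(second=0, microsecond=0)
        per_client_minute[r["path"]][(r["ip"], minute)] += 1
    return {
        path: {
            "mean_secs": sum(times) / len(times),
            "mean_rpm_per_client": sum(per_client_minute[path].values()) / len(per_client_minute[path]),
        }
        for path, times in secs.items()
    }


def slowest_endpoints(profile, n=2):
    """The pages an attacker would pick; the ones a defender budgets first."""
    return sorted(profile, key=lambda p: profile[p]["mean_secs"], reverse=True)[:n]


def detect(lines, profile, window_secs=60, rate_multiplier=5.0, cost_budget_secs=30.0):
    """Replay live requests through a sliding window per (client, path).  Alert
    once per pair when the client's request count in the window exceeds
    rate_multiplier x the historic per-client rate (floor of 10), or when the
    server time its requests cost (count x historic mean seconds) exceeds
    cost_budget_secs.  The cost rule catches a slow, expensive endpoint being
    hammered at a rate that would look harmless on a cheap one."""
    windows = defaultdict(deque)
    flagged, alerts = set(), []
    for r in sorted(map(parse, lines), key=lambda r: r["ts"]):
        key = (r["ip"], r["path"])
        q = windows[key]
        q.append(r["ts"])
        while (r["ts"] - q[0]).total_seconds() > window_secs:
            q.popleft()
        base = profile.get(r["path"], {"mean_secs": 0.1, "mean_rpm_per_client": 1.0})
        rate_limit = max(10, base["mean_rpm_per_client"] * rate_multiplier * window_secs / 60)
        cost = len(q) * base["mean_secs"]
        if key not in flagged and (len(q) > rate_limit or cost > cost_budget_secs):
            flagged.add(key)
            alerts.append({"ip": r["ip"], "path": r["path"], "requests_in_window": len(q),
                           "est_server_secs": round(cost, 1), "at": r["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    profile = endpoint_profile(BASELINE)
    print("slowest endpoints:", slowest_endpoints(profile))
    for a in detect(LIVE, profile):
        print(a)
```

On the constructed data the `/search` client trips the rate rule at its 11th request, while the `/report` client never exceeds the rate floor but trips the cost rule at its 7th request, because each hit costs about five seconds of server time. That is the difference between counting requests and weighing them by the historic cost of the page they hit; the thresholds themselves are tuning knobs, not recommendations.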

Speakers

Ryan Huber

Engineer, Risk I/O
Ryan is an engineer at Risk I/O, a security Software-as-a-Service company. Prior to Risk I/O he spent the majority of his career at Orbitz.com, where his varied roles included: management of the flight search farm, leader of EU information security at sister site eBookers.com, and...


Tuesday January 28, 2014 9:30am - 10:30am PST
Track 3

11:30am PST

libinjection: from SQLi to XSS
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks from user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS attacks. Like the SQLi libinjection algorithm, this does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, this is available on GitHub under a free license. We’ll discuss the current state of libinjection SQLi, how SQLi and XSS differ semantically from a defender's point of view, how the libinjection algorithm works, the current results and availability.

Speakers

Nick Galbreath

Owner, Client9
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise...


Tuesday January 28, 2014 11:30am - 12:30pm PST
Track 1

11:30am PST

OWASP Top Ten Proactive Controls
You cannot hack your way secure! 
The OWASP Proactive Controls is a "Top 10 like document" aimed to help developers build secure applications. This project is phrased and built in a positive, testable manner that describes the Top 10 software control categories that architects and developers should absolutely, positively include 100% of the time in every software project. 
This talk will cover the fundamental controls in critical software categories such as Authentication, Access Control, Validation, Encoding, Query Parameterization, Data Protection, Secure Requirements, Secure Architecture and Secure Design.

Speakers

Jim Manico

Consultant, Independent
Jim is a global board member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and several secure coding projects.


Tuesday January 28, 2014 11:30am - 12:30pm PST
Track 2

11:30am PST

What is CSP and why haven't you applied it yet?
It’s 2013, and cross-site scripting is still on the OWASP top 10, ten years after it was in the number four slot on the same list. Cross-site scripting, although seemingly easy to remediate, continues to be problematic for developers, as edge cases crop up where the typical mitigation strategies are confusing. However advances in modern browser security provide developers the opportunity to become far more proactive in addressing this vulnerability class using a technology known as content-security policy (CSP).

When configured and implemented correctly, CSP can severely cripple cross-site scripting attacks. Big technology companies such as Twitter, Facebook, Etsy, and GitHub are using this to transparently protect their end users from this common vulnerability class.

This session is a combination of short micro talks and a panel discussion geared at getting you the tools needed to understand and implement CSP.

The first microtalk will be a primer to CSP. We will break down what CSP is and provide you the tools to get started with it. The next microtalk is centered around how to sell CSP to management, and techniques to increase adoption in your organization. The final microtalk is around what the web may look like in 5 years, and how content-security policy will play a key role in mitigating increasingly potent client-side attacks.
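What "configured and implemented correctly" means in practice, as an added example that is not material from the panel: a strict nonce-based policy and a small evaluator for the `script-src` decision a browser makes. The origin, CDN host and policy shape are assumptions for the demo; host-source matching is simplified (scheme, host and explicit port only, no path matching or default-port inference), while the rules that matter for XSS, falling back to `default-src`, honouring nonces, and ignoring `'unsafe-inline'` once a nonce or hash is present (CSP Level 2 and later), are implemented:

```python
import secrets
from urllib.parse import urlsplit


def make_nonce():
    """Fresh per-response nonce; never reuse one across responses."""
    return secrets.token_urlsafe(16)


def build_policy(nonce, extra_script_hosts=()):
    """A strict baseline: nothing by default, scripts only from the page's own
    origin, the response nonce and explicitly listed hosts; no plugins; no
    <base> hijacking.  extra_script_hosts is a hypothetical allow-list."""
    sources = ["'self'", f"'nonce-{nonce}'", *extra_script_hosts]
    return "; ".join([
        "default-src 'none'",
        "script-src " + " ".join(sources),
        "object-src 'none'",
        "base-uri 'none'",
    ])


def parse_policy(policy):
    """directive name -> list of source expressions, as written."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):      # *.example.com matches a.example.com, not example.com
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(source, page_origin, url):
    """Does one source expression allow fetching a script from `url`?"""
    src = source.lower()
    target = urlsplit(url)
    if src == "'self'":
        page = urlsplit(page_origin)
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if src.startswith("'"):           # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    if src.endswith(":") and "://" not in src:   # scheme-source such as https:
        return target.scheme == src[:-1]
    if "://" in src:
        scheme, rest = src.split("://", 1)
        if scheme != target.scheme:
            return False
    else:
        rest = src
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and port != str(target.port):
        return False
    return _host_matches(host, target.hostname or "")


def script_allowed(policy, page_origin, *, url=None, nonce=None):
    """Would a <script> execute under `policy` on a page at `page_origin`?

    External script: pass url.  Inline script: leave url None and pass the
    element's nonce attribute (or None for an injected payload)."""
    d = parse_policy(policy)
    if "script-src" not in d and "default-src" not in d:
        return True                   # no governing directive: browser default, everything runs
    sources = d.get("script-src", d.get("default-src", []))
    lowered = [s.lower() for s in sources]
    if url is None:
        if nonce and f"'nonce-{nonce}'" in sources:          # nonces compare case-sensitively
            return True
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in lowered)
        return "'unsafe-inline'" in lowered and not has_nonce_or_hash
    return any(_source_matches(s, page_origin, url) for s in sources)


def demo():
    """Constructed scenario: app at https://app.example.com with one CDN allowed."""
    nonce = make_nonce()
    policy = build_policy(nonce, ["https://cdn.example.net"])
    origin = "https://app.example.com"
    return {
        "own_script": script_allowed(policy, origin, url="https://app.example.com/js/app.js"),
        "cdn_script": script_allowed(policy, origin, url="https://cdn.example.net/lib.js"),
        "injected_remote": script_allowed(policy, origin, url="https://attacker.example.org/x.js"),
        "inline_with_nonce": script_allowed(policy, origin, nonce=nonce),
        "injected_inline": script_allowed(policy, origin),    # XSS payload carries no nonce
        "legacy_unsafe_inline": script_allowed("script-src 'self' 'unsafe-inline'", origin),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allowed' if allowed else 'blocked'}")
```

The injected inline script and the injected remote script are both blocked under the strict policy, while the same inline payload runs under the legacy `'unsafe-inline'` policy; that single keyword is the usual reason a deployed CSP does nothing against XSS. Rolling this out for real means generating the nonce per response, putting it on every legitimate `<script>` tag, and starting in report-only mode to find the inline handlers and third-party scripts the policy would break.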

Speakers

CSP Peeps

Ian Melven - New Relic
Joel Weinberger - Google - Google engineer on Chrome Security, working on CSP and other security features, and former UC Berkeley grad student and security researcher.
Caleb Queern - Cyveillance
Kenneth Lee - Etsy
Scott Behrens - Netflix - Scott Behrens is a...


Tuesday January 28, 2014 11:30am - 12:30pm PST
Track 3

2:00pm PST

7 Deadly Sins: Unlock the Gates of Mobile Hacking Heaven
Speakers

Dan Kuykendall

co-CEO and CTO, NT Objectives
Dan is a founder of NT OBJECTives and has been with the company for more than 10 years. He is responsible for the strategic direction and development of products and services and works closely with technology partners to make sure integrations are both deep and valuable. As a result...


Tuesday January 28, 2014 2:00pm - 2:45pm PST
Track 1

2:00pm PST

HTML 5 Security
• What is HTML 5.0?
o New features
• HTML & Security
o Cross Origin Resource Sharing (CORS)
o Local Client Storage
o Local Storage
o WebSQL
o New tags and attributes
o Web Workers
o Sandboxing iframes
o GeoLocation
o Optional content – would be included in a training session
• Cross Document Messaging
• WebGL
• Desktop Notifications
• SVG and new formats
• Speech input mechanisms
• Web Sockets

Speakers

Joe Basirico

Vice President, Security Services, Security Innovation
Joe is responsible for managing the professional services business at Security Innovation. He leverages his unique experience as a development lead, trainer, researcher, and test engineer to direct the security consulting team in the delivery of high-quality, impactful...


Tuesday January 28, 2014 2:00pm - 2:45pm PST
Track 2

2:00pm PST

Next Generation Red Teaming
Too often organizations conduct assessments within a vacuum: physical, network, social, or application-layer. Attackers do not confine themselves similarly and avail themselves of whatever combination of techniques most effectively achieves their desired impact. Red team assessments aim to simulate these attacks more realistically and identify risk through composite, cross-domain attack vectors. This talk will cover several shortcomings with the current "model" of red teaming across the industry and how we can more effectively incorporate the application-specific attack surface into a red team effort. War stories will be shared to show the effectiveness of application-centric composite attacks in this new approach.

Speakers

Tuesday January 28, 2014 2:00pm - 2:45pm PST
Track 3
 