Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
AppSecUSA 2015 - Buy ticket at http://2015.appsecusa.org/buy/
 
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Tuesday, September 22
 

8:00am

Registration
Tuesday September 22, 2015 8:00am - 9:00am
TBA

9:00am

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Tuesday September 22, 2015 9:00am - 10:30am
Pacific O

9:00am

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Tuesday September 22, 2015 9:00am - 10:30am
Pacific G

9:00am

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Tuesday September 22, 2015 9:00am - 10:30am
Pacific F

9:00am

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Application Verification Standard provides great guidelines which help us develop secure applications. However, nobody is perfect. How do we audit to ensure we are following these standards consistently? This hands-on training provides examples of how to audit our web-based applications for adherence to the OWASP ASVS using the Burp Suite interception proxy and a few other free tools. Learn how to use Burp Suite and how to ensure applications comply with written standards.

All testing will be against targets included on the Samurai WTF distribution which will allow students to follow along with the demonstrations and participate in the hands-on labs. Hands-on labs include auditing horizontal and vertical brute-force controls, XSS and BeEF, CSRF by example, exploiting insecure direct object references and many more.

Who Should Take This Course?
This course is designed for application security professionals, security auditors, quality assurance engineers, and software developers.

What Should Students Bring?
Samurai WTF

Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Tuesday September 22, 2015 9:00am - 10:30am
Pacific I

9:00am

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Tuesday September 22, 2015 9:00am - 10:30am
Pacific D & E

9:00am

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Tuesday September 22, 2015 9:00am - 10:30am
Pacific N

10:30am

Coffee Break
Tuesday September 22, 2015 10:30am - 11:00am
TBA

11:00am

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Tuesday September 22, 2015 11:00am - 12:15pm
Pacific O

11:00am

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Tuesday September 22, 2015 11:00am - 12:30pm
Pacific G

11:00am

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Tuesday September 22, 2015 11:00am - 12:30pm
Pacific F

11:00am

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Application Verification Standard provides great guidelines which help us develop secure applications. However, nobody is perfect. How do we audit to ensure we are following these standards consistently? This hands-on training provides examples of how to audit our web-based applications for adherence to the OWASP ASVS using the Burp Suite interception proxy and a few other free tools. Learn how to use Burp Suite and how to ensure applications comply with written standards.

All testing will be against targets included on the Samurai WTF distribution which will allow students to follow along with the demonstrations and participate in the hands-on labs. Hands-on labs include auditing horizontal and vertical brute-force controls, XSS and BeEF, CSRF by example, exploiting insecure direct object references and many more.

Who Should Take This Course?
This course is designed for application security professionals, security auditors, quality assurance engineers, and software developers.

What Should Students Bring?
Samurai WTF

Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Tuesday September 22, 2015 11:00am - 12:30pm
Pacific I

11:00am

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Tuesday September 22, 2015 11:00am - 12:30pm
Pacific D & E

11:00am

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Tuesday September 22, 2015 11:00am - 12:30pm
Pacific N

12:30pm

Lunch
Tuesday September 22, 2015 12:30pm - 1:30pm
TBA

1:30pm

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Tuesday September 22, 2015 1:30pm - 3:00pm
Pacific O

1:30pm

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Tuesday September 22, 2015 1:30pm - 3:00pm
Pacific G

1:30pm

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Tuesday September 22, 2015 1:30pm - 3:00pm
Pacific F

1:30pm

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Application Verification Standard provides great guidelines which help us develop secure applications. However, nobody is perfect. How do we audit to ensure we are following these standards consistently? This hands-on training provides examples of how to audit our web-based applications for adherence to the OWASP ASVS using the Burp Suite interception proxy and a few other free tools. Learn how to use Burp Suite and how to ensure applications comply with written standards.

All testing will be against targets included on the Samurai WTF distribution which will allow students to follow along with the demonstrations and participate in the hands-on labs. Hands-on labs include auditing horizontal and vertical brute-force controls, XSS and BeEF, CSRF by example, exploiting insecure direct object references and many more.

Who Should Take This Course?
This course is designed for application security professionals, security auditors, quality assurance engineers, and software developers.

What Should Students Bring?
Samurai WTF

Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Tuesday September 22, 2015 1:30pm - 3:00pm
Pacific I

1:30pm

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Tuesday September 22, 2015 1:30pm - 3:00pm
Pacific N

1:30pm

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Tuesday September 22, 2015 1:30pm - 3:30pm
Pacific D & E

3:00pm

Coffee Break
Tuesday September 22, 2015 3:00pm - 3:30pm
TBA

3:30pm

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific O

3:30pm

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific G

3:30pm

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific F

3:30pm

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Application Verification Standard provides great guidelines which help us develop secure applications. However, nobody is perfect. How do we audit to ensure we are following these standards consistently? This hands-on training provides examples of how to audit our web-based applications for adherence to the OWASP ASVS using the Burp Suite interception proxy and a few other free tools. Learn how to use Burp Suite and how to ensure applications comply with written standards.

All testing will be against targets included on the Samurai WTF distribution which will allow students to follow along with the demonstrations and participate in the hands-on labs. Hands-on labs include auditing horizontal and vertical brute-force controls, XSS and BeEF, CSRF by example, exploiting insecure direct object references and many more.

Who Should Take This Course?
This course is designed for application security professionals, security auditors, quality assurance engineers, and software developers.

What Should Students Bring?
Samurai WTF

Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific I

3:30pm

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific D & E

3:30pm

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Tuesday September 22, 2015 3:30pm - 5:00pm
Pacific N
 
Wednesday, September 23
 

8:00am

Registration
Wednesday September 23, 2015 8:00am - 9:00am
TBA

9:00am

Training (1 day): Hands-on Website Exploitation with Python
This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a python based web application scanner and using it to assess some various broken web applications.

Students will perform the following tasks:
>>Quickstart basics of Python programming
>>Development of various scripts to perform: Network sniffing and exploitation (including one than integrates Nmap functions), DOM modification, Searching an Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on ruby scripts)
>>Development of a custom Web Application scanner
>>Use of these new tools to attack various intentionally broken web apps, including a vulnerable shell-shock server

Who Should Take This Course?
This class does not require python experience and is encouraged for the un-seasoned pen-testers who want to learn this language and integrate it into their professional security testing.

What Should Students Bring?
Students should bring a laptop with Oracle virtualbox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Speakers
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many


Wednesday September 23, 2015 9:00am - 10:30am
Pacific B

9:00am

Training (1 day): Risk Management Like a Boss: Making Your Risks Work for You
Arguably, the single most valuable skill that you can learn in Information Security today in order to improve your security posture for tomorrow is Risk Management. The simple process of identifying your risks, planning your mitigations, and performing reviews puts your company squarely in the drivers seat when it comes to justifying its security expenditures in order to reduce risk. SimpleRisk is the only free and open source alternative to the bloated and expensive Governance, Risk, and Compliance (GRC) platforms out there and is being used by corporations of all sizes, around the world, to perform their risk management activities. During this seminar, Josh Sokol, the Creator of SimpleRisk, will walk attendees through the basics of risk management using hands-on activities and the SimpleRisk tool. By the end of the course, attendees will have the knowledge necessary in order to deploy SimpleRisk in their environment, use it to manage their risks, and have a firm grasp on the processes involved in managing risks.

SimpleRisk is free to download at http://www.simplerisk.org and is released under the Mozilla Public License (MPL) 2.0. This means that those who use it are free to use it, modify it, or even sell it at will. SimpleRisk does sell some additional enterprise functionality such as LDAP authentication, team separation, and e-mail notifications, but the tool is fully functional in performing risk management activities without these and they are completely out of scope for the class.

1) Installing SimpleRisk on a LAMP stack
2) Configuring SimpleRisk
3) Brainstorming risks and naming them
4) Submitting risks
5) Planning mitigations
6) Performing management reviews
7) Creating projects and assigning risks

Who Should Take This Course?
This course is designed to take a person with no prior experience in risk management and teach them how to perform risk management activities such as assessing risk, documenting risk, planning mitigations, and performing management reviews. Attendees will learn how to install and configure the free and open source SimpleRisk risk management framework and will leverage it to become risk management experts for their organization.

What Should Students Bring?
Students will need to bring a laptop running a virtual machine (VMWare, Virtualbox, or Parallels should work fine) containing Ubuntu 14.04 LTS. The installation of SimpleRisk will happen as part of an in-class activity and will be used for all in-class exercises.

Speakers
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific A

9:00am

Training (1 day): Simple End-to-End App Security with AWS
As security consultants, developers, managers, and architects we are faced with not only delivering customer value but delivering customer value responsibly. Often times after a plethora of decisions have been made.

In this hands on workshop, a reference microservices application hosting environment will be instantiated including some sample services and applications. We will decompose the reference environment to examine how it leverages (or fails to leverage) some of security capabilities from AWS. Then we will decompose the applications themselves. During this bottom up and top down inspection we will identify common mistakes and point out opportunities to prevent and accidentally inject vulnerabilities.

This workshop will help security consultants, architects, and developers develop operational and design time checklists for their organizations or customers.   

Bring your laptop and AWS account since Cloud Formation templates will be provided so you can follow along. 

Speakers
avatar for Nicholas J. Parks

Nicholas J. Parks

Nicholas is a technology professional that started as a software engineer that developed commercial products to manage data centers. He then ventured into delivering Java PaaS solutions with a focus on providing application security as a service. This included delivering managed life cycle solutions to customers across various industries. As an Amazon Certified Solution Architect he has assisted customers improve operational delivery of... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific H

9:00am

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific O

9:00am

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific G

9:00am

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific F

9:00am

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Wednesday September 23, 2015 9:00am - 10:30am
Pacific I

9:00am

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Wednesday September 23, 2015 9:00am - 10:30am
Pacific N

9:00am

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Wednesday September 23, 2015 9:00am - 10:30pm
Pacific D & E

10:30am

Coffee Break
Wednesday September 23, 2015 10:30am - 11:00am
TBA

11:00am

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Wednesday September 23, 2015 11:00am - 11:30am
Pacific O

11:00am

Training (1 day): Hands-on Website Exploitation with Python
This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a python based web application scanner and using it to assess some various broken web applications.

Students will perform the following tasks:
>>Quickstart basics of Python programming
>>Development of various scripts to perform: Network sniffing and exploitation (including one than integrates Nmap functions), DOM modification, Searching an Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on ruby scripts)
>>Development of a custom Web Application scanner
>>Use of these new tools to attack various intentionally broken web apps, including a vulnerable shell-shock server

Who Should Take This Course?
This class does not require python experience and is encouraged for the un-seasoned pen-testers who want to learn this language and integrate it into their professional security testing.

What Should Students Bring?
Students should bring a laptop with Oracle virtualbox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Speakers
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific B

11:00am

Training (1 day): Risk Management Like a Boss: Making Your Risks Work for You
Arguably, the single most valuable skill that you can learn in Information Security today in order to improve your security posture for tomorrow is Risk Management. The simple process of identifying your risks, planning your mitigations, and performing reviews puts your company squarely in the drivers seat when it comes to justifying its security expenditures in order to reduce risk. SimpleRisk is the only free and open source alternative to the bloated and expensive Governance, Risk, and Compliance (GRC) platforms out there and is being used by corporations of all sizes, around the world, to perform their risk management activities. During this seminar, Josh Sokol, the Creator of SimpleRisk, will walk attendees through the basics of risk management using hands-on activities and the SimpleRisk tool. By the end of the course, attendees will have the knowledge necessary in order to deploy SimpleRisk in their environment, use it to manage their risks, and have a firm grasp on the processes involved in managing risks.

SimpleRisk is free to download at http://www.simplerisk.org and is released under the Mozilla Public License (MPL) 2.0. This means that those who use it are free to use it, modify it, or even sell it at will. SimpleRisk does sell some additional enterprise functionality such as LDAP authentication, team separation, and e-mail notifications, but the tool is fully functional in performing risk management activities without these and they are completely out of scope for the class.

1) Installing SimpleRisk on a LAMP stack
2) Configuring SimpleRisk
3) Brainstorming risks and naming them
4) Submitting risks
5) Planning mitigations
6) Performing management reviews
7) Creating projects and assigning risks

Who Should Take This Course?
This course is designed to take a person with no prior experience in risk management and teach them how to perform risk management activities such as assessing risk, documenting risk, planning mitigations, and performing management reviews. Attendees will learn how to install and configure the free and open source SimpleRisk risk management framework and will leverage it to become risk management experts for their organization.

What Should Students Bring?
Students will need to bring a laptop running a virtual machine (VMWare, Virtualbox, or Parallels should work fine) containing Ubuntu 14.04 LTS. The installation of SimpleRisk will happen as part of an in-class activity and will be used for all in-class exercises.

Speakers
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific A

11:00am

Training (1 day): Simple End-to-End App Security with AWS
As security consultants, developers, managers, and architects we are faced with not only delivering customer value but delivering customer value responsibly. Often times after a plethora of decisions have been made.

In this hands on workshop, a reference microservices application hosting environment will be instantiated including some sample services and applications. We will decompose the reference environment to examine how it leverages (or fails to leverage) some of security capabilities from AWS. Then we will decompose the applications themselves. During this bottom up and top down inspection we will identify common mistakes and point out opportunities to prevent and accidentally inject vulnerabilities.

This workshop will help security consultants, architects, and developers develop operational and design time checklists for their organizations or customers.   

Bring your laptop and AWS account since Cloud Formation templates will be provided so you can follow along. 

Speakers
avatar for Nicholas J. Parks

Nicholas J. Parks

Nicholas is a technology professional that started as a software engineer that developed commercial products to manage data centers. He then ventured into delivering Java PaaS solutions with a focus on providing application security as a service. This included delivering managed life cycle solutions to customers across various industries. As an Amazon Certified Solution Architect he has assisted customers improve operational delivery of... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific H

11:00am

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific G

11:00am

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific F

11:00am

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific I

11:00am

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific D & E

11:00am

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Wednesday September 23, 2015 11:00am - 12:30pm
Pacific N

12:30pm

Lunch
Wednesday September 23, 2015 12:30pm - 1:30pm
TBA

1:30pm

Training (1 day): Hands-on Website Exploitation with Python
This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a python based web application scanner and using it to assess some various broken web applications.

Students will perform the following tasks:
>>Quickstart basics of Python programming
>>Development of various scripts to perform: Network sniffing and exploitation (including one than integrates Nmap functions), DOM modification, Searching an Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on ruby scripts)
>>Development of a custom Web Application scanner
>>Use of these new tools to attack various intentionally broken web apps, including a vulnerable shell-shock server

Who Should Take This Course?
This class does not require python experience and is encouraged for the un-seasoned pen-testers who want to learn this language and integrate it into their professional security testing.

What Should Students Bring?
Students should bring a laptop with Oracle virtualbox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Speakers
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific B

1:30pm

Training (1 day): Risk Management Like a Boss: Making Your Risks Work for You
Arguably, the single most valuable skill that you can learn in Information Security today in order to improve your security posture for tomorrow is Risk Management. The simple process of identifying your risks, planning your mitigations, and performing reviews puts your company squarely in the drivers seat when it comes to justifying its security expenditures in order to reduce risk. SimpleRisk is the only free and open source alternative to the bloated and expensive Governance, Risk, and Compliance (GRC) platforms out there and is being used by corporations of all sizes, around the world, to perform their risk management activities. During this seminar, Josh Sokol, the Creator of SimpleRisk, will walk attendees through the basics of risk management using hands-on activities and the SimpleRisk tool. By the end of the course, attendees will have the knowledge necessary in order to deploy SimpleRisk in their environment, use it to manage their risks, and have a firm grasp on the processes involved in managing risks.

SimpleRisk is free to download at http://www.simplerisk.org and is released under the Mozilla Public License (MPL) 2.0. This means that those who use it are free to use it, modify it, or even sell it at will. SimpleRisk does sell some additional enterprise functionality such as LDAP authentication, team separation, and e-mail notifications, but the tool is fully functional in performing risk management activities without these and they are completely out of scope for the class.

1) Installing SimpleRisk on a LAMP stack
2) Configuring SimpleRisk
3) Brainstorming risks and naming them
4) Submitting risks
5) Planning mitigations
6) Performing management reviews
7) Creating projects and assigning risks

Who Should Take This Course?
This course is designed to take a person with no prior experience in risk management and teach them how to perform risk management activities such as assessing risk, documenting risk, planning mitigations, and performing management reviews. Attendees will learn how to install and configure the free and open source SimpleRisk risk management framework and will leverage it to become risk management experts for their organization.

What Should Students Bring?
Students will need to bring a laptop running a virtual machine (VMWare, Virtualbox, or Parallels should work fine) containing Ubuntu 14.04 LTS. The installation of SimpleRisk will happen as part of an in-class activity and will be used for all in-class exercises.

Speakers
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific A

1:30pm

Training (1 day): Simple End-to-End App Security with AWS
As security consultants, developers, managers, and architects we are faced with not only delivering customer value but delivering customer value responsibly. Often times after a plethora of decisions have been made.

In this hands on workshop, a reference microservices application hosting environment will be instantiated including some sample services and applications. We will decompose the reference environment to examine how it leverages (or fails to leverage) some of security capabilities from AWS. Then we will decompose the applications themselves. During this bottom up and top down inspection we will identify common mistakes and point out opportunities to prevent and accidentally inject vulnerabilities.

This workshop will help security consultants, architects, and developers develop operational and design time checklists for their organizations or customers.   

Bring your laptop and AWS account since Cloud Formation templates will be provided so you can follow along. 

Speakers
avatar for Nicholas J. Parks

Nicholas J. Parks

Nicholas is a technology professional that started as a software engineer that developed commercial products to manage data centers. He then ventured into delivering Java PaaS solutions with a focus on providing application security as a service. This included delivering managed life cycle solutions to customers across various industries. As an Amazon Certified Solution Architect he has assisted customers improve operational delivery of... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific H

1:30pm

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific O

1:30pm

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific G

1:30pm

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific F

1:30pm

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Wednesday September 23, 2015 1:30pm - 3:00pm
Pacific N

1:30pm

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Wednesday September 23, 2015 1:30pm - 3:30pm
Pacific I

1:30pm

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Wednesday September 23, 2015 1:30pm - 3:30pm
Pacific D & E

3:00pm

Coffee Break
Wednesday September 23, 2015 3:00pm - 3:30pm
TBA

3:30pm

Training (1 day): Hands-on Website Exploitation with Python
This training will teach students how to conduct website assessments with Python. Students will learn the essentials of the python language and learn to create useful algorithms that perform various exploits through "other" tools like Nmap and through "custom" tools that perform password cracking, DOM modification, injections, and more. The capstone of the class is the development of a python based web application scanner and using it to assess some various broken web applications.

Students will perform the following tasks:
>>Quickstart basics of Python programming
>>Development of various scripts to perform: Network sniffing and exploitation (including one than integrates Nmap functions), DOM modification, Searching an Analysis, plugin grabber which integrates with "Exploit DB" (this includes the ability to store information for future or automated exploitation), Password cracking, SQL Injection, CSRF, XSS (including the automation of XSS identification), root exploitation, porting of various other scripts into Python (focus on ruby scripts)
>>Development of a custom Web Application scanner
>>Use of these new tools to attack various intentionally broken web apps, including a vulnerable shell-shock server

Who Should Take This Course?
This class does not require python experience and is encouraged for the un-seasoned pen-testers who want to learn this language and integrate it into their professional security testing.

What Should Students Bring?
Students should bring a laptop with Oracle virtualbox or VMplayer installed. Lecture material and lab exercises will be provided in electronic form.

Speakers
avatar for Michael Born

Michael Born

Security Consultant, Solutionary
I enjoy breaking into things more than defending, I love Python, can tolerate Ruby, and am always trying to improve at C and Assembly. My current security testing focus is network penetration testing, application penetration testing, and mobile application penetration testing.
avatar for Fred Donovan

Fred Donovan

Professor and Director of an MSCS program | Enjoy discussions on "hacking back" | Friend and brother to many


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific B

3:30pm

Training (1 day): Risk Management Like a Boss: Making Your Risks Work for You
Arguably, the single most valuable skill that you can learn in Information Security today in order to improve your security posture for tomorrow is Risk Management. The simple process of identifying your risks, planning your mitigations, and performing reviews puts your company squarely in the drivers seat when it comes to justifying its security expenditures in order to reduce risk. SimpleRisk is the only free and open source alternative to the bloated and expensive Governance, Risk, and Compliance (GRC) platforms out there and is being used by corporations of all sizes, around the world, to perform their risk management activities. During this seminar, Josh Sokol, the Creator of SimpleRisk, will walk attendees through the basics of risk management using hands-on activities and the SimpleRisk tool. By the end of the course, attendees will have the knowledge necessary in order to deploy SimpleRisk in their environment, use it to manage their risks, and have a firm grasp on the processes involved in managing risks.

SimpleRisk is free to download at http://www.simplerisk.org and is released under the Mozilla Public License (MPL) 2.0. This means that those who use it are free to use it, modify it, or even sell it at will. SimpleRisk does sell some additional enterprise functionality such as LDAP authentication, team separation, and e-mail notifications, but the tool is fully functional in performing risk management activities without these and they are completely out of scope for the class.

1) Installing SimpleRisk on a LAMP stack
2) Configuring SimpleRisk
3) Brainstorming risks and naming them
4) Submitting risks
5) Planning mitigations
6) Performing management reviews
7) Creating projects and assigning risks

Who Should Take This Course?
This course is designed to take a person with no prior experience in risk management and teach them how to perform risk management activities such as assessing risk, documenting risk, planning mitigations, and performing management reviews. Attendees will learn how to install and configure the free and open source SimpleRisk risk management framework and will leverage it to become risk management experts for their organization.

What Should Students Bring?
Students will need to bring a laptop running a virtual machine (VMWare, Virtualbox, or Parallels should work fine) containing Ubuntu 14.04 LTS. The installation of SimpleRisk will happen as part of an in-class activity and will be used for all in-class exercises.

Speakers
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific A

3:30pm

Training (1 day): Simple End-to-End App Security with AWS
As security consultants, developers, managers, and architects we are faced with not only delivering customer value but delivering customer value responsibly. Often times after a plethora of decisions have been made.

In this hands on workshop, a reference microservices application hosting environment will be instantiated including some sample services and applications. We will decompose the reference environment to examine how it leverages (or fails to leverage) some of security capabilities from AWS. Then we will decompose the applications themselves. During this bottom up and top down inspection we will identify common mistakes and point out opportunities to prevent and accidentally inject vulnerabilities.

This workshop will help security consultants, architects, and developers develop operational and design time checklists for their organizations or customers.   

Bring your laptop and AWS account since Cloud Formation templates will be provided so you can follow along. 

Speakers
avatar for Nicholas J. Parks

Nicholas J. Parks

Nicholas is a technology professional that started as a software engineer that developed commercial products to manage data centers. He then ventured into delivering Java PaaS solutions with a focus on providing application security as a service. This included delivering managed life cycle solutions to customers across various industries. As an Amazon Certified Solution Architect he has assisted customers improve operational delivery of... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific H

3:30pm

Training (2 days) : Malware Crash Course
This course provides a rapid introduction to the tools and methodologies used to perform malware analysis on executables found on Windows systems using a practical, hands-on approach. Students will learn how to find the functionality of a program by analyzing disassembly and by watching how it modifies a system and its resources as it runs in a debugger. Students will learn how to extract host and network-based indicators from a malicious program. Students will be taught about dynamic analysis and the Windows APIs most often used by malware authors. Each section is filled with in-class demonstrations and hands-on labs with real malware where the students practice what they have learned.

What You Will Learn:

Hands-on malware dissection
How to create a safe malware analysis environment
How to quickly extract network and host-based indicators
How to perform dynamic analysis using system monitoring utilities to capture the file system, registry, and network activity generated by malware
How to debug malware and modify control flow and logic of software
To analyze assembly code after a crash course in the Intel x86 assembly language
Windows internals and APIs
How to use key analysis tools like IDA Pro and OllyDbg
What to look for when analyzing a piece of malware
The art of malware analysis - not just running tools

Labs are scheduled throughout the course and reinforce the concepts taught in each module. The estimate is that between 60% - 70% of class time is spent on lab work.

Who Should Take This Course?
Software developers, information security professionals, incident responders, computer security researchers, puzzle lovers, corporate investigators, or others requiring an understanding of how malware works and the steps and processes involved in performing malware analysis.

Students should have:
Excellent knowledge of computer and operating system fundamentals
Computer programming fundamentals and Windows Internals experience is highly recommended

What Should Students Bring?
Students must bring their own laptop with VMware Workstation, Server, or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is highly recommended to participate in ALL labs, but the free version can be used in most cases.

Speakers
avatar for James “Tom” Bennett

James “Tom” Bennett

James T. Bennett is a seasoned malware analyst with over 10 years of experience working to improve technologies used to detect threats on the network and host levels. | Mr. Bennett is currently employed as a Staff Threat Research Engineer with FireEye where he analyzes malware used in targeted attacks in order to improve detection technologies and aid in incident response and threat intelligence gathering.
avatar for Peter Kacherginsky

Peter Kacherginsky

Reverse Engineer, FireEye
Peter Kacherginsky is a malware analyst, exploit developer, penetration tester, and incident responder with over 8 years of experience in the security industry. He is a big fan of IDA Pro and won last year's IDA Pro plugin contest. A number of Peter's open source security tools have been included in the Kali Linux/Backtrack security distribution. | | Mr. Kacherginsky works on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as... Read More →
avatar for Dominic Weber

Dominic Weber

Senior Manager, FireEye
Hi ! | I am Dominic Weber and I have 13 years of computer forensic experience researching NTFS, ExFAT and the Windows key management If you've used EnCase, you've used my C++/ Windows code. Before that I Worked in 3D full body motion capture / rendering and video games. | | I work on the FireEye Labs Advanced Reverse Engineering (FLARE) Team as a Senior Manager and Malware Research Engineer with FireEye where I analyze malware and... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific O

3:30pm

Training (2 days): Advanced Android and iOS Hands-on Exploitation
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Advanced Android and iOS Hands-on Exploitation is a unique training which covers security and exploitation of the two dominant mobile platforms - Android and iOS. This is a three day action packed class, full of hands-on challenges and CTF labs, for both Android and iOS environment. The entire class will be based on a custom VM which has been prepared exclusively for the training. The training will take the attendees from the ground level upwards to be able to audit any real world applications on the platforms. 

Some of the topics that will be covered are Advanced Auditing of iOS and Android Applications, Reverse Engineering, Bypassing Obfuscations, Automating security analysis, Exploiting and patching apps, Advanced ARM Exploitation, API Hooking and a lot more. 

The 2-day class is designed in a CTF approach where each of the module is followed by a complete hands-on lab, giving the attendees a chance to apply the knowledge and skills learnt during the class in real life scenario. Students will also be provided with the author signed copy of the book "Learning Pentesting for Android Devices", printed reference materials and handouts to be used during and after the training class, and private scripts written by the trainer for Android and iOS app security analysis.

Since this is a hands-on class, almost most of the content will be hands-on and challenge based. The VM that will be distributed to the students will have a bunch of different real world applications, along with specific custom vulnerable apps made for the training. 

The students will be using a lot of different techniques and a few tools as well, to perform mobile exploitation. 

Some of the lab exercises include : 

[+] Cracking Android Applications by reversing and modifying the smali code
[+] Patching Drozer in order to perform automated exploitation for applications which are not directly vulnerable
[+] Network traffic analysis to identify traffic based vulns in android and iOS apps
[+] Runtime manipulation of Android apps and writing custom API hooks using Cydia Substrate and Dynamic Instrumentation frameworks. 
[+] Advanced Cycript usage to bypass security measures in iOS Applications
[+] Dynamic Library Injection in iOS apps 

These are just some of the labs that will be hands-on during the 2-day class. Obviously, there are more others as we will start from the ground basics, assuming the attendee hasn't done mobile security before.

Who Should Take This Course?
Security Researchers who want to get started into Mobile Security
Mobile Security Enthusiasts
Penetration Testers
Mobile Developers

What Should Students Bring?
Laptop with Administrative access
Atleast 20 GB of free disk space
4 GB RAM 
Genymotion installed and configured with Android v 4.1.1 and 5.0 images

Speakers
avatar for Aditya Gupta

Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. | | He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific G

3:30pm

Training (2 days): Creating and automating your own AppSec Pipeline
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

Any optimization outside the critical constraint is an illusion. In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This training will provide an overview of key application security automation principles and provide hands-on experience with creating an Application Security Pipeline augmented with automation. Over the course of two days, the students will cover the crucial aspects of where and when to add automation to their application security practices and gain experience with integrating APIs, automating security scanning, consolidate and de-duplicate security issues, automating submission of issues to defect trackers and generating reports/metrics in an automated fashion. Students should leave with an firm understanding of how to apply DevOps and Agile concepts to optimize their security programs.

The labs consist of a series of exercises which build upon each other to construct an AppSec Pipeline. After discussing each fundamental part of the pipeline, the student will be provided a lab to construct that portion of their own AppSec Pipeline. While these will be somewhat scripted labs, they will provide working examples of all the key concepts needed in adding automation to an AppSec program allowing the student to have seen the concepts in action before returning to work and applying them to their particular situation.

Who Should Take This Course?
AppSec professionals who are running an internal AppSec program. This course is designed to demonstrate both the principals in theory and practice around the creation of an AppSec Pipeline, the benefits it brings and how it can help you do more with less. Multiple open source software packages will be used to setup an example AppSec Pipeline in a series of hands on labs. The concepts and techniques of this course can then be applied to their AppSec programs to build their own, custom AppSec Pipeline.

What Should Students Bring?
A laptop capable of running a VM in either VirtualBox, VMware Player/Workstation/Fusion or Parrallels. A custom VM will be provided to the students which contains all the necessary software for the labs.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific F

3:30pm

Training (2 days): Hands-on Auditing of the OWASP Application Security Verification Standard
Speakers
avatar for David Hazar

David Hazar

Product Development Security Lead, Oracle Service Cloud
I am all about application security and the need to better secure our applications by not only identifying issues, but training developers to understand these issues and write more secure code. QA engineers also need to understand these issues so they can write meaningful test cases. Don't forget to sign up for my two-day training "Hands-on Auditing of the OWASP Application Security Verification Standard"!


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific I

3:30pm

Training (2 days): OWASP Top 10 – Exploitation and Effective Safeguards
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The OWASP Top 10 web application vulnerabilities has done a great job promoting awareness for the developers. Along with many cheat sheets, they provide valuable tools and techniques to web developers. But such a great source of information could be overwhelming for the programmer who wants to learn about security.

To achieve this goal, participants will first learn the technical details about each OWASP Top 10 vulnerability. Then the instructor will give demos on how attacks are performed against each of them. After that, participants will use virtual machines and follow step by step procedures to launch attacks against a vulnerable web site. This step is key in understanding how exploitation works so they can later implement effective safeguards in their systems. 

The course will cover the following topics:
1. SSL Certificates
2. Password Management
3. Cryptography Concepts
4. OWASP Top 10 web application vulnerabilities:
A1 - Injection Attacks
a. Command Injection
b. File Injection
c. SQL Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Known Vulnerable Components
A10 - Unvalidated Redirects and Forwards
14. Securing AJAX and Web Services (REST and SOAP)
15. OWASP Application Security Verification Standard (ASVS)
16. Web Application Firewalls (WAF)
17. Using a Vulnerability Scanner (Zed Attack Proxy - ZAP)
18. Effective Code Review Techniques
19. OWASP Enterprise Security API
20. Secure Coding Best Practices
21. Effective Safeguards

Demos from the instructor:
1. SQL Injection Attack
2. Cross-Site Scripting Attack
3. Insecure Direct Object References
4. Sensitive Data Exposure
5. Cross-Site Request Forgery

Using their laptop and the provided virtual machines, participants will have 7 hands-on exercises:
1. Session Initialization and Client-Side Validation
• Part 1: Web Proxy and Session Initialization
• Part 2: Client-Side Validation
2. Online Password Guessing Attack
3. Account Harvesting
4. Using a Web Application Vulnerability Scanner
5. Sniffing Encrypted Traffic
6. Launching Command Injection Attacks
7. Create SSL certificates

In addition, each participant will receive a printed student guide containing all the slides and exercises.

Who Should Take This Course?
This course is designed to help intermediate to expert web developers and security professionals understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will benefit from this class.

What Should Students Bring?
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 3 GB of RAM, 20 GB of free disk space, a DVD reader and either VMWare Player (free), VMWare Workstation, VMWare Fusion or Oracle VirtualBox pre-installed. They must also have an administrator/root account on their laptop. At the beginning of the course, participants will receive a DVD containing two pre-configured virtual machines.

Speakers
avatar for David Caissy

David Caissy

Penetration Tester, TRM Technologies Inc.
David Caissy is a web application penetration tester with in-depth developer and IT Security background spanning over 16 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other teaching engagements. He has worked for a central bank, the Department of National Defense, various government agencies and private companies. David has been teaching... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific D & E

3:30pm

Training (2 days): Securely Designing and Developing with Popular MVC Frameworks
Note: This is a two day course from Tues 2015-09-22 - Wed 2015-09-23

The Model-View-Controller (MVC) model is commonly adapted by many frameworks. These are used by many business applications today as they bring structure and maintainability to coding. This training will focus on introducing the following design flaws that are applicable to most of the standard and custom-designed MVC frameworks.

• Crash course on Application design and MVC
• Ignore design at your own peril!
• Insecure Invocation of Business Logic
• Data Binding Flaws and Backdoors parameters
• Incorrect implementation of security controls
• Incorrect Placement of Security Checks
• Insecure Configurations
• Control flow vulnerabilities

The first day of the training will cover the above-mentioned general design principles in custom-designed and Struts2 frameworks, and on the second day, Spring and ASP.NET MVC frameworks will be analyzed.

Majority of the code in today’s applications come from libraries. According to a recent study done by Contrast Security, 28% of library downloads have known vulnerabilities and the most downloaded vulnerable libraries were GWT, Xerces, Spring MVC and Struts.

Additionally, due to compatibility issues and lack of awareness many of the applications are not upgraded with the secure framework/library versions. This would pose a major risk to the applications. This training will help developers and security analysts in identifying framework specific security vulnerabilities in their applications. Considering these vulnerabilities in Frameworks/libraries are not usually considered in security assessments, this training is going to be a good start.

The hands-on lab exercises incorporate demo applications built using custom-designed frameworks and vulnerable versions of Struts, Spring MVC and ASP.NET MVC applications. Vulnerabilities in these applications are showcased by considering real-time scenarios. Some of the framework-specific vulnerabilities that are included in the demo applications are the following:

• Struts2 Prefixed Parameters OGNL Injection Vulnerability
• Spring Data Binding flaw in multi step operations
• XML External Entity Injection Vulnerability in Spring Framework

All the above-mentioned applications will be shared with the attendees in a VMware image. This will help in avoiding delays occurring due to unwanted installations and dependency issues.

Who Should Take This Course?
• Professional Pentesters - who are auditing business applications designed using standard frameworks
• Design architects and developers - who need to design and code web applications securely
• Anyone with knowledge of MVC frameworks

This training imparts knowledge on secure design principles. It would highlight what goes wrong in most of the custom MVC designs and while using standard MVC frameworks like Spring, Hibernate and Struts. The training will introduce different design related flaws, flaws associated with some vulnerable framework versions and their mitigations.

What Should Students Bring?
All the students will be provided with VMware images with pre-loaded applications and software for lab exercises. Hence, attendees are expected to carry laptops that are installed with VMware player/ workstation.

Speakers
avatar for Muhammed Noushad K

Muhammed Noushad K

Senior Analyst and Team Lead, Paladion Networks
Muhammed Noushad K. has been associated with information security for more than 6 years with rich experience in Application Security and Secure Code Reviews. He has performed code review of various applications built on diverse frameworks and platforms. He was instrumental in creating code review plans for Struts and Spring frameworks, which are pivotal in performing efficient code reviews. He is also a frequent blogger for Paladion on various... Read More →


Wednesday September 23, 2015 3:30pm - 5:00pm
Pacific N

5:30pm

Registration
Wednesday September 23, 2015 5:30pm - 8:00pm
TBA

6:00pm

Pre-Conference reception and raffle sponsored by RiskIQ
Wednesday September 23, 2015 6:00pm - 8:00pm
TBA
 
Thursday, September 24
 

8:00am

Registration
Thursday September 24, 2015 8:00am - 6:00pm
TBA

9:00am

The Moral Imperatives and Challenges for Modern Application Security
It is becoming clear that the traditional methods of application security, such as the research-vuln-patch loop and developer education, are not scaling to the demands of the modern world. As more populations come onto the internet for the very first time, and as more aspects of our lives become dependent on software, we need to change our assumptions and adjust our security model to address networks, devices, and uses that may look very different than what we have protected in the past. The manner in which we respond to this shift will define the future of modern application security and the safety of billions online.

Speakers
avatar for Alex Stamos

Alex Stamos

CSO, Facebook
I am a security executive who is passionate about building an Internet that is safe and trustworthy for everyday users.


Thursday September 24, 2015 9:00am - 10:00am
Grand Ball Room

10:00am

Coffee Break
Thursday September 24, 2015 10:00am - 10:30am
TBA

10:00am

Birds of a Feather Networking Sessions, Hosted by the OWASP Women in AppSec Program

Have a security challenge you’d like to discuss with others? Interested in talking about a new tool or service you’re thinking about using? Want to talk with others in the field about recruiting efforts? Check the signup board at the room entrancenear the registration desk to suggest topics or sign up for a meetup that someone else has suggested. This is your opportunity to connect with colleagues about topics that interest you!



Thursday September 24, 2015 10:00am - 3:30pm
WIA Room

10:30am

Getting Started with ModSecurity
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvsla2YxMUN2VU4yTDA&usp=sharing
Please download before arriving at the conference!

In one hour, we will teach you how to install, configure and protect your web application using ModSecurity. You will learn the basics, starting from configuring the WAF in detection mode, using the OWASP ModSecurity Core Rule Set to writing your own custom rules. We will also provide examples of negative and positive security models, create simple virtual patches to fix vulnerabilities and block confidential data from being leaked.

Speakers
avatar for Luca Carettoni

Luca Carettoni

LinkedIn
Luca Carettoni is a security researcher with over 10 years of experience in the application security field. At LinkedIn, he leads a team responsible for identifying new security vulnerabilities in applications, infrastructure and open source components. Prior to that, Luca worked as the Director of Information Security at Addepar, a company that is reinventing global wealth management. Proud to be a Matasano Security alumni, he was a... Read More →
avatar for Mukul Kullar

Mukul Kullar

Security, Linkedin
Mukul Khullar is a security researcher with over 7 years of experience in the application and network security fields. At LinkedIn, he works as a Senior Information Security Engineer responsible for identifying threats, vulnerabilities and design flaws that may impact Linkedin’s applications and infrastructure. Prior to that, Mukul worked as a Senior Security Analyst at Ernst & young’s Advanced Security Center, helping Fortune 500 companies... Read More →


Thursday September 24, 2015 10:30am - 11:25am
Room E

10:30am

Building your own large scale web security scanning infrastructure in 40 minutes
There exists a lot of web security scanners and many are doing a descent good job. Yet there are times and genuine reasons when you wished you had your own scanning infrastructure. You perhaps wished how great it would be if you could build your own in 40 minutes. That you had more control. That you can add your custom requirements. Or may be using an existing one was not an option, from cost, scale, speed or code reuse perspective.

In this talk we will demonstrate:
1. how to build a robust web security scanner that answers many questions you might have.
2. how to scale it up as an infrastructure,
3. how to integrate it into your own continuous delivery pipeline.

We will also discuss the difference in the nature of this project as compared to related works such as Mozilla Minion and Netflix Monterey.

Speakers
avatar for Bishan Kochar

Bishan Kochar

I am a security engineer at Yahoo, building automation wherever I can to make security transparent, proactive, effective and / or enabling. In the past I did pen testing, mostly web. Grew to actually trying to solve the problems. And that's what I keep doing today.
avatar for Albert Yu

Albert Yu

Security Engineer, Sr Principal, Yahoo
I works in the Yahoo Paranoid team, spending most of my time exploring how engineers build things and when stuff breaks. My current focus is to develop solutions that assure application security is kept intact regardless how fast we build and deliver.


Thursday September 24, 2015 10:30am - 11:25am
Room B

10:30am

Security as Code: A New Frontier
Companies are quickly racing towards DevOps and Agile to ensure they meet customer demands for automated solutions. And with this evolution, comes the need to further refine and innovate business processes that support product and service development. Along with other changes like migrations towards software defined environments and the Public Cloud, Security is fast becoming the new frontier for change because it plays a significant role in the deployment lifecycle for most applications, whether it be a gatekeeper or a partner in that process. New tools, products, and platform features are emerging within the security industry that requires a security professional to adapt their way of integrating with the software deployment process. Because of this, Security as Code is no longer just a dream of future nirvana, but a serious reality with a dramatic affect on how security professionals contribute value.

Security as Code is new and unchartered territory emerging from the integration of DevOps, Software Defined Environments, and Application Security practices. It is a foundational element for practicing DevSecOps and has inspired many within the security community to revisit the skills they have and the skills they will need for the future. We've been working with Ruby and developing APIs to support the security of a software defined stack and the domain applications deployed to the Public Cloud. This talk aims to bring the audience along on the experience of setting up for a Security as Code environment, the practices that have helped, the tools we use, and what we think is ahead of us.

A. Overview
We’ve been working in a mostly virtual environment for the past few years and have found that it has required a total shift in mindset, tooling, and operations to enable security within a software defined environment. With infrastructure and platforms rapidly being developed as APIs for developer and operator consumption, we’ve also realized that the job of security has grown in complexity, requires significant scale, and increased in speed. Meaning we haven’t been able to return to our checklists, manual controls, and assessments in a long time and now we can’t imagine going back. But mostly, we realized that the promise of getting better security by integrating with the Software Development Life Cycle and using automation to increase checks and tests as part of the deployment process is spot on.

B. Practicing Security as Code
Security as Code requires a program that supports organizing, mapping and testing policies, standards, and rules that secure infrastructure and applications within a software defined environment. Essentially, instead of developing perimeters, zones, and policies that get configured once to establish a data center driven by an applications purpose, software defined environments get created and assembled on an ongoing basis with security constantly changing and adapting to address new learnings, attack vectors, and remediation requirements. Security as Code is implemented by establishing a cross-between a Governance and Risk Management system and the Testing tools commonly deployed to support Application Security outcomes.

C. Tools of the Trade
We use a variety of tools to implement a resource based security controls program that helps with policy management, attack trees, and testing automation. We’ll talk about the tools we have developed in Ruby and some of the APIs we leverage from: Nessus, Burp, Maltego, Zap, Chef, and others to help reduce the time we spend automating for tests in our Security as Code pipeline. We’ll show how these tools come together to form the basis of our resource-oriented program and how we have developed a Grading system to provide for scaling remediation across our organization.

D. What’s Next?
We think we are at the forefront of change and that there are many new processes and tools to come. We’ve discovered many unsolved problems and few tools available to help with increasing the speed that security can be delivered when integrated with the Software Development Life Cycle. We’ll address the need for greater reconnaissance, some of the challenges of third parties, a lack of network controls, perimeter-less attack discovery, and auto-healing issues that arise from a shared responsibility model.

Speakers
avatar for Shannon Lietz

Shannon Lietz

Director, DevSecOps, Intuit
Award winning leader in security innovation with experience developing emerging security programs for Fortune 500 companies: Intuit, ServiceNow, Sony, Sempra Energy, Savvis, Cable and Wireless, 99 Cents Only, Exodus, Bank of America, among others internationally. Received the Scott Cook Innovation Award in 2014 for developing and cultivating a world class Cloud Security Program that allows for sensitive data to be protected in AWS. Ms. Lietz is... Read More →
avatar for Christian Price

Christian Price

Security Architect, Intuit | DevSecOps
Christian Price has over a decade of experience in various information security domains and is passionate about transforming how security teams contribute value and unlock innovation. Mr. Price is currently a security architect on the cloud security engineering team.


Thursday September 24, 2015 10:30am - 11:25am
Room C

10:30am

WebRTC, or how secure is p2p browser communication?
In this presentation, we will provide the OWASP audience the necessary insights in this emerging Web technology, and discuss the various security aspects of WebRTC. This content is based on a recent study of the Web Security specifications the author has been conducting together with researcher from W3C, IETF and SAP.
Firstly, the overall WebRTC architecture will be presented, and the enabling technologies (such as STUN, TURN, ICE and DTLS-SRTP) will be introduced. This architecture will be illustrated in multiple deployment scenarios. As part of this description, the basic security characteristics of WebRTC will be identified.
Secondly, we will discuss how the new WebRTC technology impacts the security model of the current Web. They will highlight some of the weaknesses they have spot during their security assessment, as well as discuss the open security challenges with the WebRTC technology.

Speakers
avatar for Lieven Desmet

Lieven Desmet

Research Manager, iMinds-DistriNet-KU Leuven
Lieven Desmet is Research Manager on Software Secure at the iMinds-DistriNet Research Group (KU Leuven, Belgium), where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in security of middleware and web-enabled technologies. Lieven is actively engaged in OWASP and is board member of the OWASP Chapter Belgium.
avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990ties and the early years of the new millennium he earned his living as a software engineer in... Read More →



Thursday September 24, 2015 10:30am - 11:25am
Room D

10:30am

Securing your application using Docker
In recent years applications have fundamentally changed, led largely by changing software development practices. These new applications not only behave differently but their architecture fundamentally changes how they are built, deployed, managed and secured over time. Instead of provisioning large servers to process a few large workloads in virtual machines or bare metal, collections of small applications are being run across a collection of commodity hardware. With more applications sharing the same OS, containers have risen as the appropriate model for packaging these smaller applications.

The best practices around security of applications have long recommended the use of multiple layers in order to increase the overall resilience of a system. Containers create exactly that: an additional layer of protection between applications and the host, and between the applications themselves.

This talk will go over how deploying your current applications using Docker containers makes your infrastructure safer by default. It will cover the topics of lifecycle management, best practices for Docker configuration and more advanced features, such as the use of Linux Security Modules (LSMs).

Speakers
avatar for Diogo Monica

Diogo Monica

Security Lead, Docker
Diogo Mónica is the Security Lead at Docker, an open platform for building, shipping and running distributed applications. He was an early employee at Square where he led the platform security team. He received his BSc and MSc degrees in Communication Networks Engineering and is currently a Security Researcher at the Technical University of Lisbon. Diogo also serves on the board of advisors of several security startups and is a long-time IEEE... Read More →


Thursday September 24, 2015 10:30am - 11:25am
Room A

10:30am

People & Capital - The Fire & Fuel for Chapter Activities
Meet the Staff - You've read our emails, chatted with us on Slack and heard us on podcasts and hangouts. Now it's your opportunity to meet the OWASP Staff and learn how they can help you get the resources you need for your chapter. No costumes or magic, just the power to get it done

Show me the Money - Funding. Where it is, What it can be spent on, How to get reimbursed ASAP. Executive Director Paul Ritchie will present a mini State of the Foundation to uncover how OWASP gets funding and how you can get access to the funding you need to run a successful event. We will also exchange ideas about hosting events like OWASP Days and trainings that help you connect with your community and raise funds for your chapter.

Moderators
avatar for Noreen Whysel

Noreen Whysel

Community Manager, OWASP Foundation

Thursday September 24, 2015 10:30am - 11:30am
Room F

11:30am

Blending the Automated and the Manual: Making Application Vulnerability Management Pay Dividends
DevOps puts an intense focus on automation – taking humans out of the loop whenever possible to allow frequent, incremental updates to production systems. However, thorough application testing often has multiple components – much of this can be automated, but manual testing is also required. This is inconvenient and not “DevOps-y,” but is unfortunately an unavoidable requirement in the real world. In addition, managing these multiple sources of application vulnerability intelligence often requires manual interaction – to clear false positives, de-duplicate repeated results, and make decisions about triage and remediation.

Axway has rolled out an application security program that incorporates automated static and dynamic testing, attack surface analysis, component analysis, as well as inputs from 3rd parties including manual penetration testing, automated and manual dynamic testing, automated and manual static testing, and test results from vendors providing test data on their products. Automation has allowed Axway to increase the frequency of web application testing, thus reducing the cycle time in the application vulnerability “OODA loop.” Moving beyond the identification of vulnerabilities, Axway has deployed ThreadFix to automatically aggregate the results of the automated testing and de-duplicate findings. 3rd party penetration testers are also finding vulnerabilities and reporting them in reasonably structured CSV files requiring Axway to convert this manual test data and incorporate it into the aggregated vulnerability model in ThreadFix. Centralizing this pipeline allows for metric tracking – both for the application security program as a whole as well as on a per-vulnerability-source basis. This automation and consolidation now covers 50% of Axway’s application vulnerability review process - with plans to extend further.

This presentation walks through Axway’s construction of their application security-testing pipeline and the decisions they were forced to make along the way to best maximize the use of automation while accommodating the reality of manual testing requirements. It then looks at how this testing regimen and the associated automation have allowed them to impact deployment practices as well as collect metrics on their assurance program. Finally, it looks at lessons learned along the way – the good and the bad – and identifies targeted next steps Axway plans to take to increase the depth and frequency of application security testing while dealing with the deployment realities placed on them to remain agile and responsive to business requirements.

Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
avatar for Steven Springett

Steven Springett

Principal Application Security Architect, Axway
Steve educates teams on the strategy and specifics of developing secure applications. He supports the security efforts of 600 engineers across 40 diverse teams in a global continuous security environment. | | He is an open source advocate and is active in the OWASP community supporting several open source projects including OWASP Dependency-Check and Dependency-Track.



Thursday September 24, 2015 11:30am - 12:25pm
Room B

11:30am

Customizing Burp Suite - Getting the Most out of Burp Extensions
This presentation will provide an overview of developing extensions for the Burp Suite intercepting proxy. Using examples from extensions developed by the author we will discuss a number of key areas for anyone wishing to develop extensions for Burp Suite:

- Request modification
- Passive scanning
- Active scanning
- Identifying insertion points
- Integrated graphical user interface tab

Speakers
avatar for August Detlefsen

August Detlefsen

Senior Application Security Consultant, CodeMagi, Inc.
August Detlefsen (California) is a Senior Security Consultant who has presented at JavaOne (2008, 2012) as well as AppSec USA (2014, 2015) and is the co‐author of Iron‐Clad Java: Building Secure Web Applications. August also teaches customized secure coding classes for large and small clients.
avatar for Monika Morrow

Monika Morrow

Senior Security Consultant, AppSec Consulting
Monika Morrow is a Senior Security Consultant at AppSec Consulting. She has four years of experience testing mobile and web applications built on top of a foundation of six years developing software. Having transitioned from a builder to a breaker she enjoys occasionally writing tools to automate tasks or add functionality. An active member of the community you can usually find Monika at monthly dc408 meetings or planning an event for DEF CON.


Thursday September 24, 2015 11:30am - 12:25pm
Room D

11:30am

The Inmates Are Running the Asylum – Why Some Multi-Factor Authentication Technology is Irresponsible
Outline:
- Define multi-factor authentication
- Describe the current state of the technology
- Describe key problems
o 2D fingerprints, other already-hacked biometrics
o QR codes
o SMS OTP (subject to MITM)
o JavaScript requirements
o Weak account recovery methods
o Lack of mobile device risk analysis, not using OWASP Mobile Top 10 Risks for mobile
o Encryption with backdoors
- Recipe for what you can do

As German defense minister, Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs. Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable?

It is easy to reset a password. It is hard to reset fingerprints.

Why are there over 200 multi-factor authentication vendors? Why is multi-factor authentication so expensive? Are there open source alternatives? What is the FIDO Alliance? Is it marketing hype or great standards?

Unfortunately, the current multi-factor technology offerings reflect evolutionary slip-slide, not quantum leaps forward. However, one or two technologies show promise.

Speakers
avatar for Clare Nelson

Clare Nelson

Founder, CEO, ClearMark Consulting
Carnivorous, competitive yogi. | | Passionate about multi-factor authentication, IoT, mobile security. Over 30 years in industry. Worked on encrypted TCP/IP variants for NSA. System administration was the best schooling ever, beside a degree in math. Have done product management, sales, and alliances (so I can help you avoid bad sales experiences-- if a sales person is too pesky, just ask for the product's threat model). Was VP Business... Read More →


Thursday September 24, 2015 11:30am - 12:25pm
Room A

11:30am

Hack the Cloud Hack the Company: the Cloud Impact on Enterprise Security
iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against true-to-life attack and penetration activities that real attackers use in the breaches that make headline News (and the breaches that don't).

Organizations that use Cloud Services to provision an operating environment to support a product, or use Cloud Service Providers to outsource elements of traditional enterprise IT into the Cloud, can find those very aspects used against them in an attack. While the potential attack surface for a breach changes, in many ways the use of Cloud infrastructure can make it easier for an attacker to gain access to critical systems and data. In this session the speaker will describe methods of penetration used during recent tests, illustrating how Cloud Services are viable entry points that lead to significant compromises. The following areas will be discussed:

- Common mistakes in deploying Internet-facing Cloud infrastructure
- Replication and communication paths between Cloud and on-premises infrastructure
- Effective ways for attackers to gain access to the Cloud Service administration console
- How the use of Cloud Services is weakening enterprise IT security
- Methods for securing Cloud Services, closing vulnerabilities and protecting the company

This session is a must-see for enterprise security professionals, software developers, system administrators and penetration testers.

Speakers
avatar for Kevin Dunn

Kevin Dunn

Technical VP, NCC Group
Kevin Dunn is Technical Vice President for NCC Group in Austin, TX. Kevin has been a professional security consultant for over 14 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. He has delivered technical training and spoken at security conferences all over the USA and Europe across the majority of his career. His current responsibilities include active delivery of security... Read More →


Thursday September 24, 2015 11:30am - 12:25pm
Room C

11:30am

I’m a Leader. Now What? - Basic Information for Jump Starting a Chapter
How to Get ‘em, How to Hold ‘em - Recruiting members and volunteers can be a challenge. Learn from other chapter leaders as we discuss ways to increase membership and provide opportunities to lead and to volunteer. What types of meetings draw the most engaged audience? How do you host a conference or training event? What jobs do you have for volunteers to participate? How do you reward them?

Chapter Leader Handbook - Sometimes it helps to read the instructions. The Chapter Leader Handbook, written by and for the community, is your path to a successful chapter. There are very few rules but lots of guidelines. We will discuss OWASP values and how and whether the current handbook helps you manage your chapter within those values. We will also look at what if anything needs to change.

Moderators
avatar for Noreen Whysel

Noreen Whysel

Community Manager, OWASP Foundation

Thursday September 24, 2015 11:30am - 12:30pm
Room F

12:30pm

Lunch
Thursday September 24, 2015 12:30pm - 1:00pm
TBA

1:00pm

Protecting your Web Application with Content Security Policy (CSP)
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslZUw1RDhXX0UwVVU&usp=sharing
Please download before arriving at the conference!

The basic problem of XSS has been known at least since the year 2000.
Nonetheless, XSS is as widespread as ever, even though an astonishing amount of thought, attention and education has been devoted to the topic. Apparently, the convoluted mess of server-side scripting, transport level rewriting and heterogeneous client-side processing (which is commonly know under the term "the Web") is too complex to allow a robust SDL-based solution to succeed.

Content Security Policy (CSP) is a highly promising, new way to address this old problem. The currently established approach to counter XSS is trying to identify untrusted data and attempting to prevent that this data influences the semantics of the application's JavaScript. CSP breaks away from this practice: Instead of spotting bad scripts, CSP allows the server to precisely tell the Web browser, which scripts are actually allowed to run, thus, enabling the browser to robustly stop all injection attempts. This way, by the means of a simple policy, the fast majority of XSS vulnerabilities can be efficiently

In this lightning training, the fundamental mechanisms of CSP are covered:

* Protection capabilities and surface of CSP
* How to design strong CSP policies
* How to build CSP compliant web applications
* Using CSP's reporting functionality

To do so, the students work with a insecure legacy Web application (which is provided in the form of a virtual box image). After the practical identification of several XSS problems, the students will first deploy a strong CSP policy to prevent exploitation. Then, subsequently the students will use CSP's reporting mode to iteratively adopt the policy (and parts of the application code) to match the application's functionality requirements. Finally, after deploying the policy, the students can test themselves, that the previously found vulnerabilities are indeed mitigated. 

Speakers
avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990ties and the early years of the new millennium he earned his living as a software engineer in... Read More →


Thursday September 24, 2015 1:00pm - 1:55pm
Room E

1:00pm

A New Ontology of Unwanted Web Automation
Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Some examples commonly referred to are:

* Account enumeration
* Click fraud
* Comment spam
* Content scraping
* Data aggregation
* Email address harvesting
* Fake account creation
* Password cracking
* Payment card testing
* Site crawling
* Transaction automation

Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

This presentation for the first time describes the work undertaken earlier this year and the concrete outputs completed including a new ontology of web application automation threats. Additionally the talk describes the primary and secondary symptoms, and current efforts to document and map relevant mitigations and protections. Attendees who own or operate production web sites, web APIs and other web applications will gain knowledge gathered from research and their peers about these threats, attack vectors, detection methods and protections against the unwanted automations.

To develop the ontology, research was undertaken to identify prior work and existing information about the types of automated threats to web applications using academic papers, breach reports, security incidents, and existing attack and vulnerability taxonomies. This has been refined using insider knowledge from application security experts and using interviews with web application owners. The initial objective was to assess and define a shared vocabulary about these sorts of "attacks", so that the problem can be defined and addressed further. The analysis focused on real-world external threats and attack vectors, although the impacts on individuals, intermediaries, partners and third party organisations are also being considered. Common Misuse Scoring System (CMSS) has been used in the analysis. The generated web application-specific ontology has also been mapped to other relevant sources including Security Content Automation Protocol (SCAP) components and the relevant parts of Mitre's Common Weakness Enumeration and Common Attack Pattern Enumeration and Classification (CAPEC).

The ontology has been published by the "OWASP Automation Threats to Web Applications Project" and is free to download and use. This OWASP project is intended to be an information hub for web application owners, providing practical resources to help them to protect their systems against these automated processes. The project is also seeking input in the form of event data that can be used to rank the threats for sectors such as financial services, ecommerce, hotel, travel, government, social media, gaming and gambling.

Speakers
avatar for Colin Watson

Colin Watson

Technical Director, Watson Hall Ltd
Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He holds a BSc in Chemical Engineering from Heriot-Watt University in Edinburgh, and an MSc in Computation from the University of Oxford.


Thursday September 24, 2015 1:00pm - 1:55pm
Room C

1:00pm

Practical Timing Attacks using Mathematical Amplification of Time Difference in == Operator
Timing attacks are usually undervalued by most web penetration testers. In this presentation, I’ll talk in details about timing attacks. I’ll focus specifically on the wrong use of the == operator and equals function which does byte by byte comparison in all modern programming language such as.NET, Java and Python. Using the == operator and equals functions in sensitive operations could lead to complete compromise of the system. The novelty of this talk is in the updated mathematical equation i used to increase the time difference response from the vulnerable server and hence improve the accuracy (the last equation in the the following section). The other important aspect is the real-world attacks examples that I'll present and finally I'll cover the challenges to timing attacks (like network delays) and how did I overcome it in my attacks.

Timing attacks are very tricky. The sources of noise are many. You can always fall in the trap that the data you gathered and analyzed mean something while actually it doesn't. Following the right approach (that I'll explain in this presentation), you can convert the non-feasible brute-force attack against a system to a feasible timing attack.

The main equation that drives this attack is as follows:
c := is the character set of the target string
n := is the total length of the target string

Brute Force:
c^n trials
(usually infeasible to perform. Sometimes you need the earth time to break the system)

Timing Attack in a perfect environment:
c * n
(usually infeasible also due to noise)

Realistic Timing attack:
c^t * n/t * l
where t << n and c^t can be generated in reasonable time
l is the number of trials needed to reduce the error of noise and distinguish between valid and invalid trial

By carefully selecting the t, a timing attack can be performed. t should be big enough to make statistical difference over the variance in network delay and small enough to execute the attack in reasonable time. Statistical approaches such as the null and alternative hypotheses are some of the means to analyze the timing attack results.

Speakers
avatar for Mostafa Siraj

Mostafa Siraj

Senior Security Analyst
Mostafa is an information security professional specializing in application security. He started his career as a freelance developer working in all major programming platforms (.NET, Java, Python, Lisp, C++) with clients from all over the world, shortly after, he admired the application security field and moved with passion to the ethical hacking world. With a thorough academic knowledge in math and cryptography, Mostafa likes to examine... Read More →


Thursday September 24, 2015 1:00pm - 1:55pm
Room D

1:00pm

Strengthening the Weakest Link: How to Manage Security Vulnerabilities in Third Party Libraries Used by Your Application
Organizations are increasingly incorporating open source software into their applications. Leveraging existing software to provide generic functionality results in reduced development costs as well as faster time to market.

However, along with these benefits, this freely available software also comes with an inherent problem – security vulnerabilities. While the advantages of using open source software are obvious, the negative impact on security brought on by their use is insidious.

While organizations spend enormous effort in securing their applications, most of this effort goes toward securing the part of the application that was developed in-house. A relatively small percentage of effort goes toward evaluating vulnerabilities in open source software, if they are considered at all. This makes open source libraries the weakest link in the security chain of an application.

We will present the current status of vulnerabilities in commonly used third party libraries and their impact on your application. We will then discuss an approach to holistically secure your application: a combination of securing in-house code and managing the security risk of third party libraries that are used.

Speakers
avatar for Krishnan Dhandapani

Krishnan Dhandapani

Information Security Professional, Wells Fargo
Krishnan is currently an information security professional at Wells Fargo, involved in research and implementation of security solutions. He combines his solutions with his quest for automation. | He graduated from The University of Kansas. What he learns from his profession, he loves to share as an adjunct professor. While not doing information security, he finds his moments of zen in travel, photography, and making kids laugh.


Thursday September 24, 2015 1:00pm - 1:55pm
Room B

1:00pm

Chimera: Securing a Cloud App Ecosystem with ZAP at Scale
One of the biggest challenges in maintaining a cloud application ecosystem with software developed by Independent Software Vendors (ISV's) and Developers is ensuring that data within that ecosystem stays secure. It's impossible for a centralized security team to be responsible for every ISV's product security, code maintenance, etc - yet in the eyes of the public responsibility for the ecosystem lies with that centralized team. With Chimera, we're trying to make that responsibility a little easier to share.

The Salesforce AppExchange has over 2,650 apps available and the majority of them connect to an external web service. Although these external systems are not under our control and are, to us, black boxes, we consider trust in the ecosystem of paramount importance and spend significant time and resources on ensuring the security of these apps. Even with rigorous security auditing and penetration testing by a large security team, that is a huge ecosystem to keep secure.

One of our main goals and missions is to be ambassadors and educators for good security practice to our ISV community as they develop on our platform. Many of these development teams are small groups if not individual developers. While none of them are trying to be insecure, relatively few of them have a security team or security experience.

The goal of Chimera is to make security scanning easier and more accessible for small developers and ISV's who don't have their own security engineers. Learn how we are using the Heroku platform to make ZAP and many other industry-standard tools available through the cloud at scale and at the consumer level with no security expertise required! We'll also discuss some of the tools we are building to make use of data collected by ZAP in the cloud to help predict where future vulnerabilities or exploits may occur within the scanned ecosystem.

Speakers
avatar for Tim Bach

Tim Bach

Senior Product Security Engineer, Salesforce
Tim Bach is a Senior Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and the research/development of security tools and automation. A firm believer that product security is a shared burden for all developers, engineers, and executives much of his work revolves around making security tools and instrumentation available to and consumable by those who do not specialize in security... Read More →


Thursday September 24, 2015 1:00pm - 1:55pm
Room A

2:00pm

Security Requirements Identification using the OWASP Cornucopia Card Game
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslT19XS2xPUWF2QnM&usp=sharing
Please download before arriving at the conference!

OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example ecommerce application to demonstrate how to utilise the card game. After a brief introduction, attendees will split into smaller groups to play the game. Participants of this session will gain insights into relevant web application threats, learn how to use the card game with their own colleagues subsequently, and find out the most important aspects to obtain the greatest benefits for security requirements definition, and/or threat modelling, and/or security training.

Speakers
avatar for Colin Watson

Colin Watson

Technical Director, Watson Hall Ltd
Colin Watson is founder of Watson Hall Ltd, based in London, where his work involves the management of application risk, designing defensive measures, building security & privacy in to systems development and keeping abreast of relevant international legislation and standards. He holds a BSc in Chemical Engineering from Heriot-Watt University in Edinburgh, and an MSc in Computation from the University of Oxford.


Thursday September 24, 2015 2:00pm - 2:55pm
Room E

2:00pm

Ah mom, why do I need to eat my vegetables?
Mom had a good reason for you to eat your vegetables; same thing goes with Application Security. It’s the good solid meat and potatoes (and broccoli) that help our programs grow up big and strong. The latest software development practices are out pacing traditional application security programs. Agile and DevOps are increasing the speed and frequency of development and deployments. Traditional application security is either slowing the process down or being bypassed; neither path is good for business. Security must be integrated into the process so that it is not an afterthought that inhibits the release of new features and fixes, but rather an expectation set up front.

Does your organization have unlimited resources? Of course not, you need to know where (and how) to spend the limited resources that are available to you. If you have an unknown number of applications with unknown levels of risk; how do you know which ones you should spend your limited time and resources on (and to what level of effort)? This critical understanding of the security stature of an application is not possible without a solid secure development program.

You hear the terms "proactive application security” or “earlier in the SDLC” often where someone is talking about how they managed to get pen testing or code review earlier in the testing cycle. This is an all too common pitfall in Secure Development and is often bypassed when seen as an impediment to delivery. There is a lot of time and money spent on the post-code activities: code review, functional testing, vulnerability assessments, and penetration testing. These are crucial activities for validating the current state of the application; but they are simply too late and too slow by themselves.

If you security team is only searching for vulnerabilities, they are not looking at the big picture; and they are doing your developers a disservice. Your developers are being held to security requirements that were not part of the original application design. Before you get to a security assessment, you need a line of sight from the potential threats to the application, through the resulting security requirements, the design/architecture, and how the design incorporated security controls at the right levels to help mitigate those identified threats.

Hear about what’s worked and not worked for different organizations in both the public and private sectors over several years of building secure development programs. There will be a focus on understanding the key components of a successful Secure Development Program, along with the critical differences when integrating with development life-cycles like Waterfall and Agile, and DevOps. See how secure development can feed your Risk Management Framework and other key initiatives and learn how a Secure Development Program may even justify its own existence.

Speakers
avatar for John Pavone

John Pavone

CEO, Aspect Security
As a proven leader and IT professional, John has concentrated solely on security for the last 20 years,  | holding various security leadership positions including VP of Application Security Program Services,  | Application Security Program Manager and Enterprise Security Architect. John is a frequent  | speaker/instructor at major conferences such as OWASP, BlackHat, FS-ISAC, and SecureGov. John’s key ... Read More →


Thursday September 24, 2015 2:00pm - 2:55pm
Room B

2:00pm

Efficient Context-sensitive Output Escaping for JavaScript Template Engines
Despite being known for more than a decade, Cross-Site Scripting (XSS) vulnerabilities are still very prevalent and frequently reported by security researchers. This partially explains why it is constantly ranked among Top 3 of the OWASP Web Application Security Risks since 2007. To defend against XSS, the most recommended approach is to apply output escaping based on the context (e.g., data, attribute, URL) that untrusted data will be placed into.

Nevertheless, realizing the context-sensitive escaping approach is a very complex process. For instance, the href attribute of an anchor tag is a compound context made up by a URI and attribute value context, for which secure escaping will involve using html entity encoding, percent-encoding, and a protocol validator to prohibit javascript: protocol.

Modern template engines only attempt to mitigate the vulnerabilities with a context-insensitive approach, therefore blindly escaping some special “XSS characters” (e.g., &, <, >, ', ") for all data that will replace the output expressions. Hence, malicious inputs known to be often injected through output expressions are encoded to their equivalent HTML entity representations that will not be rendered as executable scripts. Only a few large Internet corporations can afford to enhance the output expression escaping with a context-sensitive approach, but the solutions are specific to their own development and template frameworks (e.g., Closure). Other web applications, incapable of switching to those frameworks or lacking expert level of security supports, are remain vulnerable.

To address various needs of the majority, we propose a new set of solution, of which the components are loosely-coupled and readily available for extensions and standalone uses.

- Context Parser. Engineered from scratch, Context Parser is a heavily optimized HTML parser that is completely compliant to the latest HTML 5 standard. For instance, It eliminates unnecessary parsing rules and parsing tree construction. The processing speed is among the most efficient parsers of its type.

- Just Sufficient Escaping. We redesign a new set of context-sensitive XSS filters to escape only those characters that can possibly break out from the specific output contexts. Unlike other existing filters, the just sufficient escaping filters accurately avoid unnecessary escaping. Compared to the context insensitive filter, our filters are more secure, up to two times more efficient, and have also solved the age-old problem (such as those extra &lt;) of double/over-encoding.

- Template Compiler. Applying context-sensitive escaping manually is error-prone. Therefore, we need an automatic compiler capable of conducting contextual analysis. We build the first compiler for an open and popular template engine (i.e., the Handlebars JavaScript template engine) to facilitate immediate adoption.
a) Template Contextual Analysis. A standalone and handy tool is made available to perform automatic contextual analysis on the templates, and detect dangerous uses of output expressions and branching conditions.
b) Automatic Context-sensitive Escaping. The compiler analyzes a template and can automatically detect the contexts and insert the corresponding escaping filters. With the precompilation model, the analysis and filter insertion processes are completely offline, and thus require only the efficient escaping during runtime. All it requires from developers is only a few line of code changes to adopt the solution for both server or client-side rendering.

The solution is applied to one of the largest public-facing properties of Yahoo. The template compiler takes less than two and a half seconds to scan and process over 880 template files. Hence, it incurs insignificant performance overhead to incorporate the compiler into the regular build process. The template contextual analysis is able to flag output expressions that are placed in dangerous contexts such as script tag and attribute. We also verify that the context-sensitive filters are inserted in appropriate contexts. Most importantly, contexts such as unquoted attribute value and URI, that were unprotected by the context-insensitive approach, are now made invulnerable to XSS with the context-sensitive escaping.

Speakers
avatar for Adonis Fung

Adonis Fung

Yahoo!
Adonis Fung (Adon) joined Yahoo as a security paranoid. His recent research interests are in the areas of secure application development and web application scanning. He lectures an advanced undergraduate course - Web Programming and Security, for the Chinese University of Hong Kong. Adon obtained his PhD for web application security research, and was consulted about online banking vulnerabilities by the monetary authority and financial... Read More →
avatar for Nera Wing Chun Liu

Nera Wing Chun Liu

Information Security Engineer, Yahoo!
I am the information security engineer from the Yahoo! and my focus is on the web applications security.
avatar for Albert Yu

Albert Yu

Security Engineer, Sr Principal, Yahoo
I works in the Yahoo Paranoid team, spending most of my time exploring how engineers build things and when stuff breaks. My current focus is to develop solutions that assure application security is kept intact regardless how fast we build and deliver.


Thursday September 24, 2015 2:00pm - 2:55pm
Room D

2:00pm

Secure Authentication without the Need for Passwords
The recent major hacks at Sony, Target, Home Depot, Chase and Anthem all have something in common; they all gained access by stolen credentials. Hacking credit/debit cards is a growth industry, 66% CAGR. As more information and transactions are conducted online, the need for securing this information and these transactions is becoming paramount. There is increasing pressure to secure this information, customers wants it and shareholders are demanding it. Government regulations are good but they come slowly and the fraudsters seem to be gaining the upper hand.

There are a number of various biometric technologies being used with moderate success. Fingerprint, facial recognition, iris scan and voice recognition all provide a good level of security but are week in the area of usability.

Behavioral Biometrics is an area that offers ease of use, high level of security and does not require the need for passwords. An additional benefit is that there is nothing to remember, no special equipment and no personal identifiable information is used. Unlike the other biometric modes, the attributes are revocable which is useful in the corporate world.
How does it work? One scenario is authenticating login. It is a software-based second-factor biometric authentication solution. The technology compares, in real-time, users’ keying of known text against a previously-assembled cadence and habit library built using that known text. No keystroke character data is required for this comparison, only the keystroke timing data.

Some software algorithms function by comparing two chunks of independent typing samples (any text) and provides a statistical analysis of whether the same person typed it and how confident that is it the same person. Applications include, insider threat analysis, continuous monitoring, determining if it is still you after have successful login, and validating distance learning/certification.

These types of authentication are easliy configured and protect against MITM and MITB attacks.

Speakers
avatar for Don Malloy

Don Malloy

Chairman, OATH
Donald Malloy is the Chairman of OATH, The Initiative for Open Authentication. OATH is an industry alliance that has opened the authentication market from proprietary systems to an open source standard based architecture promoting ubiquitous strong authentication.Malloy has more than 20 years’ experience in the Security and Payment industry and is currently an technology consultant assisting companies with the development of their security... Read More →


Thursday September 24, 2015 2:00pm - 2:55pm
Room C

2:00pm

QARK: Android App Exploit and SCA Tool
Ever wonder why there isn't a metasploit-style framework for Android apps? We did!

Whether you're a developer trying to protect your insecure app from winding up on user devices, an Android n00b or a pentester trying to pwn all the things, QARK is just what you've been looking for!

This tool combines Static Code Analysis with source-sink mapping, teaching by detailing misconfigurations, citing research detailing the issues and automatic exploitation into one, simple to use application!

Our tool will review any Android app, either from source or APK, highlight version specific issues, detail your app's attack surface, inspect all your app components for misconfigurations and allow you to create on-demand proof-of-concept attack applications.

Speakers
avatar for Tushar Dalvi

Tushar Dalvi

Senior Information Security Engineer, Vulnerability Research & Assessment, LinkedIn
Tushar loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, a pool hustler and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior... Read More →
avatar for Tony Trummer

Tony Trummer

Staff Information Security Engineer, LinkedIn
I am a security enthusiast and passionate about Android security in particular. You can talk to me about anything from skateboarding to cosmology.


Thursday September 24, 2015 2:00pm - 2:55pm
Room A

2:00pm

Career Fair
Join us at our 2 hour career fair during the OWASP AppSecUSA conference.
Admission into the career fair only with AppSecUSA ticket.

Thursday September 24, 2015 2:00pm - 4:00pm
Pacific H, I, J, K, L & M

3:00pm

Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslcEp4dGJKcV9xdG8&usp=sharing
Please download before arriving at the conference!

The OWASP Benchmark is a test suite designed to evaluate the speed, coverage, and accuracy of automated vulnerability detection tools. Without the ability to measure these tools, it is difficult to understand their value or interpret vendor claims. The OWASP Benchmark contains over 20,000 test cases that are fully runnable and exploitable.

This training class will provide attendees with details of how the Benchmark was developed, what the tests cover, and how to use it to evaluate tools. Students will be able to download a VM with the entire Benchmark fully installed and ready to go. They will be able to compile all the tests, run tools against the benchmark, and generate scorecards for all the tools they run. The scorecards describe how each tool did, as well as allow for quick comparisons between the tools. The VM will include numerous open source security vulnerability detection tools they can use in the class, and if they have access to commercial vulnerability detection tools, they can use those as well.

Speakers
avatar for Dave Wichers

Dave Wichers

COO, Aspect Security
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting company that specializes in application security services. He is also a long time contributor to OWASP, helping to establish the OWASP Foundation in 2004, serving on the OWASP Board since it was formed from 2004 through 2013, served as OWASP Conferences Chair from 2005 through 2008, is a coauthor of the OWASP Top 10 and has led the project since... Read More →


Thursday September 24, 2015 3:00pm - 3:55pm
Room E

3:00pm

Sinking Your Hooks in Applications
Attackers typically have more compute resources and can spend much more time breaking components of applications than the engineers that write them in the first place. Since the pressure is on developers to release new code, even at the expense of security best practices, expecting all application vulnerabilities to be detected and remediated in advance of an application’s release is unrealistic to say the least.

One approach to combat this is to automatically build more security into the applications themselves. In this talk, the speakers will demonstrate some techniques to leverage the hooking of potentially vulnerable code paths in production applications and injecting code to introduce additional layers of security without requiring developers to write any code or recompile the applications. Specific examples will be given of hooking Java, .NET and Ruby frameworks.

Speakers
avatar for Richard Meester

Richard Meester

Software Engineer, Prevoty
Richard's primary focus is developing solutions for XSS/SQLi detection and protection in the .NET framework.
avatar for Joe Rozner

Joe Rozner

Software Engineer, Prevoty
Joe Rozner is a software engineer at Prevoty where he has built semantic analysis tools, worked to develop new methods to more accurately detect SQL injection and Cross Site Scripting (XSS), and designed novel integration technology leveraging runtime patching. His focus on LangSec and formal languages has allowed him to develop novel approaches to traditionally difficult problems in the security space. In his spare time he’s developed custom... Read More →


Thursday September 24, 2015 3:00pm - 3:55pm
Room C

3:00pm

Continuous Cloud Security Automation
Security can be hard to get right. In many organizations, security teams can be relatively small and scaling such teams to tackle the world of continuous software delivery is a very practical challenge. Getting core security tools adopted can be difficult and, when they are, they are often run as just a checklist item. Automation can come to the rescue for this challenge.

We will be presenting a new distributed framework under development where adding any security tool is as easy as adding a plug-in, requiring minimal development effort. This framework can scale to help minimize false positives. One more advantaged of this approach is that it is a client-server based architecture that helps to scale security across teams and works perfectly in a cloud environment like Amazon AWS.

This framework works in client-server mode and is exposed via REST APIs. A few key principles of this framework are:
1 Scalable: Adding any tool to framework can be done using a simple driver file, no bigger than 15 lines of Javascript code. The popular Eclipse development tool inspired this model.
2 Secure: Every component of framework should be self-secured.
3 Cloud-ready: Architecture of framework must support cloud deployment.
4 Agnostic of tools: framework should be agnostic to any architecture and tools used by development teams.
5 Should be easy to update: Updates to framework should be automated using an easy, yet secure, protocol.

This will be live demo of the framework with testing on demo sites. This framework is specifically designed for devops and security team use.

Speakers
avatar for Rohit Pitke

Rohit Pitke

Security Engineer, Adobe Inc
Software Security Engineer with Adobe, I make sure that Adobe Document Cloud is reasonably secure by design, implementation and deployment. I enjoy building secure stuff that are hard to break. | I am offensive security certified professional(OSCP)


Thursday September 24, 2015 3:00pm - 3:55pm
Room A

3:00pm

Practical Application Security Management- How to Win an Economically one-sided War
Human human behavior can be reasonably measured by economic theory. Incentives and Penalties are huge drivers that motivate people to behave in certain and predictable ways. The larger the economic benefits, the more coercible is a person to behave in a desired way.When looked from this economic perspective, the security battle seems to be hard to win. due to the skew in economic for various stakeholders in this game
Opponents
1) Perception – Security benefits typically fly under the radar when it’s working well. A good security program prevents incidents and breaches which over time can lead to complacent attitudes by management and finance.
2) Budget - A security professional has a cost or expense budget that cannot be exceeded - hackers have no marginal cost
3) Time - A security assessment has a definite deadline for completion, usually release timelines, etc. No such artificial barriers for a hacker.
Collaborators - Developers, product management
1) Developers have a different goal that they are measured on, usually on delivery – and security issues interfere with their objectives.
2) Product managers are racing against deadlines and competitors to release the product - Any delays have an immediate financial impact, compared to a theoretical exploit scenario.
Application Security professionals
1) An enormous number of false positives in automation (code reviews specifically) due to context differences, wastes a lot of scarce bandwidth.
2) The effort needed on security is continuous, whereas a point in time insecurity can be easily exploited.
3) Application security is still heavy on manual effort- No commercial tools can find functional issues like indirect object reference, privilege escalation, etc.
4) Performing security assessments is expensive- usually billed by the hour. When an assessment doesn’t find anything to report, the cost can be perceived as “wasted”.
Solutions
I propose some practical and tested methods that increase the chances of success. I have listed a few here
1) Have a dedicated application security team. Developers doing security reviews will always have a conflict of interest.
2) The cost of fixing issues identified during Code reviews/penetration testing) is highly expensive , and may even be in feasible to correct without architectural changes. Avoiding bugs is better than fixing bugs. A few of the known techniques(which work) are
a. Developer Training - On Joining as well as on regular(annual) basis
b. Security should be integrated with SDLC - Involvement at the requirements and design review stage can preempt most architectural issues
3) Befriend Developers - relationships typically supersede economic considerations. – Some of our application security engineers (Ex developers) build a very cordial relationship with developers, often aiding them in non-security situations .
4) Incentivize developers, especially when a high severity issue is fixed with urgency, with Rewards, gift certificates, etc. Tap into your company’s incentive program – or start one.
5) Automation - While commercial/open source tools may not have the context to find functional issues, you may customize or build your own tools to reduce manual effort. For example, static analyzers like Fortify have custom rules that can automate human knowledge.
6) Continual Security - Track CVE/NVD for known issues. Tools like OWASP dependency checker can make your life easy.
7) Cost of vulnerability assessments/Penetration testing
a. If you are a B2C organization - Bug bounty programs can help keep costs in control.
b. If you are a B2B service - Encourage your clients to run their own penetration tests on your service. Never miss an opportunity to get free consulting.

Speakers
avatar for Dheeraj Bhat

Dheeraj Bhat

Director- Application Security, Yodlee Inc
Dheeraj Bhat has about 13 years of experience in various information security domains including Identity and Access management,Digital Rights management and Application Security. With experience in Security product management, development, consulting, code reviews and penetration testing, currently Dheeraj manages the Application Security Program at Yodlee Inc. Dheeraj is a Computer Science Engineer by education and holds the CISSP,CISM and... Read More →


Thursday September 24, 2015 3:00pm - 3:55pm
Room D

3:00pm

'SecureMe – Droid' Android Security Application
SecureMe – Droid is an Android security application that notifies the user of publicly known vulnerabilities found in the installed version of applications on the user’s device. The application has been built on a client-server model so that user’s device has to perform least CPU operations and the network traffic is also limited.

The current version of SecureMe – Droid uses only NVD CVE XML database to find vulnerabilities and security weaknesses in apps using its application name, package name and version number.

SecureMe – Droid has an easy to use interface which allows user to configure the scanning options, check installed applications for vulnerabilities along with other application behavior actions.

Android broadcast action "android.intent.action.PACKAGE_ADDED” is released when a new Android application package is installed and "android.intent.action.PACKAGE_REPLACED" is released when an existing Android application package is either upgraded or replaced. Do not that these broadcast actions are automatically generated and released by Android itself when a new Android app is installed/ upgraded/replaced.
SecureMe – Droid passively listens for these two broadcast actions to identify when a new application has been installed or an existing application is upgraded or replaced.

Settings allow to tweak the app notifications and search depth according to user's choice. The app allows the user to choose from Intense (2010-2014) to Low (only 2014) CVE database to search for vulnerabilities and weaknesses. Default search depth is Medium (2012-2014).

User can check single, multiple or all apps for vulnerabilities using an easy to use user-interface.

The Scheduled Scan feature allows the user to configure a scheduled scan of installed apps using SecureMe – Droid. At present scheduler can run weekly/monthly/yearly.

To avoid exploitation due to excessive Android permission, SecureMe – Droid requires only two permissions to run on an Android:
1. Internet Access (android.permission.INTERNET)
2. Run at startup (android.permission.RECEIVE_BOOT_COMPLETED


SecureMe – Droid does not access or transmit any sensitive user information and respects privacy at all times. The data that accessed from user's device are:
The only information which gets accessed and transmitted are listed below:
1. Application Name
2. Application Package Name
3. Application Version Number
4. Application Version Name
5. SecureMe – Droid Search Depth setting (1-5 only)
6. SecureMe – Droid Vulnerability Details settings (1 or 0)

Speakers
avatar for Vishal Asthana

Vishal Asthana

Director (India), Security Compass
Preventive side of AppSec appeals to me as a result of which, researching various aspects of SDLC Security and Agile Security will always be of interest. To that effect, was fortunate to have led a cross-org. 2012 SAFECode paper on Practical Software Security Guidance for Agile practitioners. Regarding my current employment, setup and manage the India operations and contribute as a tech. resource, as and when needed. Been in the industry for... Read More →
avatar for Abhineet Jayaraj

Abhineet Jayaraj

Security Consultant, Security Compass Inc.
Abhineet Jayaraj is a Security Consultant at Security Compass. Majorly works in the field of web application, mobile application and infrastructure security & spends time in research-n-development with skills of a quick-n-dirty coder. Like to automate tasks to ease some security testing.


Thursday September 24, 2015 3:00pm - 3:55pm
Room B

3:30pm

Encouraging Diversity and Advancing Cybersecurity Education

Even in male-dominated STEM fields, computer science and security careers stand out for having so few women. Join our panelists, the founders of InfoSec Girls, to discuss how they are advancing cybersecurity education in India while also encouraging women and girls to consider careers in the field. Then join the conversation and share your thoughts and suggestions on how to increase diversity in the security industry.



Moderators
avatar for Astha Singhal

Astha Singhal

Salesforce, Senior Product Security Engineer
Astha Singhal is a Senior Product Security Engineer at Salesforce, one of the leading enterprise cloud providers. As a part of the team, Astha works with product teams at Salesforce on building secure applications both from a design and implementation standpoint. She performs code reviews, application penetration tests and builds security trainings to better incorporate security as a part of the software development lifecycle. She is also an... Read More →

Speakers
avatar for Apoorva Giri

Apoorva Giri

Security Analyst with iViZ Security (a Cigital company) and Founder of InfoSec Girls
Apoorva has presented a workshop on “Cyber Security and Ethical Hacking for Women” at c0c0n 2014at Kochi, Kerala. Her interests lie in Web Application Security and Mobile Security. She’s an active member of Null/OWASP Bangalore Chapter. She has been listed on the Barracuda Hall of Fame for finding vulnerabilities on their application. @cedricfanapoo
avatar for Shruthi Kamath

Shruthi Kamath

Founder at InfosecGirls
Shruthi is the founder of InfoSec Girls. She holds a CEH from EC Council. She’s an active member of Null/OWASP Bangalore Chapter. Her area of interest is web application security. She has presented at c0c0n Conference 2013. She has been a part of Jailbreak NULLCON 2014. She has organized various events like workshops, talks & CTF events as part of InfoSec Girls initiative .She presented a talk on “Cybercrimes in India and its Mitigation” at... Read More →
avatar for Elissa Shevinsky

Elissa Shevinsky

CEO, Jekudo Privacy Company
Elissa Shevinsky is co-organizer of SecretCon, an enterprise security event in NYC. She is also CEO of Jekudo Privacy Company. Backed by Mach37, Jekudo is building security tools for the enterprise. Shevinsky is also a writer and speaker on issues security, privacy and innovation. She has most recently spoken at O'Reilly Solid, DefCon, Shmoocon, Computers Freedom and Privacy, and SXSW. Elissa has been building successful startups since she joined... Read More →


Thursday September 24, 2015 3:30pm - 5:00pm
Room F

4:00pm

Fireside Chat: Tech Companies Tackle AppSec: Successes, Challenges, Battle Scars
Submit your questions here:
http://goo.gl/forms/T5RGGDerLk 

Speakers
avatar for Scott Behrens

Scott Behrens

Ambassador of Application Security, Netflix
Scott Behrens is a senior application security engineer for Netflix. Prior to Netflix Scott worked as a senior security consultant at Neohapsis and an adjunct professor at DePaul University. Scott's expertise lies in application security, security automation, and penetration testing. An avid coder and researcher, he has contributed to a number of open source tools for both attack and defense. Scott has presented security research at DEF CON... Read More →
avatar for James Dolph

James Dolph

Salesforce
avatar for Reginaldo Silva

Reginaldo Silva

Facebook
Reginaldo Silva is a security engineer at Facebook. Before joining Facebook, he worked as a software engineer in multiple industries including embedded video systems and healthcare calendrical applications. Silva's ongoing mission is to answer the question, “what could possibly go wrong?” in twisted and creative ways. This generally leads to the discovery of numerous security bugs. He still holds the record for the highest payout on... Read More →


Thursday September 24, 2015 4:00pm - 5:00pm
Room A

4:00pm

Fireside Chat: The End of SW Security as We Know It; Why This Might be a Good Thing.
Submit your questions here:
http://goo.gl/forms/jochnqYmBZ

Speakers
avatar for Joshua Corman

Joshua Corman

CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing... Read More →
avatar for Jez Humble

Jez Humble

I am a vice president at Chef, a lecturer at UC Berkeley, and co-author of the Jolt Award winning Continuous Delivery, published in Martin Fowler’s Signature Series (Addison Wesley, 2010), and Lean Enterprise, in Eric Ries’ Lean series. I've worked as a software developer, product manager, consultant and trainer across a wide variety of domains and technologies. My focus is on helping organisations deliver valuable, high-quality... Read More →
avatar for Shannon Lietz

Shannon Lietz

Director, DevSecOps, Intuit
Award winning leader in security innovation with experience developing emerging security programs for Fortune 500 companies: Intuit, ServiceNow, Sony, Sempra Energy, Savvis, Cable and Wireless, 99 Cents Only, Exodus, Bank of America, among others internationally. Received the Scott Cook Innovation Award in 2014 for developing and cultivating a world class Cloud Security Program that allows for sensitive data to be protected in AWS. Ms. Lietz is... Read More →


Thursday September 24, 2015 4:00pm - 5:00pm
Room C

4:00pm

OWASP & More - State of OWASP
OWASP is the largest application security non-profit organization in the world. We have over 200 chapters in over 100 countries around the world. Join us to find out current events from the OWASP Global Board of Directors and the OWASP Executive Director. 

Submit your questions here:
http://goo.gl/forms/rKnluv9PSi

Speakers
avatar for Michael Coates

Michael Coates

Global Board, OWASP
OWASP Global Board Member | Trust & Information Security Officer @Twitter | Find me @_mwc
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures... Read More →
avatar for Jim Manico

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →
avatar for Josh Sokol

Josh Sokol

Information Security Program Owner, National Instruments
Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability... Read More →


Thursday September 24, 2015 4:00pm - 5:00pm
Room B

5:00pm

Drinks in Vendor Area
Thursday September 24, 2015 5:00pm - 6:00pm
TBA

7:00pm

Conference Reception (Dinner Cruise)

When: 7:00PM - 9:30PM Thursday 09/24/2015.
What: Dinner cruise aboard the San Francisco Belle.
About the ship: The Belle is a San Francisco Bay landmark that evokes the city’s turn-of-the-century Barbary Coast energy. The 292-foot sternwheeler features Art Nouveau style on all three enclosed levels, plus a spacious sun deck and three full wrap-around decks. The crown jewel of San Francisco Bay.
What's being served: Full Bar (1 drink ticket per person, cash bar thereafter). Delicious Gourmet Dinner Buffet.
Where: Pier 3 (on the Embarcadero at Washington St.). 5 minute walk from Hyatt Regency (according to google maps)
Itinerary
6:00PM - 6:30PM, Boarding at SF - Pier 3, On the Embarcadero at Washington Street
6:30PM - 9:15PM, Cruising Around the Bay with dinner & drinks
9:15PM - 9:30PM, Dock and Disembark at SF - Pier 3, On the Embarcadero at Washington St.

Tickets are limited and will be distributed in-person on a first-come first-serve basis at the MERCHANDISE STORE during the conference.

IMPORTANT PLEASE READ: Guests must arrive no later than 7:00PM at Pier 3, on the Embarcadero at Washington St. If you arrive at 7:30 you'll miss the safety briefing and won't be able to go, so please arrive early or on-time. Plan to arrive at 6:30 please.

Interested? All you need to do is buy your ticket to AppSecUSA 2015 before they sell-out.



Thursday September 24, 2015 7:00pm - 10:30pm
Pier 3 Embarcadero at Washington St.
 
Friday, September 25
 

8:00am

Registration
Friday September 25, 2015 8:00am - 4:00pm
TBA

9:00am

Cybersecurity Partnership, Technology and Trust

The Department of Homeland Security is a critical leader in our nation’s cybersecurity. By helping enable industry to protect themselves and to build stronger cyber technologies and services, and fostering trust and partnership to create a robust environment for cyber threat information sharing, DHS is at the forefront of a rapidly evolving landscape of collaboration in cybersecurity.

 


Speakers
avatar for Dr. Phyllis Schneck

Dr. Phyllis Schneck

Deputy Under Secretary for Cybersecurity and Communications Phyllis Schneck, NPPD, DHS
Dr. Phyllis Schneck serves as the Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate (NPPD).  She is the chief cybersecurity official for the Department of Homeland Security (DHS) and supports its mission of strengthening the security and resilience of the nation's critical infrastructure. Schneck came to DHS from McAfee, Inc., where she was Chief Technology Officer for Global... Read More →


Friday September 25, 2015 9:00am - 10:00am
Room A

10:00am

Coffee Break
Friday September 25, 2015 10:00am - 10:30am
TBA

10:30am

Security Shepherd Web App Lightning Training
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslRXhxUkZhNUJNYVU&usp=sharing
Please download before arriving at the conference!

Want to learn the basics of Web App pen testing? Or would you prefer to develop new advanced pen testing tricks? Join the us for the lightning Security Shepherd Web Application training session that will bring attendees up to speed on all the latest and greatest security testing techniques that are a concern in the industry today. Compete against other participants and solve increasingly complex security puzzles derived from real world security threats. Attendees will leave with a real familiarity of web application pen testing best practice, terminology, workflow's and commonly used tool kits.

Speakers
avatar for Mark Denihan

Mark Denihan

Ethical Hacking Technical Lead
Mark is currently working in the security space as a Technical Lead/Senior Test Engineer, is a Board Member of the Dublin OWASP Chapter and is the founder of the OWASP Security Shepherd Project. Mark got his MSc in Information Security and Digital Forensics from the Institute of Technology Blanchardstown. Mark is highly enthusiastic about all things AppSec, especially training platforms and pen testing tools. Mark also suffers from a love of... Read More →
avatar for Paul McCann

Paul McCann

Snr. Ethical Hacking Test Engineer
Paul has been working in the security space for over 5 years principally as a penetration tester. He is an active participant in the security community being a member of both OWASP and a past co-founding member of the Honeynet Ireland Chapter (Honeyn3t). He has been involved in the creation of numerous CTF and hands on security education platforms. Paul enjoys all things infosec from developing capture the flag challenges, appsec, honeypots... Read More →


Friday September 25, 2015 10:30am - 11:25am
Room E

10:30am

Detecting and managing bot activity more efficiently
Bots, also commonly referred to as scrapers or spiders, are omnipresent on the Internet. Studies show that bot activity represents a great percentage of the overall traffic on the Internet. Bots are built for different purposes from simple health check to ensure the site is up to site spidering for the purpose of indexing the content or collecting specific information en mass. Not all bots are bad:
- The ones operated by search engines, audience analytics, SEO companies, web site performance monitoring services or partners drive users to the site, are vital to its success and the business it supports. But like with any automated activity, sometimes with the best of intentions, bot activity can have a negative load impact on the web site infrastructure.
- Other bot activity, sometimes more difficult to detect, can have more questionable benefits, hurt the image of company that owns the targeted site or even have some impact on the company's revenue in the case of content theft or competitive scraping.

The amount of bot activity seen on a given web site is generally proportional to the value of the content hosted on the site. The value of the content is defined by the dollar amount that can be gained by exploiting the data collected.

Bots are usually part of botnets and come in all shapes and sizes. Some are very simplistic scripts that run on a single machine and can only support a single task. Others are highly distributed and have the same abilities as a web browser and support a wide variety of tasks.

In order to efficiently detect as much bot activity as possible, it is essential to implement many different techniques to match the different types of bots. In this talk, we’ll discuss different detection methods including evaluating the HTTP header signature, testing the ability of a client and evaluating the client behavior.

Detecting bots is however half of the trouble. Because a bot has a certain header signature or behavior doesn’t mean it has bad intentions and would have a negative impact on the business. Clearly identifying and categorizing the bots is key, this talk will provide some guidelines on how to identify and categorize bots.

Once detected and categorized, bots that are considered good for the business should be allowed access to the content. However, the one that do not appear to bring any benefits should be handled appropriately. Denying the traffic has the immediate effect of sending a signal to the bot operator, telling him that the activity was detected. Although such action may provide immediate relief, the bot operator may adapt, redeploy and resume its activity undetected. To conclude the session, we’ll go over some guidelines on how best to respond to “bad bot” activity.

Speakers
avatar for David Senecal

David Senecal

Product Architect, Akamai Technologies
I am a Security Product Architect at Akamai Technologies based in the San Francisco bay area (California). I have over 15 years of hands on experience and expertise in computer networking and security. I started my career in France as a Network Administrator followed by a few years in England as a presales / post-sales engineer focusing on network and security product for the enterprise. I moved to the US and joined Akamai Technologies over 8... Read More →


Friday September 25, 2015 10:30am - 11:25am
Room B

10:30am

Modern Malvertising and Malware web-based exploit campaigns
The purpose of this presentation will be to introduce the audience to
new techniques attackers are using to target users of web applications
for exploitation.

The first part of this presentation will be an introduction to the
modern Malware landscape, with a breakdown of the top 5 types of
malware being actively used in campaigns to target end users of web
applications. Of interest, though perhaps unsurprising - the top three
are not what we traditionally think of as "malware" in the sense of
exploitative code or remote backdoors - but aimed at direct
monetization of the user.

The second part of this presentation will be a technical walkthrough a
real-world modern malvertising & malware campaign, and break down each
step of the attack, and each distribution & obfuscation layer. This
walkthrough will be the bulk of the presentation (30 minutes), leaving
time for Q & A at the end.

Time permitting, we may provide more examples of modern campaigns/malware.

Speakers
avatar for James Pleger

James Pleger

Head of Research, RiskIQ
I am currently the Head of Research at RiskIQ, focusing our efforts on improving our customers lives by taking an outside-in approach to security. Part of this effort is ensuring that ad networks and exchanges are able to combat malware and other sources of malicious activities. Additionally, our team focuses on bringing new technologies and detection methodologies to help ensure that we are keeping up with the threat landscape as it evolves.


Friday September 25, 2015 10:30am - 11:25am
Room C

10:30am

Future Banks Live in The Cloud: Building a Usable Cloud with Uncompromising Security
Running today’s largest consumer Bitcoin startup comes with a target on your back and requires an uncompromising approach to security. This talk explores how Coinbase is learning from predecessors’ bitcoin breaches and pulling out all the stops to securely build the infrastructure behind an irreversibly transferrable digital good for millions of users. Topics include cloud architecture, account and network isolation in Amazon’s Cloud, Disaster Recovery, self-service consensus based deployment, realtime streaming insight and how Coinbase is leveraging practical DevOps to build the Bank of the Future.

Speakers
avatar for Rob Witoff

Rob Witoff

Director, Coinbase
Rob is a director at Coinbase and building systems that power the bank of the future. He previously developed, launched and integrated the United States' first Laser Communication system aboard the International Space Station before leading Data Science from the IT CTO's office at NASA's Jet Propulsion Laboratory. Rob is an entrepreneur, endurance runner and bitcoin explorer.


Friday September 25, 2015 10:30am - 11:25am
Room A

10:30am

OWASP Reverse Engineering and Code Modification Prevention Project (Mobile)
In this hands-on workshop session, Arxan Technical Director Jonathan Carter will show you how to reverse engineer and crack mobile apps and SDKs using freely available tools. Carter will highlight some of the key binary risks (reverse engineering, method swizzling, etc.). Participants will use jailbroken mobile devices / Mac workstations (provided by Carter) to perform actual binary attacks. This particular workshop was highly acclaimed at last year's AppSecUSA 2014 and will be delivered at this year's AppSecEU 2015. Very positive feedback from last year's 2014 workshop attendees has been captured and available for review here:
https://www.owasp.org/images/e/e3/OWASP_Mobile_App_Hacking_%28AppSecUSA_2014%29_Feedback.pdf

Speakers
avatar for Dave Bott

Dave Bott

Dave has been working in the software industry for over 20 years, firstly in Europe, then Asia and the USA. Initially focused on real time operating systems (RTOS), he worked extensively with major defense and telecom companies. As an application security sales engineer, he is passionate about educating customers on risk analysis and threat mitigation. Dave earned a Bachelors Degree in Computing and Information Systems from Manchester University... Read More →
avatar for Jonathan Carter

Jonathan Carter

Application Security Strategist, Lending Club
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England.  As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. | | Jonathan’s technical background in artificial intelligence and static code analysis has lead... Read More →


Friday September 25, 2015 10:30am - 11:25am
Room D

10:30am

What's in Your Toolbox? - Resources for Engagement
Spreading the Word - You know about the wiki and the mailing lists. What other tools are getting the conversation going? Have you tried using Slack or Trello yet? Are you interested in using Meetup or Facebook to promote events? What are some of the advantages and traps of social media tools? How can we ensure they are open, inviting and secure?

More Resources - Someone's already done the dirty work. The OWASP wiki is filled with ideas for your chapter. We'll start with an overview of what is already available on your chapter page, then see what others have done with theirs. We'll also uncover tons of videos, games and activities. Have you tried Cornucopia? CTF? Screened an AppSec presentation or 24/7 Podcast? Let's see what we can find.

Moderators
avatar for Noreen Whysel

Noreen Whysel

Community Manager, OWASP Foundation

Friday September 25, 2015 10:30am - 11:30am
Room F

11:30am

Security Testing for Enterprise Messaging Applications
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslTVlzSXNYalVLX3c&usp=sharing
Please download before arriving at the conference!

The training will cover security testing concepts for enterprise messaging applications. An example JMS based application hosted on ActiveMQ messaging broker will be used to for the hands on training. Open source JMSDigger will also be used leveraged.
The training will cover the following concepts:
1. Enterprise messaging basics
2. Attacks on Queues and Topics
3. Testing authentication, authorization with JMS API
4. Discuss additional attack scenarios

Speakers
avatar for Gursev Singh Kalra

Gursev Singh Kalra

Sr Product Security Engineer, salesforce.com
Gursev Singh Kalra is a Sr. Product Security Engineer at Salesforce.com. Earlier he was working with McAfee as a Senior Principal Consultant and led multiple software security service lines. He loves to write security tools and has authored free tools, like JMSDigger, TesserCap, Oyedata, SSLSmart and clipcaptcha. He has performed security research on CAPTCHAs schemes and implementations, JMS based enterprise messaging applications, OData... Read More →


Friday September 25, 2015 11:30am - 12:25pm
Room E

11:30am

Game of Hacks: The Mother of All Honeypots
We created a “Game of Hacks” – a viral Web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. During a 6-month timeframe, we witnessed each attack that came at this game, secured the app against it and studied how attackers adapted to the mitigation measures. The lessons learnt can be applied to any Web app introduced into the organization.

-----

How do hackers adjust, in real-time, to various strengthening measures of Web apps? We set to answer this question through an interactive Web app honeypot. For the honeypot, we created a viral Web-based gaming application. However, the lessons learnt could be applied to any Web application.

Aptly called “The Game of Hacks”, our gaming app was marketed as a tool to train developers to write secure code. The app presented users a piece of vulnerable code and a set of multiple choice questions from which the user had to choose the correct vulnerability – in the minimal amount of time. Storing a central database, the app kept a scoreboard of all players, displaying the top winners. Additionally, the app was built on crowd-sourcing capabilities where users could contribute their own piece of code and questions.

Our “Game of Hacks” quickly became a popular game, boasting more than 200K users within 2 weeks. Consequently, it also garnered the desired hackers’ attention. We were set to analyze, planning a continued 6-month analysis.

With the list of vulnerabilities in hand (and some that we added as we adapted to the threat landscape), we witnessed each attack that came at this game. Against each attack, we secured the app and studied the attackers’ next move. One by one, we crossed off the different attacks and had a live look at the way that attackers adapted to our mitigation measures.

We start this session with a brief introduction to “Game of Hacks” and the included vulnerabilities. We then proceed to simulate the actual honeypot activity in an interactive session similar to the actual cat-and-mouse game that we witnessed: for each vulnerability, we show how it was exploited, the corresponding security measure and how it was bypassed.

We examine vulnerabilities/ attacks such as: A) Business logic attacks. Here, hackers tweaked the timer so that their scores – based on parameters such as time and accuracy - became unsurpassable. B) DDoS attacks through site scraping where an external database was built to correctly respond to each question automatically. C) Comment spam enabled through the crowd-sourcing of questions.

We finalize the session with a summary of the methodologies we took to strengthen our gaming honeypot and share with attendees our insights. It is our hopes that attendees learn from these measures and apply them to any Web app being introduced in the enterprise.

Speakers
avatar for Igor Matlin

Igor Matlin

Senior Solutions Architect, Checkmarx
Developer, traveler, mobile technology junkie...and over 20 years of technical experience in high-tech companies as a software engineer and technical lead. Prior to joining Checkmarx as a Senior Solutions Architect, I worked on mobile technologies at Myriad Group, a leading mobile software company, and mobile browser developer Novarra, acquired by Nokia in 2010.


Friday September 25, 2015 11:30am - 12:25pm
Room B

11:30am

PHP Security, Redefined
Let’s be honest, PHP has had a rocky history with security. Over the years the language has been highly criticized for it’s lack of a focus on security and secure development practices. In more recent years, however, a resurgence has happened in the language and community, bringing secure development back into focus. With PHP 7 on the horizon, the language is making even more strides to improve some of its wayward ways of the past and reinvent itself. I’ll share practical code examples, tools, libraries and best practices that are making it easier than ever to keep PHP applications safe.

Come along with me as I guide you through both the language improvements and community encouragement making PHP a more secure place.

Speakers
avatar for Chris Cornutt

Chris Cornutt

Application Security Engineer, Pardot
For the last 10+ years, Chris has been involved in the PHP community in one way or another. These days he's the Senior Editor of PHPDeveloper.org, lead author for Websec.io, a site dedicated to teaching developers about security and the Securing PHP ebook series. He's also written for several PHP publications and has spoken at conferences in both the U.S. and Europe on security-related topics. He's also an organizer of the DallasPHP User Group... Read More →


Friday September 25, 2015 11:30am - 12:25pm
Room C

11:30am

The State of Web Application Security in SCADA Web Human Machine Interfaces (HMIs) !
Human Machine Interfaces (HMIs) are the subsets of the Supervisory Control and Data Acquisition (SCADA) systems. HMIs are control panels that provide interfaces for humans to interact with machines and to manage operations of various types of SCADA systems. HMIs have direct access to SCADA databases including critical software programs. The majority of SCADA systems have web-based HMIs that allow the humans to control the SCADA operations remotely through Internet.
This talk discusses the insecure development practices followed by SCADA developers while designing web HMIs that lead to inherent application level vulnerabilities. This talk digs deeper into the design models of various SCADA systems to highlight security deficiencies in the existing SCADA HMI deployments from application security point of view. In this talk, several real time case studies will be discussed to highlight the state of application security in the field of SCADA. This talk unveils various flavors of vulnerabilities in web-based SCADA HMIs including but not limited to remote or local file inclusions, insecure authentication through clients, weak, insecure web-services, weak cryptographic design, cross-site request forgery, and many others. The research is driven with a motivation to secure SCADA devices and to build more intelligent solutions by hunting vulnerabilities in SCADA HMIs. A number of vulnerabilities will be demonstrated in SCADA web HMIs. In addition, this talk also discusses how OWASP standards can be used by SCADA developers as baselines to develop robust SCADA web HMIs to defend application layer attacks

Speakers
avatar for Aditya K Sood

Aditya K Sood

Architect - Cloud Threat Labs, Elastica Inc.
Aditya K Sood (Ph.D) works for Elastica as an Architect of Cloud Threat Labs. Dr. Sood has research interests in malware automation and analysis, application security, secure software design and cybercrime. He has worked on a number of projects pertaining to penetration testing specializing in product/appliance security, networks, mobile and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of... Read More →


Friday September 25, 2015 11:30am - 12:25pm
Room D

11:30am

Going Bananas for Cloud Security - Auditing and Monitoring your AWS deployment with security_monkey
Engineers at Netflix enjoy great freedom to deploy their applications without much interference from the security team. This hands off approach works great to enable quick deployments, nimble experimentation, and allow the security team to be seen as enablers or “securitators”. Any change to our AWS environment is tracked and audited for security violations by a tool called security_monkey.

Security_monkey watches dozens of AWS accounts for modifications in a number of technologies such as IAM, S3, ELB, SSL, SES, SNS, SQS, and EIPs among others. Security_monkey also keeps a historical record of all changes and shows diffs, but in a JSON format which makes it easy to backup and restore. Security_monkey audits your environment for configurations which have security implications, but with a stronger focus on security instead of Trusted Advisor’s focus on cost savings. Security_monkey will help you understand interconnectivity and access rights between various AWS accounts. Security_monkey was open sourced in June of 2014 and continues to grow.

This talk will discuss how security_monkey is used to prove “the firewall” didn’t break your environment at 2am, how to keep an eye on all the changes occurring in your environment, and how to use security_monkey to audit your existing infrastructure.

Time permitting, this talk will also present a few cloud security best practices such as:
- Ridding your environment of IAM Users and why access keys are evil.
- Who owns this access key?
- Where is this security_group or s3 bucket referenced?
- Avoid allowing RFC-1918 IPs ingress permissions on your EC2-Classic security groups and RDS security groups, and why.
- Avoid S3 “AuthenticatedUsers” permission at all costs.
- How security_monkey can help you overcome AWS policy size limits.
- How security_monkey can expand wildcard policies to uncover all the permissions being occluded by the use of wildcards.
- How security_monkey can help you compare your deployment across regions (if this feature is complete by then).

Speakers
avatar for Patrick Kelley

Patrick Kelley

Super Senior Cloud Security Engineer, Netflix
I'm the author of security_monkey and a contributor to sleepy_puppy. I'm into building security tools, often specific to AWS, with python and angular. People should talk to me about making my code more pythonic, AWS security, and about the incredible and unique culture at Netflix.


Friday September 25, 2015 11:30am - 12:25pm
Room A

11:30am

If You Build It, They Will Come - The OWASP Wiki Edit-a-Thon
Wiki What? - Now that we've had a tour of the wiki, learn how you can edit and manage your chapter’s wiki page, add tabbed content and images and link to content on the wiki and elsewhere on the Internet. This is a deep dive, hands on session.

Bonus! - Learn about how AppSec is presented on Wikipedia, the world's online encyclopedia. OWASP’s wiki is great but a lot of people get their first glimpse of AppSec from Wikipedia. But is it good info? If you have ever wanted to add to the World's understanding of Web Application Security, this will be a great activity for you. 

Moderators
avatar for Noreen Whysel

Noreen Whysel

Community Manager, OWASP Foundation

Speakers
avatar for Jim Manico

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →


Friday September 25, 2015 11:30am - 12:30pm
Room F

12:30pm

Lunch & WASPY Awards
Friday September 25, 2015 12:30pm - 1:00pm
Atrium 1-5

1:00pm

The Bug Hunters Methodology
This is the live and hands on version of Jason's Defcon talk "How to Shot Web: Web and Mobile Hacking in 2015". Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, scripts, and tips make you better at hacking websites and mobile apps. Whether you're trying to claim those bug bounty prizes or find high level vulnerabilities faster or more efficiently, this talk is for you! Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in.

Speakers
avatar for Jason Haddix

Jason Haddix

Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructural security... Read More →


Friday September 25, 2015 1:00pm - 1:55pm
Room E

1:00pm

Cisco’s Security Dojo: Raising the Application Security Awareness of 20,000+
In two years, over twenty thousand Cisco employees and contractors worldwide invested hours over and above their assigned duties to improve their knowledge of application security. Why would they take action voluntarily? What made them care about security? The answer is we made application security awareness personal, professionally valuable, and fun.

In today’s chaotic environment, every company desires a more secure product or solution, and their customers demand it. To achieve this, every person involved in the product life cycle must be security aware. The challenge is teaching people in a way that sticks. This is how Cisco did it: how employees and contractors learned to love and own Cisco’s security story; and built security into our organizational DNA and our products and solutions.

The Cisco Application Security Awareness Program raises technical security awareness at all levels of the organization through the creative, fun, and humorous use of video. The content ranges from introductory to advanced learning, using belts to measure student achievement and provide recognition. As students progress, they migrate from knowledge acquisition using video into doing things to improve the security of their products. A system of tracking and recognizing achievement-based activities gets people fired up to make security improvements in their products. Sprinkled throughout the talk are examples of the videos and interfaces that draw users into this world. The audience will experience the Cisco Security Awareness Program and visually understand the abstract concepts described.

Approaching crescendo, it is time to address the elephant in the room: “So What”. What is the true impact to Cisco? Through the metrics and feedback collected, a case will be made that this program has had a huge positive impact for Cisco.

The grand finale is the “top ten secrets of success”. This is a discussion of the actions taken to achieve success, broken down into four categories: content, recognition, system, and marketing.

Content is the lessons learned about video and how to master it for success. Recognition is how to reward participants and lead them to want to grow as security people. System is how to set up for success. Marketing is the intentional causes for the viral nature of the program.

This advice applies to real life; this is how we did it, now how can you learn from us and apply this in your own organization.

Speakers
avatar for Chris Romeo

Chris Romeo

Chief Security Advocate, Cisco Systems
Chris Romeo is a Senior Technical Leader within the Cisco Secure Development Lifecycle (CSDL) program. He guides the Security Advocate program, encouraging engineers to "build security in" to all products at Cisco. He led the creation of Cisco’s product security awareness program (Cisco Security Ninja), which launched in 2012. Romeo has twenty years of experience in information security, holding positions across the security gamut, including... Read More →


Friday September 25, 2015 1:00pm - 1:55pm
Room B

1:00pm

Cipher Text Says “MIID8zCCAtugAwIBAgIBAT” - Enterprise-wide SSL Automation w/Lemur + CloudCA
Cipher Text Says “MIID8zCCAtugAwIBAgIBAT” - Enterprise-wide SSL Automation w/Lemur + CloudCA
Contact - Kevin Glisson, Netflix, kglisson@netflix.com

Abstract
At Netflix Security we try our best to enable developers by removing roadblocks and providing systems with “sane” defaults that keep everyone from shooting themselves in the foot. When dealing with SSL shooting yourself in the foot particularly important; self-signed, mismanaged or otherwise weak SSL certificates undermine SSL’s main purpose of providing confidentiality between systems.

How many times have you heard fellow engineers mutter “What openssl flag did I need again? -newkey? -newKey? rsa what?!” Lemur and CloudCA together provide a solution such that making and managing SSL certificates much easier for a normal developer. In both of these systems we guide developers toward making “good decisions” while enabling them to stand up SSL on more and more of their applications. More and stronger SSL?! Win!

Lemur and CloudCA are fully integrated with AWS. Lemur allows for certificate tracking of certificates already in AWS; uploading new CAs into AWS. Lemur event supports multiple AWS accounts!

This talk will focus on how Lemur + CloudCA helps Netflix increase and manage it’s use of SSL; how they enable developers and ultimately provide better security for Netflix as a whole.

Lemur and CloudCA are planned to be open sourced in Q2 of 2015.

About Me
Avid mountain biker
Food Waster
AngularJS Hacker
Interested in:
Security Automation
Incident Response
Malware

Current
Senior Cloud Security Engineer @ Netflix
Former
Cyber Intelligence Analyst @ J.P. Morgan Chase & Co.
Computer Security Incident Responder @ J.P. Morgan Chase & Co.

Speakers
avatar for Kevin Glisson

Kevin Glisson

Senior Cloud Security Engineer, Netflix
When Kevin Glisson is not playing with security automation, new languages and python libraries he is an avid mountain biker and backpacker enjoying all parts of the Sierra's. Kevin is currently a Security Engineer at Netflix writing tools to help streamline security operations and make the cloud more approachable and secure. Kevin has previously worked on the Cyber Intelligence and Incident Response teams at J.P. Morgan Chase, working to... Read More →


Friday September 25, 2015 1:00pm - 1:55pm
Room A

1:00pm

Doing AppSec at Scale: Taking the best of DevOps, Agile and CI/CD into AppSec.
How many applications are in your company’s portfolio? What’s the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. Its not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.

The talk covers real world experiences running AppSec groups at two different companies. Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers that AppSec staff. The talk covers the key principles to speed and scale up AppSec programs as well as practical examples of these practices put into use. Start early and begin to buy down the technical security dept which feels inevitable with more traditional AppSec program thinking.

Speakers
avatar for Aaron Weaver (Cengage Learning)

Aaron Weaver (Cengage Learning)

Application Security Manager, Cengage Learning
Aaron Weaver is the Application Security Manager at Cengage Learning. Prior to that he was at Protiviti where he built out their secure coding practice. Aaron has managed application security programs at large organizations and leads OWASP Philadelphia. Aaron speaks frequently at OWASP, AppSec USA/EU, Infragard, ISSA, ISACA, IIA and Velocity. When he has time Aaron likes to make sawdust in his workshop.


Friday September 25, 2015 1:00pm - 1:55pm
Room D

1:00pm

Wait, Wait! Don't pwn Me!
Test your wits and current AppSec news knowledge against our panel of distinguished guests. In the past, panelists have included Joshua Corman (Sonatype), Chris Eng (Veracode), Space Rogue (The Universe), Matt Tesauro (RackSpace), Ed Burns (Oracle), Justin Woo (PayPal), Jacob West (NetSuite) and Matthew McCullough (GitHub). "Wait Wait... Don't Pwn Me!" is patterned after the NPR news quiz show where we challenge the panel and the audience with "Bluff the Listener", "This Week's Security News", "The Security Limerick Challenge" and "Lightning Fill In the Blank".

Think you know your stuff? Get selected as an audience participant and prove it! Join us for a rollicking hour as we test the panel and the audience on recent security stories in the news. Who knows? Maybe you can pwn the panel.

Speakers
avatar for Joshua Corman

Joshua Corman

CTO | Founder | Founder, Sonatype | I am The Cavalry | Rugged
Joshua Corman is a Founder of I am The Cavalry (dot org) and Director of the Cyber Statecraft Initiative for the Atlantic Council. Corman previously served as CTO for Sonatype, Director of Security Intelligence for Akamai, and in senior research & strategy roles for The 451 Group and IBM Internet Security Systems. He co-founded @RuggedSoftware and @IamTheCavalry to encourage new security approaches in response to the world’s increasing... Read More →
avatar for Shannon Lietz

Shannon Lietz

Director, DevSecOps, Intuit
Award winning leader in security innovation with experience developing emerging security programs for Fortune 500 companies: Intuit, ServiceNow, Sony, Sempra Energy, Savvis, Cable and Wireless, 99 Cents Only, Exodus, Bank of America, among others internationally. Received the Scott Cook Innovation Award in 2014 for developing and cultivating a world class Cloud Security Program that allows for sensitive data to be protected in AWS. Ms. Lietz is... Read More →
avatar for Mark Miller

Mark Miller

Senior Storyteller, Sonatype
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain. He actively participates in the DevOps community by building DevOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. Mark's most recent project is "An Innovator's Journey to DevOps", a series of profiles and podcasts highlighting... Read More →
avatar for Jacob West

Jacob West

Chief Architect, Security Products, NetSuite
Jacob West is Chief Architect for Security Products at NetSuite. In his role, West leads research and development for technology to identify and mitigate security threats, particularly in cloud deployments and at the software layer. West has over a decade of experience developing, delivering, and monetizing innovative security solutions beginning with static analysis research at the University of California, Berkeley and as an early researcher at... Read More →


Friday September 25, 2015 1:00pm - 1:55pm
Room C

1:00pm

Birds of a Feather - Flex Sessions
We have Room F for the afternoon until 4pm. Feel free to suggest content for afternoon sessions. Is there a topic you would like to explore in more depth? Would you like a hands on training on any of the tools discussed. Is there a new tool that you discovered that you would like to present that might help other chapter leaders organize their activities? Do you just want a place to chill and chat with other chapter leaders? We will be taking ideas and scheduling them for three informal sessions after lunch.

Moderators
avatar for Noreen Whysel

Noreen Whysel

Community Manager, OWASP Foundation

Friday September 25, 2015 1:00pm - 3:00pm
Room F

2:00pm

Web Application Security Testing with Fiddler
Lab material available for download here: 
https://drive.google.com/folderview?id=0BxSfMVkfLvslUXVMSEt6aXlCUVk&usp=sharing
Please download before arriving at the conference!

Fiddler Web Debugging Tool is a free tool created by Eric Lawrence and it is great for troubleshooting issues and capture HTTP/HTTPS traffic. Due tot he extensible model it provides, and the features on top of it, Fiddler can be used as an excellent tool for Web Application Security Testing, some of the features are :

1. Capture HTTP/HTTPS traffic.
2.HTTP Parameter Tampering
3. Filters to setup breakpoints on HTTP POST
4.Autoresponders.
5. Modify the raw byte response
6. Extensible model to build inspector and create rules

Speakers
avatar for Michael Hidalgo

Michael Hidalgo

Software Developer Engineer, Security Innovation
Software Developer Engineer based on San José, Costa Rica. With more than 6 years of experience building financial applications and with his high sense of responsibility and quality, Michael always work hard to do things better. Currently Michael works as a Software Developer Engineer for one of the best Application Security company in the market. He also leads the OWASP Chapter in Costa Rica and he is always writing about software, testing... Read More →


Friday September 25, 2015 2:00pm - 2:55pm
Room E

2:00pm

AppSensor: Real-Time Event Detection and Response
AppSensor is a very active OWASP project that defines a conceptual framework, methodology, guidance and reference implementation to design and deploy malicious behavior detection and automated responses directly within software applications. The AppSensor idea was first conceived in 2008 and is the leading reference point in this area. More recently "application self-protection" has become a hot topic.

There are many security protections available to applications today. AppSensor builds on these by providing a mechanism that allows architects and developers to build into their applications a way to detect events and attacks, then automatically respond to them. Not only can this stop and/or reduce the impact of an attack, it gives you incredibly valuable visibility and security intelligence about the operational state of your applications.

The AppSensor project has released v2 this year. In this special presentation for AppSec USA, you will discover what AppSensor is and what it can offer you. The interesting features available in v2 will be covered along with upcoming features from the roadmap. In addition, you will learn how to cover different use cases with AppSensor by a walk-through of some sample applications. Lastly, you will receive information about the different components and integrations that make AppSensor enterprise-friendly.

Take-aways you will have from this presentation are:

* Knowledge about the benefits of proactive protection
* Information of the features in the new free-to-use reference implementation
* Guidance on implementing AppSensor in the real world
* Pointers to supporting materials specifically created for developers, architects, and senior management.
* Free copy of the 200-page v2 AppSensor Guide (also always available as a free PDF)

Additionally John and other members of the project team will be available after the presentation to continue discussion of the approach, and the AppSensor reference implementation.

Speakers
avatar for John Melton

John Melton

Principal Security Researcher, WhiteHat Security
John Melton: I'm the lead developer for OWASP AppSensor, which I discovered after building a nearly identical tool, and looking for prior art. | | For my day job, I am currently a principal security researcher at WhiteHat Security, where I do R&D work, particularly in the static analysis space. My previous positions have included technical and leadership roles in both software development and security, working in the financial and defense... Read More →


Friday September 25, 2015 2:00pm - 2:55pm
Room C

2:00pm

Turtles All the Way Down: Storing Secrets in the Cloud and the Data Center
Getting credential storage right is not easy. You may be using PKI correctly, you may be careful not to check passwords into your source code repository, but you need to put your secrets somewhere.

You can encrypt them, but where do you put the key to access them? You password-encrypt that key, but where do you put that password? You can encrypt it with a key and protect that key with a password! Oh wait…

Sometimes the development and QA teams need credentials to interact with a third party service to do their jobs. And, of course, your application can’t integrate without credentials of its own. Sometimes the credentials are API keys. Sometimes they are usernames and passwords (unfortunately). Sometimes you have private key for signing or encryption. Even when you are lucky enough to be able to reach multiple services through the a single SSO login, you still need somewhere to put the SSO credentials.

The available strategies and tools depend on the platform, the types of credentials you need to store, where you deploy, and the level of security you expect from your credentials and the assets they protect.

This talk will be a survey of the available tools, technologies, and strategies developers can utilize to improve how their secrets are managed throughout development, testing, and deployment. The talk will cover both data center and cloud-based deployments, paying special attention to open-source tools available for common enterprise platforms. Discussion will center around advantages and disadvantages of each option in order to help developers and operational teams find the solution or solutions most appropriate to their applications and organizations.

Speakers
avatar for Daniel Somerfield

Daniel Somerfield

Lead Consulting Developer, ThoughtWorks
Daniel Somerfield has been over 15 years experience developing software for retail sales, corporate communications, enterprise development, and IT security and compliance. In 1997 he co-founded ISNetworks, a company specializing in digital signature and encryption technologies. While at ISNetworks, Daniel and business partner Jess Garms co-wrote "Professional Java Security". | | After ISNetworks, Daniel worked for a number of companies on... Read More →



Friday September 25, 2015 2:00pm - 2:55pm
Room A

2:00pm

Threat Modeling the IoT Supply Chain
Internet of Things (IoT) invites different risks and attacks as we are in the process of living in a fully connected world. There are security and privacy concerns that have no regulations for the IoT industry. In short, it is the wild west. As the relevance of IoT devices continue to rise, traction for guidelines and standards are being created. However, these standards are missing a key factor when stating "secure by design" and "privacy by design". From an insider perspective in the IoT industry, we will threat model the supply chain and development lifecycle of these IoT devices to understand the vulnerabilities in each process.

Speakers
avatar for Aaron Guzman

Aaron Guzman

Principal Consultant, SecureWorks
Aaron is a Principal Security Consultant in the Los Angeles area with expertise in Application security, Mobile pentesting, Web pentesting, IoT research and Network Penetration testing. He volunteers his time as a Chapter Board Member for the Open Web Application Security Project (OWASP) Los Angeles, Technical Editor for Packt Publishing and the President for the Cloud Security Alliance SoCal. Aaron has held roles with companies such as Belkin... Read More →


Friday September 25, 2015 2:00pm - 2:55pm
Room D

3:00pm

Fireside Chat: How Universities Can Build the Next Generation of Security Engineers
Submit your questions here:
http://goo.gl/forms/mhRf570YxI

Speakers
avatar for Matt Bishop

Matt Bishop

Matt Bishop received his Ph.D. in computer science from Purdue University, where he specialized in computer security, in 1984. He was a research scientist at the Research Institute of Advanced Computer Science and was on the faculty at Dartmouth College before joining the Department of Computer Science at the University of California at Davis. | | His main research area is the analysis of vulnerabilities in computer systems, including modeling... Read More →
avatar for Sam Bowne

Sam Bowne

City College San Francisco, City College San Francisco
Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes and many other schools and teaching conferences. He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign. Industry certs: CISSP, CEH, CCENT, WCNA, and more.
avatar for Sid Stamm

Sid Stamm

Sid Stamm is Associate Professor of Computer Science and Software Engineering at Rose-Hulman Institute of Technology. His focus is on socio-technical security and privacy exploits and their protections, specifically how technology acts as an amplifier to make bad guys badder and defenses more complicated and interesting. Sid pioneered tools like Content Security Policy, Do Not Track, and various anti-phishing and anti-spam techniques... Read More →


Friday September 25, 2015 3:00pm - 3:55pm
Room A

3:00pm

Oh Yes, There is no more root detection for your Android App! - Reversing & Patching Binary”
Lab material available for download here: 
https://drive.google.com/folderview?id=0Bwov3aDFEjiETzBmTl9udlM1RU0&usp=sharing
Please download before arriving at the conference!

Android is the leading Operating system. It is used not just in Smartphones / Tablet but also is used as base for interactive Television, gaming console and lot more systems. The obvious resultant is that there is a large focus towards developing applications for this platform and to maintain its security. This is one hour crash course on “By passing root detection” on android based dummy internet banking app, This dummy internet banking application has features such as adding a beneficiary account, fund transfer, view statements, OTP, Pin sign-in, etc. to provide attendees a real world application scenario.

Android APK file architecture and Setting up the emulator.
Reversing the APK file package
Understanding, patching smali code (JAVA – Class – Dex – smali – APK)
Bypass the business logic for the root detection

Who Should Attend
- Security Professionals
- Mobile Application Developers
- People interested to start into Android security
- Web Application Pentesters
- Beginners mobile app malware auditor

What to expect :
- Getting started with Android Security
- Reversing and Auditing of Android applications
- Hands-on on Finding vulnerabilities and patching the binary

Speakers
avatar for Abhinav Sejpal

Abhinav Sejpal

Security Researcher, Accenture Digital
Fell in love with the power of software at age 17, and he is still in love. Assists organisations,Stakeholders & Customers in achieving real risk reduction by ensuring that they have the people, technologies, and processes in place to enable business operations while preventing, detecting, and responding to attacks by sophisticated cyber adversaries. Deeply skilled in Security Vision, Leadership & Pen-testing. | | He has reported... Read More →


Friday September 25, 2015 3:00pm - 3:55pm
Room E

3:00pm

New Methods in Automated XSS Detection: Dynamic XSS Testing without Using Static Payloads
For the past 15+ years all major automated XSS detection methods rely on payloads. Payloads are static exploit strings with previously known variations of exploits and exploit syntaxes. This presentation shows examples dynamic methods that do not rely on payloads to figure out if an XSS vulnerability exists. Furthermore these methods can be extended to provide, for the first time, accurate Stored XSS detection and generate dynamic custom XSS exploits. This presentation will show the current well-known automated XSS detection methods and the short comings of using a static payload methodology. It will then describe a number of methods and techniques that are used to provide dynamic XSS analysis. Finally, it will demonstrate how to create dynamic custom XSS exploits based on the dynamic detection XSS method described earlier in the presentation.

Speakers
avatar for Ken Belva

Ken Belva

Owner, XSS Warrior, LLC
I'm an almost 20 year cyber security veteran. AppSecUSA 2015 presenter. :) Please speak with me about opportunities for my XSS tool xssWarrior as well as Pen Testing services.


Friday September 25, 2015 3:00pm - 3:55pm
Room C

3:00pm

Providence: rapid vulnerability prevention
One challenging aspect of achieving software security is the struggle to catch up with the speed of development and deployment. We built Providence with the goal of preventing obvious bugs from ever being deployed into production.

Providence is a lightweight and scalable tool which finds bugs and anti-patterns of varying complexity from code commits, and we’ve used it to prevent vulnerabilities ranging from XSS, to access control issues, to XXE. It works by continuously monitoring and pulling commits from version control systems and scanning them for bugs with rules defined in plugins. Additional plugins are easy to create and deploy, which has allowed for quick reaction to new bugs or problems as they are discovered.

Providence is easily integrated with SDLC workflows or bug-tracking tools, and we will discuss how we have integrated it in-house in an unobtrusive manner. This model of addressing issues also provides relative immediacy of resolution; on average, potential problems found by Providence are resolved more quickly than other vulnerabilities because developers are presented the issues right after they commit the code, instead of weeks to months later.

We are currently in the process of open-sourcing Providence in order to share the tool with the DevOps/security community (or any interested parties). This talk will cover the internals of Providence, its engine and plugin architecture (including examples of plugins and their ease of creation), as well as its integration with our SDLC and the faster and more efficient responses we’ve achieved as a result. We’re continuing to build new plugins and features, and we’re excited see what ideas others may have in mind!

Speakers
avatar for Hormazd Billimoria

Hormazd Billimoria

Security Engineer, Salesforce
Hormazd Billimoria is a security engineer at Salesforce with an interest in web security. A long time code and security enthusiast from his high school days, he recently earned his master’s degree from Carnegie Mellon. His past research includes side channel attacks for encrypted traffic and cross VM side channel attacks. In his spare time he loves breaking and finding security vulnerabilities in software that he uses everyday.
avatar for Max Feldman

Max Feldman

Product Security Engineer, Salesforce.com
Max Feldman is a Product Security Engineer at Salesforce, where he focuses on penetration tests of AppExchange partners and security assessments of Salesforce features, as well as the development of security tools and automation. Max has a breadth of security interests and enjoys sharing this passion with others. Outside of work, Max enjoys learning new (human) languages, playing music, rock climbing, and dodgeball.
avatar for Xiaoran Wang

Xiaoran Wang

Senior Product Security Engineer, Salesforce
Xiaoran Wang is a Senior Product Security Engineer at Salesforce. He has spoken several times at conferences such as Black Hat USA, Black Hat Asia, ToorCon, HackerHalted, etc. He is passionate about security, especially web and application security. At work, he does architectural feature review for security, web penetration testing, security training and automations. In his personal time, he hunts for vulnerabilities and writes EDM musics.


Friday September 25, 2015 3:00pm - 3:55pm
Room D

3:00pm

ShadowOS: Modifying the Android OS for Mobile Application Testing
Most penetration testers know the headaches of testing mobile applications. Challenges like certificate pinning and wondering what files are being written to the device while the app is in use. Since Android is open source, you create your own custom OS that takes the guess work out of your assessment.

By doing this, you can monitor HTTP/HTTPS traffic, SQL Lite queries, file access and more. Since this is part of the OS, you can intercept web traffic before it is encrypted. And this works for all apps. No need to hook, inject or rebuild each app you test. This saves you time and helps you deliver accurate test results.

Outline of Presentation:
- Describe challenges with testing mobile applications and what is it we are solving
- Overview of the Android operating system - Identify key Android source code files for modification - Demonstrate the Android build process for the new modifications
- Demonstrate a custom Android OS showing data being intercepted and monitored from a remote application (this will be done using the Android Emulator and a PC) Takeaways:

Speakers
avatar for Ray Kelly

Ray Kelly

Researcher, HP Fortify On Demand
Ray Kelly has been developer and researcher for seventeen years, ten of which has focused on the internet security space. He was the lead developer and Business Unit Director for WebInspect with SPI Dynamics. SPI was acquired in 2008 by HP. Currently Ray is in the HP Fortify on Demand group where he focuses on research and innovation related to the mobile security space.


Friday September 25, 2015 3:00pm - 3:55pm
Room B

4:00pm

Coffee Break & Exhibitors Raffle
Friday September 25, 2015 4:00pm - 4:30pm
TBA

4:30pm

50 Shades of AppSec

The AppSec industry is enormously diverse and it only continues to diverge as we put more software into more things with more connections. It’s an industry that’s fluctuating between the sophisticated to the absurd, the intelligent to the primitive and the scary to the outright hilarious. There’s valuable lessons to be taken away from these events and applied in our future security efforts.

In this talk, Troy is going to cover a broad spectrum of what’s happening in our industry – an entire 50 shades of it in only 45 minutes – and you’ll get a sense of just how challenging it’s becoming for those of us working in AppSec to keep ahead of the attacks. Troy will cover everything from the social aspects of hacking through to some of the more obscure attacks and the increasing challenges we have as defenders.


Speakers
avatar for Troy Hunt

Troy Hunt

Author, Pluralsite
Troy Hunt is an Australian Microsoft Most Valuable Professional for Developer Security and Author for Pluralsight — a leader in online training for technology and creative professionals. Troy has been building software for browsers since the very early days of the web and possesses an exceptional ability to distil complex subjects into relatable explanations. This has lead Troy to become an industry thought leader in the security space... Read More →


Friday September 25, 2015 4:30pm - 5:30pm
Grand Ball Room