Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, June 23
 

08:00

Registration & Breakfast
Monday June 23, 2014 08:00 - 09:00
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

09:00

Room LAB215: Summit Session - OWASP Education Projects
This will be the OWASP Education Project's community gathering of academics in order to discuss what OWASP can do for the academic community.

Working Session Specifics:

  1. Re-thinking the concept of OWASP University Supporter
  2. Expand the concept of the OWASP Student Chapters.
  3. Establish and expand the OWASP University Challenge. 
  4. Suggested application security curriculum.
  5. Discuss and establish the concept of OWASP Academic Advocate.
  6. Promote participation of OWASP projects into the Google Summer of Code program
 Please check attached PDF file for location

Speakers
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals



Monday June 23, 2014 09:00 - 13:00
LAB215

09:00

ROOM LAB216: Summit Session - OWASP 24/7 Podcast Series
In the past 6 months, the OWASP 24/7 Podcast Series has been listened to over 30,000 times. In this session, Mark Miller, Executive Producer of the series, will talk about how the series was started, the equipment used to create the podcasts and the process of publication on SoundCloud for distribution to the iTunes channel. The session will include a live interview that will be recorded and published in real time.

Please check attache  Pdf fils for location 

Speakers
avatar for Mark Miller

Mark Miller

Senior Storyteller, Sonatype
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain. He actively participates in the DevOps community by building DevOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. Mark's most recent project is "An Innovator's Journey to DevOps", a series of profiles and podcasts highlighting... Read More →



Monday June 23, 2014 09:00 - 13:00
LAB216

09:00

Room LAB220: Summit Session - OWASP Python Security Project
Python Security is a free, open source, OWASP project that aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations.

Working Session Objectives: 

1. Presentation of the project. 

2. Project overview, goals and objectives.

3. Review of challenges faced by the team, case studies.

4. Brainstorming session on what should be the focus of our efforts.

5. Identify what needs to be secured.

 

Speakers
EB

Enrico Branca

Independent Consultant
Enrico Branca is an experienced researcher with specialist knowledge in Cyber security. He has been working in information security for over a decade with experience in software security, information security management, and cyber security R&D. He has been trained and worked in various roles during his career, including Senior Security Engineer, Security Architect, Disaster Recovery Specialist, Microsoft Security Specialist and others, and... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB220

09:00

Training room 1 - WebHacking: Breaking, Building and Defence
Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API’s from various languages and frameworks that provide production quality and scalable security controls.

This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.

This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

Speakers
avatar for Eoin Keary

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing. Eoin lives in Dublin, Ireland. 
avatar for Jim Manico

Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB111

09:00

Training room 2 - The Mobile App Security Boot Camp
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:



  • Insecure file storage



  • Keychain attacks



  • Insecure transport security



  • Run-time attacks



  • Cycript



  • Injection attacks



  • IPC handlers



  • Man-in-the-middle attacks



  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps



  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime



  • Real-world, 2014 techniques used to defeat real Apps on iOS7!


  • Knowledge of defensive and remedial advice



Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline



  • Theory



  • Introduction to the Android security model



  • Black box assessment approach



  • Reverse engineering applications



  • Introduction to Android malware



  • Android Man-in-the-Middle



  • Stolen device reviews



  • Analysis/Assessment/Attack and Defence



  • IPC end points



  • JavaScript Bridges



  • Mobile Substrate



  • File permission attacks



  • Tap jacking



  • Android Sandbox 



Speakers
avatar for Dominic Chell

Dominic Chell

Director, MDSec
Dominic is a director of MDSec and a recognised expert in mobile security, having authored whitepapers, tools and presentations in this area. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. Additionally, Dominic aided in the development of and is listed as a subject matter expert for, a secure iOS development... Read More →
RM

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services. | | Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB112

09:00

Training room 3 - CISO training: Managing Web & Application Security - OWASP for senior managers
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:


  • OWASP Top-10 and OWASP projects - how to use within your organisation

  • Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)

  • Benchmarking & Maturity Models

  • Security Strategy

  • Organisational Design and managing change for global information security programs

  • SDLC

  • Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers

  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide

  • Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia


All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Attendee takeaways and key learning objectives


  • how to effectively build and run a global information security function

  • strengthening web and application security using OWASP projects

  • improving web & application security for organisations from green-field level to very sophisticated security organisations 


Speakers
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB113

09:00

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:



  • Introduction to Web Application Security Assessment (Chapters 1-3)



  • Automating Bespoke Attacks: Practical hands-on experience with Burp

    Suite (Chapter 13)



  • Application mapping and bypassing client-side controls (Chapters 4-5)



  • Failures in Core Defense Mechanisms: Authentication, Session

    Management, Access Control, Input Validation (Chapters 6-8)



  • Injection and API flaws: (Chapters 9-10)


  • User-to-User Attacks (Chapters 12-13)



Attendees will gain theoretical and practical experience of:



  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications



  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI



  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL



  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise



  • Harnessing new technologies such as HTML5, NoSQL, and Ajax



  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated

    Access Control checking


  • How to immediately recognise and exploit Logic Flaws



For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

Speakers
MP

Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box, Hacker Halted, Syscan and 44con.


Monday June 23, 2014 09:00 - 13:00
LAB027

09:00

Training room 5 - The Art of Exploiting Injection Flaws
OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 



  • Understand the problem of Injection Flaws 

  • Learn a variety of advanced exploitation techniques which hackers use 

  • learn how to fix these problems 


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB006

09:00

Training room 6 - Defensive Programming – JavaScript & HTML5
Understand JavaScript and HTML5 Features to Secure Your Client-side Code 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are: 

•The HTML5 and JavaScript Risk Landscape 
•Storage of Sensitive Data 
•Secure Cross-domain Communications 
•Implementing Secure Dataflow 
•JSON-related Techniques 

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs. 

Objectives 

After successfully completing this course, you will: 

•Apply HTML5 Defensive Programming Techniques. 
•Apply JavaScript Defensive Programming Techniques. 
•Apply JSON Defensive Programming Techniques. 
•Consider Common Assessment Approaches.

Speakers
TT

Tiago Teles

Consultant
Tiago Teles is a Technical Consultant with 7 years of experience in clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations in a variety of roles: Delivering Training, Development, Business Intelligence and Quality Assurance. For some of the talks already delivered please see: https://www.youtube.com/watch?v=CbeSXmAXBbU for more information please visit... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB028

09:00

Training room 7 - TLS/SSL in Practice
SSL/TLS as used today has more and more problems and it's difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL, how it works i. g., what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Topics

The course will be a hands-on-training showing by example how to check the established SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. A great amount of tools will be explained and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and such.

The explained tools are for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:



  • checking for special SSL settings



  • check multiple servers at a time



  • customizing the results



  • using private SSL-libraries



  • customizing o-saft itself


  • or simple debugging of various SSL connection problems.



The purpose of this course is to provide a tool set for checking SSL to the participants and teach the participants how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-site view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL such as sslsniff, ssltrap and a like or exploiting vulnerabilities. Instead it should give developers an idea how to use SSL securely and give system architects, administrator or operational people hints how to set-up and configure SSL in a proper secure way. 



Technical Requirements

The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:



  • openssl (1.0.1e or newer)



  • perl (5.8 or newer), on windows system Strawberry perl is recommended



  • Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)



python (2.7) optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

 

Others

All other used tools are open source and available during the course. The participants are reliable on their own for accepting and following the license rules of each tool. 



Speakers
AH

Achim Hoffmann

Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 12 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops.  | | He is author, co-author and maintainer of various... Read More →


Monday June 23, 2014 09:00 - 13:00
LAB109

13:00

14:00

Room LAB215: Summit Session - OWASP Code Review Guide
A gathering of software developers sharing good and bad coding examples, with the aim of educating everyone reading the code review guide on what to do and what not do do when coding web sites.

Working Session Proposed Outcomes:

  1. Collect a number of bad coding examples to show readers code they should avoid writing.
  2. Collect a number of good coding examples to show readers how security code should be written.
  3. Collect the above for Java, PHP and C# languages, plus possibly C/C++, Ruby, Python, Perl, etc.. 
  4. Raise awareness of the ongoing Code Review Guide and encourage OWASP members to participate in the project.
Please check attached PDF file for location

Moderators
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →

Speakers


Monday June 23, 2014 14:00 - 18:00
LAB309

14:00

Training room 1 - WebHacking: Breaking, Building and Defence
Writing Secure code is the most effective method to securing your web applications. Writing secure code takes skill and know-how but results in a more stable and robust application and assists in protecting an organisations brand.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web solutions via defense-based code samples.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality API’s from various languages and frameworks that provide production quality and scalable security controls.

This course will include secure coding information for Java, PHP and .NET programmers, but any software developer building web applications or webservices will benefit.

This intensive 1-day course focuses on the most common web application security problems, including aspects of both the OWASP Top Ten (2013) and the MITRE Top 25. Several other OWASP secure coding projects will be featured. The course will introduce and demonstrate application assessment techniques, illustrating how application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities in their code.

Speakers
avatar for Eoin Keary

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing. Eoin lives in Dublin, Ireland. 
avatar for Jim Manico

Jim Manico

Author and Educator
Jim Manico is an author and educator of developer security awareness trainings. He is a frequent speaker on secure software practices and is a member of the JavaOne "rockstar hall of fame". He has a 17 year history building software as a developer and architect. Jim is also a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization. He manages and participates in several OWASP projects, including... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB111

14:00

Training room 2 - The Mobile App Security Boot Camp
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:



  • Insecure file storage



  • Keychain attacks



  • Insecure transport security



  • Run-time attacks



  • Cycript



  • Injection attacks



  • IPC handlers



  • Man-in-the-middle attacks



  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps



  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime



  • Real-world, 2014 techniques used to defeat real Apps on iOS7!


  • Knowledge of defensive and remedial advice



Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.



Course outline



  • Theory



  • Introduction to the Android security model



  • Black box assessment approach



  • Reverse engineering applications



  • Introduction to Android malware



  • Android Man-in-the-Middle



  • Stolen device reviews



  • Analysis/Assessment/Attack and Defence



  • IPC end points



  • JavaScript Bridges



  • Mobile Substrate



  • File permission attacks



  • Tap jacking



  • Android Sandbox 



Speakers
avatar for Dominic Chell

Dominic Chell

Director, MDSec
Dominic is a director of MDSec and a recognised expert in mobile security, having authored whitepapers, tools and presentations in this area. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. Additionally, Dominic aided in the development of and is listed as a subject matter expert for, a secure iOS development... Read More →
RM

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services. | | Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB112

14:00

Training room 3 - CISO training: Managing Web & Application Security - OWASP for senior managers
Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

Topics:


  • OWASP Top-10 and OWASP projects - how to use within your organisation

  • Risk management and threat modelling methods (OWASP risk analysis, ISO-27005,...)

  • Benchmarking & Maturity Models

  • Security Strategy

  • Organisational Design and managing change for global information security programs

  • SDLC

  • Training: OWASP Secure Coding Practices - Quick Reference Guide, Development Guide, Training tools for developers

  • Measuring & Verification: ASVS (Application Security Verification Standard) Project, Code Review Guide, Testing Guide

  • Development & Operation: Libraries and Frameworks (ESAPI (Enterprise Security API), AppSensor, ...), Threat assessments using OWASP Cornucopia


All discussion and issues raised by participants at the workshop will be under the confidentiality under the Chatham House Rule (http://en.wikipedia.org/wiki/Chatham_House_Rule).

Attendee takeaways and key learning objectives


  • how to effectively build and run a global information security function

  • strengthening web and application security using OWASP projects

  • improving web & application security for organisations from green-field level to very sophisticated security organisations 


Speakers
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB113

14:00

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:



  • Introduction to Web Application Security Assessment (Chapters 1-3)



  • Automating Bespoke Attacks: Practical hands-on experience with Burp

    Suite (Chapter 13)



  • Application mapping and bypassing client-side controls (Chapters 4-5)



  • Failures in Core Defense Mechanisms: Authentication, Session

    Management, Access Control, Input Validation (Chapters 6-8)



  • Injection and API flaws: (Chapters 9-10)


  • User-to-User Attacks (Chapters 12-13)



Attendees will gain theoretical and practical experience of:



  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications



  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI



  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL



  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise



  • Harnessing new technologies such as HTML5, NoSQL, and Ajax



  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated

    Access Control checking


  • How to immediately recognise and exploit Logic Flaws



For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

Speakers
MP

Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box, Hacker Halted, Syscan and 44con.


Monday June 23, 2014 14:00 - 18:00
LAB027

14:00

Training room 5 - The Art of Exploiting Injection Flaws
OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 



  • Understand the problem of Injection Flaws 

  • Learn a variety of advanced exploitation techniques which hackers use 

  • learn how to fix these problems 


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB006

14:00

Training room 6 - Defensive Programming – JavaScript & HTML5
Understand JavaScript and HTML5 Features to Secure Your Client-side Code 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are: 

•The HTML5 and JavaScript Risk Landscape 
•Storage of Sensitive Data 
•Secure Cross-domain Communications 
•Implementing Secure Dataflow 
•JSON-related Techniques 

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs. 

Objectives 

After successfully completing this course, you will: 

•Apply HTML5 Defensive Programming Techniques. 
•Apply JavaScript Defensive Programming Techniques. 
•Apply JSON Defensive Programming Techniques. 
•Consider Common Assessment Approaches.

Speakers
TT

Tiago Teles

Consultant
Tiago Teles is a Technical Consultant with 7 years of experience in clients across different sectors and countries, including banking, insurance, telecommunications and commercial organizations in a variety of roles: Delivering Training, Development, Business Intelligence and Quality Assurance. For some of the talks already delivered please see: https://www.youtube.com/watch?v=CbeSXmAXBbU for more information please visit... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB028

14:00

Training room 7 - TLS/SSL in Practice
SSL/TLS as used today has more and more problems and it's difficult to understand, what are the root causes of these problems, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL, how it works i. g., what problems are known according the protocol, the PKI used, and the known vulnerabilities including potential attacks and provide tools to check for these issues. The main focus will be on SSL used in HTTPS. Other usages i.e. SSL for SMTP are a small subset. As a round-up there will be recommendations how to configure SSL securely.

Topics

The course will be a hands-on-training showing by example how to check the established SSL connection (including ciphers) to a web server and show how to analyse the provided certificate. A great amount of tools will be explained and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and such.

The explained tools are for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what are these tools useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previous shown techniques and how to use its advanced features like:



  • checking for special SSL settings



  • check multiple servers at a time



  • customizing the results



  • using private SSL-libraries



  • customizing o-saft itself


  • or simple debugging of various SSL connection problems.



The purpose of this course is to provide a tool set for checking SSL to the participants and teach the participants how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-site view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL such as sslsniff, ssltrap and a like or exploiting vulnerabilities. Instead it should give developers an idea how to use SSL securely and give system architects, administrator or operational people hints how to set-up and configure SSL in a proper secure way. 



Technical Requirements

The participants should bring their own laptop with any operating system (recommended is Linux) and at least following tools installed:



  • openssl (1.0.1e or newer)



  • perl (5.8 or newer), on windows system Strawberry perl is recommended



  • Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)



python (2.7) optional

Optional, for smooth testing, a local SSL-enabled web server should be running on the laptop.

 

Others

All other used tools are open source and available during the course. The participants are reliable on their own for accepting and following the license rules of each tool. 

 

Speakers
AH

Achim Hoffmann

Starting with Linux/network security in the nineties. Achim Hoffmann has been working in web application security since more than 12 years. While working as a developer for web-application for several years he started concentrating on web application security as major subject in different roles like penetration tester, doing SCA and giving security workshops.  | | He is author, co-author and maintainer of various... Read More →


Monday June 23, 2014 14:00 - 18:00
LAB109

16:00

Room LAB220: OWASP OpenSAMM
During the AppSec conferences, the SAMM project team organises workshops for you to influence the direction SAMM evolves. This is an excellent opportunity to exchange experiences with your peers.

Understanding of SAMM is a prerequisite for participation in this OWASP summit session.

Please check PDF file for location 


Speakers
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →



Monday June 23, 2014 16:00 - 18:00
LAB220
 
Tuesday, June 24
 

08:00

Registration & Breakfast
Tuesday June 24, 2014 08:00 - 09:00
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

09:00

Room LAB215: Summit Session - OWASP Development Guide
In this session, we will briefly take a short tour through the long and inter-twined history of OWASP and the Developer Guide, OWASP's first project. The Developer Guide has had various attempts to restart it over the years, and very nearly all of them failed. Let's have an interactive session on how to get the Developer Guide back on its feet, build community, and re-build a working project team.

Please check attached PDF file for location(MAP FLOOR) 

Speakers
avatar for Andrew van der Stock

Andrew van der Stock

Director, OWASP
Web application security and information security



Tuesday June 24, 2014 09:00 - 12:00
LAB215

09:00

Room LAB216: Summit Session - OWASP 24/7 Podcast Series
In the past 6 months, the OWASP 24/7 Podcast Series has been listened to over 30,000 times. In this session, Mark Miller, Executive Producer of the series, will talk about how the series was started, the equipment used to create the podcasts and the process of publication on SoundCloud for distribution to the iTunes channel. The session will include a live interview that will be recorded and published in real time.

Please check attached PDF file for location(MAP FLOOR)  

Moderators
ML

Martin Law

Director, First Defence Information Security
With over 25 years in the security industry Martin and involved in many initiatives, he's a well known and popular individual that helps to evolve the industry and its community. | | OWASP Leeds Chapter Leader, former CREST board member, ISF council member and UK Chapter Leader, White Hat Rally Director, Northern UK Security Group Leader... and more!

Speakers
avatar for Mark Miller

Mark Miller

Senior Storyteller, Sonatype
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain. He actively participates in the DevOps community by building DevOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. Mark's most recent project is "An Innovator's Journey to DevOps", a series of profiles and podcasts highlighting... Read More →



Tuesday June 24, 2014 09:00 - 13:00
LAB216

09:00

Room LAB220 :Summit Session - OWASP Media Project
To brief project leaders on video sharing and live streaming to they can promote their project.
  1. Present the official OWASP YouTube channel
  2. Involve project leaders to promote their content
Please join us at this year's working session so you can pitch in and help with the work we are doing during the conference. 

Please check attached PDF file for location (MAP FLOOR)  

Speakers
JM

Jonathan Marcil

Montreal Chapter Leader, OWASP
As the chapter leader of OWASP Montreal, Jonathan manages most of the events and do the online community management. He is filling up the chapter's agenda with continuous events. He teamed up with various student groups to be present in three universities. He also works to put most of the talks online using YouTube and Google Hangouts. | | Those implications leaded him to create OWASP Media Project, where we gather, consolidate and promote... Read More →



Tuesday June 24, 2014 09:00 - 13:00
LAB220

09:00

Training room 1 - Java Web Hacking & Hardening
This one day hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: Authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL-Injection, CSRF, Clickjacking, Command Injection, Path Traversals, SSRF, Session Attacks like Session Fixation, etc. and continue to more specialized security holes (covering XML like XXE Attacks and XPath Injections as well as REST-ful interfaces, JSON and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding several security headers (CSP and more) and considering encryption techniques.

Speakers
avatar for Christian Schneider

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, and focuses on Java since 1999. Aside from the traditional software engineering tasks he support clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB111

09:00

Training room 2 - The Mobile App Security Boot Camp
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:



  • Insecure file storage



  • Keychain attacks



  • Insecure transport security



  • Run-time attacks



  • Cycript



  • Injection attacks



  • IPC handlers



  • Man-in-the-middle attacks



  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps



  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime



  • Real-world, 2014 techniques used to defeat real Apps on iOS7!


  • Knowledge of defensive and remedial advice



Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.

Course outline



  • Theory



  • Introduction to the Android security model



  • Black box assessment approach



  • Reverse engineering applications



  • Introduction to Android malware



  • Android Man-in-the-Middle



  • Stolen device reviews



  • Analysis/Assessment/Attack and Defence



  • IPC end points



  • JavaScript Bridges



  • Mobile Substrate



  • File permission attacks



  • Tap jacking



  • Android Sandbox 



Speakers
avatar for Dominic Chell

Dominic Chell

Director, MDSec
Dominic is a director of MDSec and a recognised expert in mobile security, having authored whitepapers, tools and presentations in this area. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. Additionally, Dominic aided in the development of and is listed as a subject matter expert for, a secure iOS development... Read More →
RM

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services. | | Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB112

09:00

Training room 3 - Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model. The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organization’s maturity wrt. software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain ! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.

After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Requirements

This training requires a good amount of interactivity and common-sense. No specific technical requirements are set forth. 

Speakers
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →
avatar for Bart De Win

Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB113

09:00

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:



  • Introduction to Web Application Security Assessment (Chapters 1-3)



  • Automating Bespoke Attacks: Practical hands-on experience with Burp

    Suite (Chapter 13)



  • Application mapping and bypassing client-side controls (Chapters 4-5)



  • Failures in Core Defense Mechanisms: Authentication, Session

    Management, Access Control, Input Validation (Chapters 6-8)



  • Injection and API flaws: (Chapters 9-10)


  • User-to-User Attacks (Chapters 12-13)



Attendees will gain theoretical and practical experience of:



  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications



  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI



  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL



  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise



  • Harnessing new technologies such as HTML5, NoSQL, and Ajax



  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated

    Access Control checking


  • How to immediately recognise and exploit Logic Flaws



For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

Speakers
MP

Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box, Hacker Halted, Syscan and 44con.


Tuesday June 24, 2014 09:00 - 13:00
LAB027

09:00

Training room 5 - The Art of Exploiting Injection Flaws
OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 



  • Understand the problem of Injection Flaws 

  • Learn a variety of advanced exploitation techniques which hackers use 

  • learn how to fix these problems 


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB006

09:00

Training room 6 - Security of XML-based Web Services and Single Sign-On
Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed. 

Contents

The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or a different applications:

• XML and SOAP-based Web Services



  • XML Schema and WS-Policy



  • WS-Addressing und WS-Addressing Spoofing



  • XML Parsing (DOM vs SAX)



  • XML-specific Denial-of-Service Attacks



  • XML Security and WS-Security

    ◦ Why not SSL/TLS?



  • XML Signature

    ◦ ID-based and XPath-based XML Signatures

    ◦ XMLSignatureWrappingAttacks



  • XML Encryption

    ◦ Attacks on symmetric encryption

    ◦ Attacks on asymmetric encryption



  • WS-Attacker



  • SAML-based Single-Sign On

    ◦ Attacks 




Requirements



  • A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported. 



Speakers
avatar for Christian Mainka

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security related topics on scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based... Read More →
avatar for Juraj Somorovsky

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security or OWASP Germany. Currently... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB028

09:00

Training room 7 - Defensive Programming in PHP
This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:



  • PHP Platform Security



  • The PHP Application Risk Landscape



  • Secure Design Principles



  • Defensive Programming Techniques in PHP


  • Secure PHP Architecture and Configuration



Objectives

After successfully completing this course, students will:



  • Comprehend the PHP Platform



  • Appreciate the Risks Affecting PHP Applications



  • Write Secure Web Applications Using PHP



  • Design and Architect Secure PHP Applications


  • Configure Your PHP Applications Securely



Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course. 

Speakers
avatar for Paco Hope

Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients in the financial, retail, and online gaming industries build secure software by performing source code review and architectural risk analysis. He is also a member... Read More →


Tuesday June 24, 2014 09:00 - 13:00
LAB109

09:00

University Challenge
University Challenge

Tuesday June 24, 2014 09:00 - 18:00
OPT101

13:00

14:00

Room LAB216: OWASP Cyber Security Startup Initiative
The initiative is a pre-startup accelerator that will leverage academia and startup communitys to build next generation cyber security startups

Please check attached PDF file for location(MAP FLOOR) .

Moderators
ML

Martin Law

Director, First Defence Information Security
With over 25 years in the security industry Martin and involved in many initiatives, he's a well known and popular individual that helps to evolve the industry and its community. | | OWASP Leeds Chapter Leader, former CREST board member, ISF council member and UK Chapter Leader, White Hat Rally Director, Northern UK Security Group Leader... and more!

Speakers
avatar for Neill Gernon

Neill Gernon

Lead for Cyber Security Startup Initiative, at OWASP
Business Innovation & Growth Strategist. Currently leading the Cyber Security Startup Initiative with OWASP.



Tuesday June 24, 2014 14:00 - 18:00
LAB216

14:00

Room LAB220: Summit Session - OWASP Development Guide
In this session, we will briefly take a short tour through the long and inter-twined history of OWASP and the Developer Guide, OWASP's first project. The Developer Guide has had various attempts to restart it over the years, and very nearly all of them failed. Let's have an interactive session on how to get the Developer Guide back on its feet, build community, and re-build a working project team.

Please check attached PDF file for location(MAP FLOOR)  

Speakers
avatar for Eoin Keary

Eoin Keary

CTO and Founder, BCC Risk Advisory Ltd.
Eoin Keary is an international board member of OWASP. He leads the OWASP code review project. Eoin is the CTO and founder of BCC Risk Advisory Ltd. He has also led global security engagements for some of the world’s largest financial services and consumer products companies. Eoin is a well known technical leader in industry in the area of software security and penetration testing. Eoin lives in Dublin, Ireland. 



Tuesday June 24, 2014 14:00 - 18:00
LAB220

14:00

Training room 1 - Java Web Hacking & Hardening
This one day hands-on workshop focuses on securing Java web applications against malicious hacker attacks. During the workshop a Java web application (written specifically for this workshop) with lots of vulnerabilities is examined, exploited, and secured. We will start with common vulnerabilities found in web applications: Authentication bypasses, different flavours of XSS (reflected, stored, DOM-based), (blind) SQL-Injection, CSRF, Clickjacking, Command Injection, Path Traversals, SSRF, Session Attacks like Session Fixation, etc. and continue to more specialized security holes (covering XML like XXE Attacks and XPath Injections as well as REST-ful interfaces, JSON and WebSockets). Also prophylactic protection techniques are discussed like introducing protection tokens (e.g. OWASP’s CSRFGuard) as well as adding several security headers (CSP and more) and considering encryption techniques.

Speakers
avatar for Christian Schneider

Christian Schneider

Whitehat Hacker, Christian Schneider
Christian Schneider (@cschneider4711) writes software since the nineties, works as a freelance software developer since 1997, and focuses on Java since 1999. Aside from the traditional software engineering tasks he support clients in the field of IT security. This includes penetration testing, security audits, architectural reviews, and web application hardening. Christian enjoys writing articles about web application security (for the German... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB111

14:00

Training room 2 - The Mobile App Security Boot Camp
The Mobile App Security Boot Camp is a 2-day training course covering both Android and iOS App security. As a new course for 2014, we provide the most comprehensive and cutting edge guide to mobile App security that is currently available, including in depth coverage of iOS 7! The course is provided as a partnership between MDSec and MWR InfoSecurity, pioneers in mobile security.

Pre-requisite of Training Class:

1) Student.

A basic knowledge of programming and mobile security concepts.

2) Hardware.

All delegates will be provided with a suitable iOS device to perform the labs, it is not necessary to bring your own.

Administrative access to the laptop and the ability to install a few tools, and disable personal firewalls or virus scanners should they get in the way of the lab exercises.

We strongly recommend a personal laptop – if your corporate laptop build is too restrictive this may affect your ability to participate in the course fully.

A laptop with the capability to connect to wireless and wired networks. 3) Software.
Students require a player to run VMWare images.
Daily Class Outline:

Day 1: iOS App Hacking

The course syllabus provides an overview of iOS security features, jailbreaking and approaches to App security assessment. After an introduction to the subject, we delve in to common insecurities, including but not limited too:



  • Insecure file storage



  • Keychain attacks



  • Insecure transport security



  • Run-time attacks



  • Cycript



  • Injection attacks



  • IPC handlers



  • Man-in-the-middle attacks



  • Defeating jailbreak and other defensive detection and prevention routines

    Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in iOS Apps



  • How to hack UIWebviews, IPC handlers, client-side SQL databases, the

    keychain and the App runtime



  • Real-world, 2014 techniques used to defeat real Apps on iOS7!


  • Knowledge of defensive and remedial advice



Day 2: Android App Hacking

Day two of the course will provide an introduction to the attack surface exposed by Android devices and their applications. The Android attack surface will be analysed to demonstrate how its weaknesses can be exploited from various vectors, such as from installed malicious software (malware), local attackers in a Man-in-The-Middle (MiTM) scenario and from attackers with local physical access (e.g. stolen device). Attendees will actively analyse applications, identify vulnerabilities within them and write their own exploits to compromise the application and/or device.

Attendees will gain hands on experience assessing and exploiting Android device and application vulnerabilities. The course will also teach how to defend against the latest Android platform and application threats. The experienced consultants delivering the course will guide attendees through an assessment of a range of applications; all of which are based on real world examples, following a structured methodology.



Course outline



  • Theory



  • Introduction to the Android security model



  • Black box assessment approach



  • Reverse engineering applications



  • Introduction to Android malware



  • Android Man-in-the-Middle



  • Stolen device reviews



  • Analysis/Assessment/Attack and Defence



  • IPC end points



  • JavaScript Bridges



  • Mobile Substrate



  • File permission attacks



  • Tap jacking



  • Android Sandbox 



Speakers
avatar for Dominic Chell

Dominic Chell

Director, MDSec
Dominic is a director of MDSec and a recognised expert in mobile security, having authored whitepapers, tools and presentations in this area. Dominic has delivered security consultancy and training on mobile security to leading global organisations in the financial, government and retail sectors for the past 9 years. Additionally, Dominic aided in the development of and is listed as a subject matter expert for, a secure iOS development... Read More →
RM

Robert Miller

MWR InfoSecurity
Robert has worked for MWR Infosecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security critical products and services. | | Robert has presented in both private corporate and public events in everything from teaching members of the public how to stay safe from... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB112

14:00

Training room 3 - Bootstrap and improve your SDLC with OpenSAMM
Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance can have a significant impact on the organization. Yet, trying to achieve this without a good framework is most likely leading to just marginal and unsustainable improvements. OWASP OpenSAMM gives you a structural and measurable framework to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization.

The goal of this one-day training, which is conceived as a mix of training and workshop, is for the participants to get a more in-depth view on and practical feeling of the OpenSAMM model. The training is setup in three different parts.

In a first part, an overview is presented of the OpenSAMM model and similarities and differences with other similar models are explained. The different domains (governance, construction, verification, deployment), their activities and relations are explained. Furthermore, different constituent elements (e.g., metrics) are discussed and the overall usage scenarios of the model are explained.

Next, approx. half a day will be spent on doing an actual OpenSAMM evaluation of your own organization (or one that you have worked for). We will go through an evaluation of all the OpenSAMM domains and discuss the results in group. This will give all participants a good indication of the organization’s maturity wrt. software assurance. In the same effort, we will define a target model for your organization and identify the most important challenges in getting there.

The final part of the training will be dedicated to specific questions or challenges that you are facing wrt. secure development in your organization. In this group discussion, experience between the different participants will be shared to address these questions.

In case you haven't started a secure software initiative in your organization yet, this training should provide you with the necessary foundations and ideas to do so. Be prepared for a highly effective and applicable treatment of this large domain ! And in case you would be concerned about confidentiality issues, we adhere to the Chatham House Rule.

After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org.

Requirements

This training requires a good amount of interactivity and common-sense. No specific technical requirements are set forth. 

Speakers
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →
avatar for Bart De Win

Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB113

14:00

Training room 4 - MDSec's Web Application Hacker's Handbook, Live Edition
The course follows the chapters of the Second Edition of The Web Application Hacker's Handbook, with strong focus on practical attacks (there are only 136 slides in either of the 2 or 3 day courses). After a short introduction to the subject we delve into common insecurities in logical order:



  • Introduction to Web Application Security Assessment (Chapters 1-3)



  • Automating Bespoke Attacks: Practical hands-on experience with Burp

    Suite (Chapter 13)



  • Application mapping and bypassing client-side controls (Chapters 4-5)



  • Failures in Core Defense Mechanisms: Authentication, Session

    Management, Access Control, Input Validation (Chapters 6-8)



  • Injection and API flaws: (Chapters 9-10)


  • User-to-User Attacks (Chapters 12-13)



Attendees will gain theoretical and practical experience of:





  • How to quickly and efficiently pinpoint and exploit vulnerabilities in web applications



  • How to hack using LDAP, XPath, SOAP, HTTP Parameter Pollution (HPP), and HPI



  • Real-world, 2012 techniques in SQL Injection against Oracle, MySQL and MSSQL



  • The real risk: how to turn XSS/CSRF vulnerabilities into full account compromise



  • Harnessing new technologies such as HTML5, NoSQL, and Ajax



  • New attack types and techniques: Bit Flipping, Padding Oracle, Automated

    Access Control checking


  • How to immediately recognise and exploit Logic Flaws



For more detailed information about the course's practical structure, see the Web Application Hacker's Methodology chapter from the original version of the book.

To see the practical exercises, in action, please visit:

http://www.mdsec.net/labs/demo.html 

Speakers
MP

Marcus Pinto

Marcus Pinto is a Director of MDSec and co-author of the Web Application Hacker’s Handbook, with over 13 years’ experience in technical security assessment and 8 years’ experience in delivering technical security training for global audiences such as Blackhat, Hack in the Box, Hacker Halted, Syscan and 44con.


Tuesday June 24, 2014 14:00 - 18:00
LAB027

14:00

Training room 5 - The Art of Exploiting Injection Flaws
OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project: https://www.owasp.org/index.php/Top_10_2013-A1-Injection 

This hands-on session will only focus on the injection flaws and the attendees will get an in-depth understanding of the flaws arising from this vulnerability. The topics covered in the class are: 

SQL Injection 
XPATH Injection 
LDAP Injection 
Hibernate Query Language Injection 
Direct OS Code Injection 
XML Entity Injection 

During the two-days course, the attendees will have access to a number of challenges for each flaw and they will learn a variety of exploitation techniques used by the attackers in the wild. Identify, extract, escalate, execute; we have got it all covered. The following are the objectives of the course: 



  • Understand the problem of Injection Flaws 

  • Learn a variety of advanced exploitation techniques which hackers use 

  • learn how to fix these problems 


Speakers
avatar for Sumit Siddharth

Sumit Siddharth

Director, NotSoSecure Ltd.
Sumit “sid” Siddharth is the founder of NotSoSecure Ltd, a specialist IT security firm delivering high-end IT security consultancy and Training. Prior to NotSoSecure, he worked as Head of Penetration Testing for a leading IT security company in UK. He has more than 8 years of experience in Penetration Testing. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including numerous... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB006

14:00

Training room 6 - Security of XML-based Web Services and Single Sign-On
Web Services and Single Sign-On belong to the group of the most important Internet technologies. They are used in many fields such as automotive, healthcare, e-government, or military infrastructures. In recent years, it has been shown that these technologies allow for serious attacks. The attacks take advantage of the XML complexity and make it possible to read data from secured servers, authenticate as an arbitrary user in Single Sign-On scenarios, or decrypt confidential data.

In this training, we will give an overview of the most important XML-specific attacks. Participants will get the opportunity to carry out these attacks in a prepared virtual machine. The attacks will be first tested manually (e.g., with soapUI), in order to get a feeling for the attacks. Subsequently, we will present our penetration testing tool WS-Attacker, which will be used to execute the presented attacks automatically. For each of the attacks, countermeasures will be discussed. 

Contents

The course will contain the following topics. In each topic, the attendants will get the opportunity to execute practical evaluations using soapUI, WS-Attacker, or a different applications:


• XML and SOAP-based Web Services



  • XML Schema and WS-Policy



  • WS-Addressing und WS-Addressing Spoofing



  • XML Parsing (DOM vs SAX)



  • XML-specific Denial-of-Service Attacks



  • XML Security and WS-Security

    ◦ Why not SSL/TLS?



  • XML Signature

    ◦ ID-based and XPath-based XML Signatures

    ◦ XMLSignatureWrappingAttacks



  • XML Encryption

    ◦ Attacks on symmetric encryption

    ◦ Attacks on asymmetric encryption



  • WS-Attacker



  • SAML-based Single-Sign On

    ◦ Attacks 




Requirements





  • A laptop with a recent version of “Virtual Box“ (the virtual machine will be provided). VMWare and other virtualization software should also work but cannot be supported. 



Speakers
avatar for Christian Mainka

Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he focuses on XML and Web Services technologies and develops his penetration testing tool WS-Attacker and has published several papers in the field of XML security related topics on scientific workshops and conferences. Nowadays, the tool contains a large collection of specific attacks, which can be automatically applied to SOAP-based... Read More →
avatar for Juraj Somorovsky

Juraj Somorovsky

Security Consultant, Hackmanit GmbH
Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were applied in XML Security specifications and in countless frameworks and applications. He presented his work at many scientific and industry conferences, including Usenix Security or OWASP Germany. Currently... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB028

14:00

Training room 7 - Defensive Programming in PHP
This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:



  • PHP Platform Security



  • The PHP Application Risk Landscape



  • Secure Design Principles



  • Defensive Programming Techniques in PHP


  • Secure PHP Architecture and Configuration



Objectives

After successfully completing this course, students will:





  • Comprehend the PHP Platform



  • Appreciate the Risks Affecting PHP Applications



  • Write Secure Web Applications Using PHP



  • Design and Architect Secure PHP Applications


  • Configure Your PHP Applications Securely



Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is ex- ploited to show directory traversal, information leakage, and SQL injection. The labs are not compulso- ry to get the full value of the course. 

Speakers
avatar for Paco Hope

Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients in the financial, retail, and online gaming industries build secure software by performing source code review and architectural risk analysis. He is also a member... Read More →


Tuesday June 24, 2014 14:00 - 18:00
LAB109

14:30

Room LAB215 -Understanding PCI-DSS and using OWASP PCI Toolkit
The PCI toolkit is based on a decision tree assessment methodology, which helps you identify if your web applications are part of the PCI-DSS scope and how to apply the PCI-DSS requirements. By decomposing , one by one , you will be able to create an assessment and a final report of your scope delimitation and which OWASP guidelines must be used

Please check attached PDF file for location(MAP FLOOR)  

Speakers
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →



Tuesday June 24, 2014 14:30 - 17:00
LAB215
 
Wednesday, June 25
 

08:00

Registration & Breakfast
Wednesday June 25, 2014 08:00 - 09:00
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

09:00

Open Source Showcase
The Open Source Showcase (OSS) is an event module that takes open source projects, and gives project leaders or contributors an opportunity to showcase their work in a demo type of environment. It is an event module where open source project leaders have an opportunity to demo their projects, and speak to attendees about what their project is about.

This year’s Open Source Showcase features nine open source projects over a variety of specialities. These nine projects will be demoing in their own room within the conference hall all day Wednesday, June 25. The projects below will be demoing in the morning. 

OWASP NINJA-PingU is a high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. For more information on OWASP NINJA-PingU, check out the project’s wiki page here: https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project


OWASP PCI Toolkit is a c# Windows form project, that will help you to scope the PCI-DSS requirements for your System Components. Beta version of this tool will be released May 2014. The OWASP PCI Toolkit page can be found here: https://www.owasp.org/index.php/Category:OWASP_PCI_Project
 

Hackademic Challenges Project implements realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective. Currently, there are 10 web application security scenarios available. https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project


OWASP WTE is an enhancement of the original OWASP Live CD Project and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to make application security tools and documentation easily available and easy to use. More information on the OWASP WTE project can be found here: https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project

OWASP ZAP, or Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. More information on OWASP ZAP can be found on the project page here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

OWASP Bywaf, a web application penetration testing framework (WAPTF). It consists of a command-line interpreter and a set of plugins. More information on OWASP Bywaf can be found on the project’s wiki page here: https://www.owasp.org/index.php/OWASP_Bywaf_Project

WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes.This projetc is part of the PHP security framework, sponsored by Google Summer of Code 2014.

 http://webgoatphp.com/  

https://www.owasp.org/index.php/OWASP_PHP_Security_Project

 


 

Moderators
ML

Martin Law

Director, First Defence Information Security
With over 25 years in the security industry Martin and involved in many initiatives, he's a well known and popular individual that helps to evolve the industry and its community. | | OWASP Leeds Chapter Leader, former CREST board member, ISF council member and UK Chapter Leader, White Hat Rally Director, Northern UK Security Group Leader... and more!

Speakers
avatar for Simon Bennetts

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday June 25, 2014 09:00 - 13:00
LAB111 LAB112

09:15

Keynote - Fighting Next-Generation Adversaries with Shared Threat Intelligence

Adversaries today are technically advanced, structured around an underground governed by market forces, and using paradigm shifts in technology to compromise more victims. We examine techniques for identifying, anonymizing, and sharing threat intelligence and discuss use cases ranging from DDOS to malware where this approach can speed response times and prevent breaches.


Speakers
avatar for Jacob West

Jacob West

Jacob West is Chief Technology Officer for Enterprise Security Products (ESP) at HP. In his role, West influences the security roadmap for the ESP portfolio and leads HP Security Research (HPSR), which drives innovation with research publications, threat briefings, and actionable security intelligence delivered through HP security products. A world-recognised expert on software security, West co-authored the book, “Secure Programming... Read More →


Wednesday June 25, 2014 09:15 - 10:00
LAB026

10:00

OWASP Board Presentation
Wednesday June 25, 2014 10:00 - 10:30
LAB026

10:00

Capture the Flag (Day 1 AM)
Volunteers

Wednesday June 25, 2014 10:00 - 13:30
LAB027

10:30

Morning Coffee
Wednesday June 25, 2014 10:30 - 11:00
LAB005 and LAB006

11:00

Cloud-based Detection Techniques for Botnets and Other Malware
Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for morphism, has limited use in Zero-Day protection and is a post-infection technique requiring malware to be present on a network, or device, in order to be detected. 

Botnets are ideally suited for launching mass Distributed Denial of Services (DDoS) attacks against the ever increasing number of networked devices that are starting to form the Internet of Things, and ultimately Smart Cities. Regardless of topology; centralised with Command & Control servers (C&C), or distributed peer-to-peer (P2P), Bots must communicate with the other Bots in the Botnet, as well as their overall commanding Botmaster. This communication traffic can be used to detect malware activity in the cloud well before it has been able to evade network perimeter defences, and to determine a route back to source to take down the threat. 

This presentation highlights the main drawbacks of traditional signature based detection methods. It discusses the alternative techniques of cloud based traffic analysis for pre-infection detection of malware, in particular Botnets, which can be performed on Big Data being generated by Service Providers, and demonstrates how cloud centric traffic based detection techniques can be used to complement traditional signature based anti-malware and overcome some of its drawbacks. 

Finally, this presentation identifies a lack of techniques for detecting malicious Bot activity within virtual environments, which now form the backbone of data centre infrastructure, and provide a new, as of yet untapped, attack vector for future malware. This identification of a lack of techniques works as a pre-cursor to my PhD research which is to detect malware behaviour within virtual environments. 

Speakers
MG

Mark Graham

PhD Student, Anglia Ruskin
Mark has spent 15 years in the IT Industry, wearing various hats, working for Kingston Communication, C&W (formerly Energis), Nortel Networks and Signify. 3 years ago, Mark completed an MSc in Network Security, at Anglia Ruskin University. Mark is currently studying a PhD at Anglia Ruskin University, on the topic of “The Behaviour of Botnets, and other Malware, in the Cloud and Virtual Environments”


Wednesday June 25, 2014 11:00 - 11:50
LAB003

11:00

eXtend Security on Xcode
The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached 1,000,000 as of October 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations. 

We believe that adding an automated security measure into the Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode.

During the coding phase, developers will be able to automatically spot general security issues in iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share the difficulties and problems we faced and how we overcame them during our research.

Speakers
avatar for Tokuji Akamine

Tokuji Akamine

Lead Security Engineer, Rakuten, Inc.
Tokuji Akamine is a Lead Security Engineer at Rakuten, where he conducts security testing, security training and security research. Before joining Rakuten, he was a senior security consultant at Symantec and provided application security consulting to a variety of enterprise customers. He has totally 8 years experience in application security.


Wednesday June 25, 2014 11:00 - 11:50
LAB002
  • Company 48

11:00

Biting into the Forbidden Fruit. Lessons from Trusting JavaScript Crypto.
We all know JS crypto is flawed, right? Over the years, security community has pointed out its multiple fundamental problems. Several arguments were made and "JavaScript cryptography is bound to fail" became a mantra. Of course, despite all this JS crypto WAS used all over the place. Theory met practice - it was about time to dig into this!

In recent months, we tested various high-profile, in the wild crypto libraries, applications and systems. We saw code from home-grown cryptography to full-blown TLS or OpenPGP implementations. Hilarious bugs were spotted, protections were bypassed and systems were pwned. But was it really that different from what we all had already seen in OpenSSL, BouncyCastle or GnuPGP? Can we actually fix all those bugs? Does it mean that Javascript cryptography can be, pardon us saying, secure like any other?

Come and listen. During the talk vulns will be shown, authorities - questioned, myths - debunked, and browsers cursed upon. You'll see the full picture - from XSS, to man-in-the-middle, to PRNGs and timing side-channels, even snippets in C. No stone will be left unturned, nothing will be taken for granted. You'll be left with an updated, solid and heavily opinionated view of JavaScript cryptography.

Speakers
KK

Krzysztof Kotowicz

Web security researcher specialized in Javascript and HTML5 security. Author of multiple open-source pentesting tools, and recognized HTML5/UI redressing attack vectors. Speaker at international IT security conferences & meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack). Recently joined Google as Information Security Engineer. 


Wednesday June 25, 2014 11:00 - 11:50
LAB026
  • Company 34

11:50

Monitoring Web Sites for Malware Injection with WebDetector
It’s estimated that 86% of all websites had at least a serious vulnerability during 2012. Attackers either manually or automatically (via botnets) deploy C&C servers and malware droppers within exploited websites to infect clients. When such an intrusion is not detected by the owner, the website can deliver malware for long periods until somebody either privately or publicly notices it and maybe an investigation starts. 

To tackle this, we have developed a web monitoring tool called WebDetector, that can be scheduled to run periodically over a list of domain names and to produce a score that indicates how malicious a page is. 

The tool is currently written in python and relies on several open source components for mirroring, file tracking and indexing plus a set of heuristics to detect harmful components like javascripts, PDF, shockwaves, form spoofing and link redirection. The framework can be expanded with modular signatures to detect in future more types of attacks with the help of the community. 

We have tested the efficacy of WebDetector by deliberately adding common malicious behaviour in a controlled Wordpress installation. More sophisticated malware strategies needs refined heuristics for detection that will be addressed in future. 

Speakers
avatar for Paolo Di Prodi

Paolo Di Prodi

Machine Learning Engineer, Microsoft
I love control systems and robotics.


Wednesday June 25, 2014 11:50 - 12:35
LAB003
  • Company 95

11:50

Intent on Being a Good Android Citizen?
Has Android achieved the impossible? Do intents enable interprocess communications and inter-process collaboration that is actually securable? The answer, as in many platforms, is a definite ‘maybe’. Firstly, intents invite "new" attacks - attacks more traditionally associated with distributed systems - such as spoofing, hijacking, out of order execution and theft of data. Secondly, all is not always as it seems. Like so many things in in life, it is possible to do things right and still get it wrong. Securing intents properly requires a defensive approach of some old techniques plus an added step of validating some assumptions. This talk is aimed mainly at app developers - learn how intents work under the hood, how to secure your intents and how to secure your assumptions to achieve your goal of secure apps. 

Speakers
avatar for Andrew Lee-Thorp

Andrew Lee-Thorp

Senior Consultant, Cigital
Coder, tester, architect, mobile, and all round nice guy.


Wednesday June 25, 2014 11:50 - 12:35
LAB002
  • Company 65

11:50

OWASP Security Shepherd - Mobile/Web Security Awareness and Education
What is this all about?

The OWASP Security Shepherd project has been designed and implemented with the aim of fostering and improving security awareness among a varied skill­set demographic.This project enables users to learn or to improve upon existing manual penetration testing skills. This is accomplished through lesson and challenge techniques. A lesson provides a user with a lot of help in completing that module, where a challenge puts what the user learned in the lesson to use.

Security Shepherd covers the OWASP Top Ten web app risks and has recently been injected with totally new content to cover the OWASP Top Ten Mobile risks as well. Using these risks as a challenge test bed, common security vulnerabilities can be explored and their impact on a system understood. Many of these levels include insufficient mitigations and protections to these risks, such as blacklist filters, atrocious encoding schemes, barbaric security mechanisms and poor security configuration. The modules have been crafted to provide not only a challenge for a security novice, but security professionals as well.

Over the last year the OWASP Security Shepherd has proven itself to be a resilient platform in which CTF (Capture the Flag) events can be deployed upon. Examples include



  1. The OWASP Global CTF 2013



  2. IRISScon 2013 Cyber Security Challenge



  3. The OWASP EU Tour 2013 Online CTF



  4. Source Conference CTF



  5. The OWASP LATAM 2013 Tour Online CTF



  6. The OWASP Ireland AppSec 2012 CTF



One of the biggest concerns that organisers of CTF competitions have is that their system or scoreboard may be compromised. There are few open source projects that offer a secure CTF platform to utilise. With the Shepherd platform been subject to the playful prods and less playful assaults from five continents, it is a candidate to fill this gap. The OWASP Security Shepherd is in the process of been forked to provide the OWASP Shepherd CTF Platform. 

Speakers
MD

Mark Denihan

Ethical Hacking Test Engineer, IBM
I'm currently working on the IBM Ethical Hacking Team, OWASP Ireland Board Member and founded of the OWASP Security Shepherd Project. I got my BSc in Computing in the Dublin Institute of Technology and I'm working on a MSc in Information Security and Digital Forensics in the Institute of Technology Blanchardstown. I also suffer from a love of caffeine and deep paranoia thanks to my extreme security enthusiasm. 
avatar for Seán Duggan

Seán Duggan

Security Analyst, Ward Solutions
Sean is a Security Analyst with Ward Solutions. Currently holding an Honors BSc Computer Science and studying for a Masters in Information Security and Digital Forensics. passionate about Android App Security and Development. Sean developed an interest in Mobile Application Security after reading about the OWASP Mobile Top Ten Risks in 2012 and has since been keeping up to date with Mobile App Issues through development on Security Shepherd. |


Wednesday June 25, 2014 11:50 - 12:35
LAB026
  • Company 54

12:35

13:30

Capture the Flag (Day 1 PM)
Volunteers

Wednesday June 25, 2014 13:30 - 20:30
LAB027

13:50

Defending TCP Against DoS Attacks
On the global Internet, the main function of TCP is to provide a reliable byte stream process to process communication. Today, TCP is the most widespread protocol used for exchanging data in the Internet and almost responsible for more than 90 percent of the world's total data traffic on the Internet. Despite its widespread usage, many of the TCP protocols were designed with little consideration given to the security implications. For example, the TCP protocol stack could be vulnerable to a variety of attacks ranging from IP spoofing to denial of service.

This paper classifies a range of known TCP attack methods focusing in particular on password sniffing, SYN flooding, IP spoofing, TCP sequence number attack, TCP session hijacking, RST/FIN attacks and the low rate TCP targeted denial of service attack. . The paper will also examine the vulnerability points of these TCP protocols in attempting to provide solutions to such attacks. Finally, a real time network simulation infrastructure will be provided along with detail experiments analysis to validate the efficiency of our security approaches. 

Speakers
HE

Hesham El Zouka

Arab Academy for Science & Technology and Maritime Transport


Wednesday June 25, 2014 13:50 - 14:40
LAB003
  • Company 88

13:50

OWASP Mobile Top Ten 2014 – The New “Lack of Binary Protection” Category
Recently, there has been a new addition to the OWASP Mobile Top Ten; a lack of binary protections. At AppSec California, OWASP debuted it and briefly highlighted examples of the threats to mobile devices in this category. In this talk I will discuss the new category in much more depth, exploring reasons why this risk category has now been included in OWASP’s Top Ten Mobile Security Risks.

In 2013, consumers downloaded more than 83 billion applications from app stores worldwide, with revenues totalling $25 billion. According to Portio research, this is expected to grow to over 200 billion downloads per year by 2017. It is clear that the App Economy is not only thriving, but is driving new app-centric products and services across multiple industries and with the continued adoption of mobile computing, the threats to mobile and applications is continuing to grow.

Based on research conducted by Arxan, we found that over half of the top 100 iOS apps had been hacked or tampered with and made available for download on third party app stores. This included 53 percent of Android, and 23 percent of mobile banking and payment applications.

The talk will specifically highlight the risks that a lack of binary protections poses to mobile applications on both iOS and Android platforms. The speaker will discuss how to leverage specific OWASP projects to solve these issues and secure apps from tampering. By the end of the talk, attendees will have a solid understanding of the risks associated with lack of binary protections and how to begin thinking about incorporating app risk mitigation solutions to protect their applications. Risk mitigation approaches discussed will include how to incorporate processes that harden an app against binary-level integrity and reverse-engineering attacks launched at rest and run-time. 

Speakers
avatar for Jonathan Carter

Jonathan Carter

Application Security Strategist, Lending Club
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England.  As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. | | Jonathan’s technical background in artificial intelligence and static code analysis has lead... Read More →


Wednesday June 25, 2014 13:50 - 14:40
LAB002
  • Company 61

13:50

OWASP Hackademic: Towards an Educational Ecosystem for Application Security
Teachers of Application Security in higher education institutions and universities are presented with some unique challenges, especially when compared to other scientific or even computer science fields. This is mainly because students have to learn how to design, implement and protect applications against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system.

The OWASP Hackademic Challenges Project introduces the "attacker's perspective" in higher education by implementing realistic scenarios with known vulnerabilities in a safe, controllable environment. Students can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Its main difference from other projects that implement vulnerable applications for educational purposes, is that it is has been created mainly for use in a classroom environment, while most other solutions take a more self-learning approach. The OWASP Hackademic Challenges are not just another set of vulnerable applications but a complete teaching environment. In this manner, students can be organized in classes with different set of challenges per class. A sophisticated grading system allows the assessment of students according to their effort and performance and not just the ability to solve the challenge, while several forms of cheating can also be detected.

The OWASP Hackademic Challenges are currently being used by more than a dozen universities around the world and are also part of the "Hacking Lab" and "OWASP University Challenge". In addition, we have received contributions to the project by several researchers, including the New Jersey Institute of Technology.

The OWASP Hackademic Challenges simulate real-world scenarios that application security consultants and penetration testers encounter during their day-to-day engagements, combined with the academic requirements of a related module. These exercises can be used to complement the respective theoretical lectures. Statistical analysis of the feedback we received from students through questionnaires, shows that the students embraced this approach and have benefited significantly from going through these exercises. In practice, the OWASP Hackademic Challenges help students become more enthusiastic about application security by gaining a realistic, hands-on experience on some real-world vulnerabilities.

In this presentation we will give an overview of the Hackademic Challenges and analyze its scientific background. In addition, we will present new features introduced to the interface that was developed during the Google Summer of Code 2013 which include a plugin API. Moreover, as the project is still under development, we expect a bunch of new features to be ready by the conference dates.

We will introduce the new concept of training modules, a significant addition whose aim is to integrate entire teaching modules. A training module refers to a bundle of reading material and challenges with specific scoring rules. This allows the users/professors to manage complete logical entities and allows for better modularity of the courses. Also, in our experience there is a significant number of students who once they finish a security course, they wish to write challenges and improve the course in general. This concept will allow them, and anyone wishing to contribute course material, to provide entire logical modules in a bundle. Also, this method allows for easier integration of other useful features which are being developed, such as gamification.

Our goal is to create an educational ecosystem around Hackademic that includes teachers, students and professionals who contribute and consume teaching material and realistic challenges in an open way.

Finally, we will introduce an open id integration module. This showcases a good security practice and allows the users to login with many popular open-id providers, simplifying the registration process.

A demo of the new Hackademic portal and challenges will also be delivered, emphasizing on how it can be used in a real classroom and giving the chance to attendees to get their hands on it. 

Speakers
SG

Spyros Gasteratos

Spyros Gasteratos is a software engineer at Telesto Technologies Ltd. He has undertaken numerous projects in several fields of IT, such as Linux administration, web server hardening and web development. He is the project leader and the main developer of the OWASP Hackademic Challenges project. His involvement with OWASP began almost 3 years ago. During this time he has worked as a volunteer in a variety of projects, including being part of the... Read More →
avatar for Konstantinos Papapanagiotou, Spryros Gastreratos

Konstantinos Papapanagiotou, Spryros Gastreratos

Information Security Services Team Lead, OTE
Both trainers are Hackademic project leaders, long time OWASP members and application security professionals


Wednesday June 25, 2014 13:50 - 14:40
LAB026
  • Company 53

14:00

Open Source Showcase
The Open Source Showcase (OSS) is an event module that takes open source projects, and gives project leaders or contributors an opportunity to showcase their work in a demo type of environment. It is an event module where open source project leaders have an opportunity to demo their projects, and speak to attendees about what their project is about.

This year’s Open Source Showcase features nine open source projects over a variety of specialities. These nine projects will be demoing in their own room within the conference hall all day Wednesday, June 25. The projects below will be demoing in the afternoon. 

OWASP NINJA-PingU is a high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. For more information on OWASP NINJA-PingU, check out the project’s wiki page here:https://www.owasp.org/index.php/OWASP_NINJA_PingU_Project

OWASP PCI Toolkit is a c# Windows form project, that will help you to scope the PCI-DSS requirements for your System Components. Beta version of this tool will be released May 2014. The OWASP PCI Toolkit page can be found here: https://www.owasp.org/index.php/Category:OWASP_PCI_Project

OWASP WTE is an enhancement of the original OWASP Live CD Project and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to make application security tools and documentation easily available and easy to use. More information on the OWASP WTE project can be found here: https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project

OWASP ZAP, or Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. More information on OWASP ZAP can be found on the project page here:https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems. More information on the ThreadFix project can be found here: https://github.com/denimgroup/threadfix/

OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient. For more information about the OWASP OWTF Project, check out the project’s wiki page here: https://www.owasp.org/index.php/OWASP_OWTF

OWASP Python Security Project aims at creating a hardened version of python that makes it easier for security professionals and developers to write applications more resilient to attacks and manipulations. More information about the OWASP Python Security Project can be found here:https://www.owasp.org/index.php/OWASP_Python_Security_Project

WebGoatPHP is a deliberately insecure web application developed using PHP to teach web application security. It offers a set of challenges based on various vulnerabilities listed in OWASP. In each challenge the user must exploit the real vulnerability to demonstrate their understanding. The application is a realistic teaching environment and supports four different modes.This projetc is part of the PHP security framework, sponsored by Google Summer of Code 2014.Websites:


Moderators
ML

Martin Law

Director, First Defence Information Security
With over 25 years in the security industry Martin and involved in many initiatives, he's a well known and popular individual that helps to evolve the industry and its community. | | OWASP Leeds Chapter Leader, former CREST board member, ISF council member and UK Chapter Leader, White Hat Rally Director, Northern UK Security Group Leader... and more!

Speakers
avatar for Simon Bennetts

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Wednesday June 25, 2014 14:00 - 18:00
LAB111 LAB112

14:40

OWASP ZAP: Advanced Features
The Zed Attack Proxy (ZAP) is an OWASP Flagship project and the largest open source web application security tool measured by active contributors. While it is an ideal tool for people new to appsec it also has many features specifically intended for advanced penetration testing. 

In this talk Simon will give a quick introduction to ZAP and then dive into some of these features, including: 
* Handling single page and other ‘non standard’ apps 
* Client side testing with Plug-n-Hack 
* Advanced scanning options 
* Contexts 
* Fuzzing 
* Scripting 
* Zest - ZAP’s macro language 
* Changing the source code 

Speakers
avatar for Simon Bennetts

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.


Wednesday June 25, 2014 14:40 - 15:30
LAB003
  • Company 91

14:40

Smart Storage Scanning for Mobile Apps - Attacks and Exploit
Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. The frequency of release for the mobile application is significantly higher than the web application. It is imperative to scan these applications before loading and launching for different platforms. 

Amongst the mobile attacks described in OWASP Mobile Top 10 project, Local storage being the key attack which affects the security and privacy of the user. Need for an hour is to have automated program to penetrate local storage in most widely used mobile platform (android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file system. On the iOS, one needs to use jailbreak device to attack local storage. Along with presentation, new version of the free tools (Separate for android and iOS) will be released. Android tool uses API to monitor android file system where iOS tool relies on OS features. Methodology to perform application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms along with defense strategies.

Speakers
avatar for Hemil Shah

Hemil Shah

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has presented at numerous conferences. Hemil is expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has... Read More →


Wednesday June 25, 2014 14:40 - 15:30
LAB002
  • Company 43

14:40

Relax everybody, HTML5 is much securer than you think
Many, many conferences nowadays come with "HTML5 is insecure" or "Hacking with HTML5" talks. This has lead to a general perception that HTML5 itself (whatever the term actually stands for) is insecure and, thus, should be avoided for security reasons. This is highly unfortunate, as the current generation of new Web APIs expose a level of security sophistication, which is unparalleled in the Web's history. In fact, new browser features such as CORS or PostMessage allow, for the first time, to securely realize usecases which, up to now, required the programmers to resort to insecure programming practices. 

In this talk, we will systematically explore security relevant HTML5 APIs. To do so, we discuss their respective security architecture and, more importantly, show how they compare to currently established techniques which were designed to realize similar use cases. 

Plainly speaking you can consider this talk as a "information security deathmatch - HTML5 vs. its alternative" (spoiler: HTML5 wins). 

More specifically, the talk will cover: 

# Client-side cross-domain communication: 

- CORS (HTML5) vs. JSONP and/or crossdomain.xml 

# Client-side persistence 

- LocalStorage (HTML5) vs. Cookie-hacks 

# In-browser communication 

- PostMessage (HTML5) vs. 
-- hash-identifier passing and/or 
-- window.name setting and/or 
-- domain relaxation 

# ClickJacking protection 

- X-Frames-Options (HTML5) vs. JavaScript framebusters 

# Bonus track: The browser's new security capabilities 

A quick overview of new browser features that can be used to secure Web sites: 

- Content Security Policies 
- Sandboxed iFrames 
- Strict-transport Security 

The session's content is based on the experiences and lessons learned of a international academic research project on modern Web security (WebSand, http://websand.eu) of which the speaker is the technical lead. All given details will be backed with empirical data (when applicable). Furthermore, all discussed technologies can be accompanied with proof-of-concept code or practical demonstrations (if time permits). 

Speakers
avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990ties and the early years of the new millennium he earned his living as a software engineer in... Read More →
SL

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.  Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc.  He regularly publishes his work at academic and non-academic security conferences such as CCS, Usenix Security, Blackhat, OWASP Appsec, Deepsec, etc.


Wednesday June 25, 2014 14:40 - 15:30
LAB026

15:30

Afternoon Coffee
Wednesday June 25, 2014 15:30 - 15:55
LAB005 and LAB006

15:55

Getting New Actionable Insights by Analyzing Web Application Firewall Triggers
ModSecurity Web Application Firewall was first released more than a decade ago, available as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly, and is the most widely deployed WAF, protecting millions of websites. A long side ModSecurity engine we can also find OWASP ModSecurity Core Rule Set (CRS), which is a library of generic application security signatures that provide a base level of protection for any web application.

In this presentation I will show an advanced technique for post processing of ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses that are derived from WAF triggers. The objective of the post processing is to improve security controls. Based on the collected malicious HTTP traffic we can produce new insights on our attackers and the techniques they use and as a result we can harden defenses that will improve our mitigations.

The presentation will include detailed description of several techniques with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).

Example for analysis on remote file inclusion attack:

When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continues attack campaign that uses various RFI vulnerabilities with the same remote file.

Generating signature that matches attacks based on the attack "anchor" can improve the detection capabilities for ModSecurity CRS and at the same time give better insight on the threat landscape.
More than that, this "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.

RFI attack:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php

In the attack above we can see remote source file located on “www.attacker.com/malicous.php”, using this malicious file can be valuable when:



  • Looking for the same link on HTTP traffic (complementary to ModSecurity CRS rules)



  • Blocking traffic from within the organization to the attacker web application



  • Correlating similar attacks as same distributed attack campaign 



Speakers
avatar for Or Katz

Or Katz

Principal Security Researcher, Akamai
Or is an application security veteran, with years of experience at industry leading vendors, currently serves as principal security researcher for Akamai's Cloud Security Intelligence platform. Or is a frequent speaker in conferences such as RSA, AppSec and CSA. Or has published several innovative articles and white papers on web applications threat intelligence and defensive techniques.


Wednesday June 25, 2014 15:55 - 16:45
LAB003
  • Company 64

15:55

Getting a Handle on Mobile Security
Mobile development is one of the largest growth areas in all of software. The last decade has seen an explosion of mobile devices, operating systems, development environments, libraries, toolkits and app stores. Organizations are racing to construct mobile applications that harness the power of the mobile paradigm. 

However, like in the early days of web development, security may be being overlooked or under-emphasized. In this talk, we will go through the array of mobile platforms available to developers, and discuss common security concerns that all platforms have in common. The talk will focuses on securing sensitive data on the phone, proper use of encryption, and proper use of TLS, along with several other security areas critical to writing secure mobile applications. A discussion of hybrid web apps, using frameworks like PhoneGap and the security concerns there, will also be discussed in detail. 

Participants will gain an understanding of the key differences between web and mobile security, and learn what they must do to ensure they are architecting and constructing secure mobile applications. 

Speakers
avatar for Jerry Hoff

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing, and architecture reviews. Jerry also has years of development and teaching experience. He... Read More →


Wednesday June 25, 2014 15:55 - 16:45
LAB002
  • Company 86

15:55

OWASP - CISO Survey Report 2013 – Tactical Insights for Managers
Among application security stakeholders, Chief Information Security Officers (CISOs),are responsible for application security from governance, compliance and risk perspectives. The recently released OWASP CISO Survey provides tactical intelligence about security risks and best practices to help CISOs manage application security programs according to their own roles, responsibilities, perspectives and needs.

Speakers
avatar for Tobias Gondrom

Tobias Gondrom

Global Board Member, OWASP
Tobias Gondrom is a global board member of OWASP (Open Web Application Security Project) and former chairman until December 2015. And until April 2015, he was leading a boutique Global CISO and Information Security & Risk Management Advisory based in Hong Kong, United Kingdom and Germany. He has over 15 years of experience leading global teams in information security, software development, application security, cryptography, electronic signatures... Read More →


Wednesday June 25, 2014 15:55 - 16:45
LAB026
  • Company 97

16:45

Use of Netflow/IPFix Botnet Detection Tools to Determine Placement for Autonomous VM’s
This paper describes a novel method of autonomously detecting malicious Botnet behaviour within a Cloud datacentre, while at the same time managing Virtual Machine (VM) placement in accordance to its findings, and it presents its implementation with the Scala programming language. A key feature of this method, using output from Netflow/IPFix, both of which are capable of producing detailed network traffic logs, is its capability of detecting unusual Client behaviour through the analysis of individual data packet information.

It has been implemented as a module of an Autonomous Management Distributed System (AMDS) presented in [Dinita, R. I., Wilson, G., Winckles, A., Cirstea, M., Rowsell, T. (2013)], giving it direct access to all the VMs and Hypervisors on the Cloud network. As such, another key feature is that it can have an immediate and effective impact on network security in a Botnet attack context by issuing lockout commands to every networked VM through the AMDS. A proof of concept has been developed and is currently running successfully on the authors’ test bed. 

Speakers
RD

Razvan-Ioan Dinita

PhD research student and Lecturer, Anglia Ruskin University
Razvan-Ioan Dinita has received a degree in Computer Science and Internet Technology from Anglia Ruskin University of Cambridge, UK. He is currently a PhD research student in Cloud Computing and a Lecturer in Computer Science and Cloud Computing at Anglia Ruskin University. His research is focused on the optimisation of cloud computing energy efficiency management. Mr. Dinita has co-authored several peer reviewed research papers and is... Read More →


Wednesday June 25, 2014 16:45 - 17:35
LAB003
  • Company 96

16:45

Wait, Wait! Don't pwn Me!
"Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Space Rogue) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.

During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake. 

This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.

Speakers
avatar for Mark Miller

Mark Miller

Senior Storyteller, Sonatype
Mark Miller speaks and writes extensively on DevOps and Security, hosting panel discussions on tools and processes within the DevOps Software Supply Chain. He actively participates in the DevOps community by building DevOps tracks at security conferences such as RSA Conference, InfoSec Europe, CD Summit, AppSec USA and AppSec EU. Mark's most recent project is "An Innovator's Journey to DevOps", a series of profiles and podcasts highlighting... Read More →


Wednesday June 25, 2014 16:45 - 17:35
LAB002
  • Company 22

16:45

PCI DSS and Secure Applications
The Payment Card Industry Data Security Standard (PCI DSS) applies to whether cardholder data is stored, processed or transmitted. This presentation will examine the best practices in development of bespoke or custom written applications to be used within the cardholder data environment of the Payment Card Industry Data Security Standard (PCI DSS) to ensure the applications meet the compliance requirements of the standard. 

The objective of the talk is to inform those who are developing applications of the PCI DSS requirements, review the testing procedures that an auditor would use to examine compliance with the requirements and highlight the evidence the auditor will be expecting to collect to prove the requirements are being met continually. The purpose is to help them develop applications securely to the requirements. 

The presentation starts with an explanation of the applicability of the PCI DSS and how organisations may not be aware that they need to comply with the requirements, as they may not be directly involved with payment card transactions. Often, payment card details can be captured on expense tracking systems, corporate card management and other systems. Anywhere the PAN is captured, stored, processed or transmitted, even when not directly involved in a payment transaction, the PCI DSS still applies. For web applications such as shopping carts, although the checkout may redirect to a 3rd party, the application performing the redirect needs to be secure to prevent the redirection mechanism being manipulated to point to a malicious 3rd party site. 

Version 3 of the PCI DSS standard mandates a number of key best practices to ensure applications used provide the minimal level of protection of cardholder data during processing, storing and transmission of cardholder data. 

The key practices that will be covered are:- 
• Secure software development lifecycle practices that ensure the inclusion of security during the requirements definition, design, analysis, and testing phases of software development. 
• Requiring developers to understand how cardholder data is handled in memory, and how modern malware will scrape memory to retrieve sensitive data. 
• The use of separate development, testing and production environments; including separation of duties for developers, testers and production administrators. 
• The need to remove test account credentials and test data from application before it is released to the production environment. 
• Prohibition of the use of ‘live’ data for testing or development purposes. 
• The use of change control mechanisms to ensure all changes to system components are reviewed and authorised. 
• Software developers are trained in secure coding techniques and develop applications on secure coding guidelines. 
• The testing of applications to ensure they do not suffer from known vulnerabilities. 
• Public facing web applications are protected against known attacks. 

Each of these key practices will be examined from the point of view of a PCI Qualified Security Assessor. The author, who is a QSA, will look at how industry standards, such as those developed by OWASP, can be used by developers, testers and managers as part of the process of implementing a secure development lifecycle and used as evidence in meeting the PCI DSS requirements. 

The authors view on the key practices will be given, including interpretation of the requirements and how a QSA could expect to see them implemented to meet the testing requirements of the PCI DSS. 

The result should be that developers will understand when the PCI DSS could apply to applications they are developing and the best practices they will need to follow to ensure those application meet the requirements of the PCI DSS. This will enable those merchants and service providers using the applications in their operations to achieve compliance. 

Speakers
avatar for Geraint Williams

Geraint Williams

Senior Consultant & QSA, IT Governance


Wednesday June 25, 2014 16:45 - 17:35
LAB026
  • Company 51

17:35

Keynote - CopperDroid: On the Reconstruction of Android Malware Behaviors
Today mobile devices and their application marketplaces drive the entire economy of the mobile landscape. For instance, Android platforms alone have produced staggering revenues exceeding 9 billion USD, which unfortunately attracts cybercriminals with malware now hitting the Android markets at an alarmingly rising pace.

To better understand this slew of threats, in this talk I present CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behavior of Android malware.  Based on the key observation that all interesting behaviors are eventually expressed through system calls, CopperDroid presents a novel unified analysis able to capture both low-level OS-specific and high-level Android-specific behaviors. 

Extensive evaluation on more than 2,900 Android malware samples, show that CopperDroid faithfully describes OS- and Android-specific behaviors and, through the use of a simple yet effective app stimulation technique, successfully triggers and discloses additional behaviors on more than 60% (on average) of the analyzed malware samples, qualitatively improving code coverage of dynamic-based analyses.

Speakers
avatar for Lorenzo Cavallaro

Lorenzo Cavallaro

Senior Lecturer (~Associate Professor), Royal Holloway University of London
Lorenzo Cavallaro is a Senior Lecturer of Information Security in theInformation Security Group at Royal Holloway University of London.His research interests focus on systems security, and malware analysisand detection. | | Lorenzo is Principal Investigator on the 4-year EPSRC-funded BACCHUSgrant EP/L022710/1 "MobSec: Malware and Security in the Mobile Age"(Jun 2014--Jun 2018), Principal Investigator on the 3-yearEPSRC-funded CEReS grant... Read More →


Wednesday June 25, 2014 17:35 - 18:20
LAB026
 
Thursday, June 26
 

08:00

Registration & Breakfast
Thursday June 26, 2014 08:00 - 09:00
LAB001 Broad Street Entrance, Loed Ashcroft International Business Schoo

08:00

Capture the Flag (Day 2 AM)
Volunteers

Thursday June 26, 2014 08:00 - 13:30
LAB027

09:15

Keynote - Anonymous Communications and Tor: History and Future Challenges

The history of anonymous communications on the Internet dates back to the early 80's but since then there have been dramatic changes in how anonymous communication systems have been built and how they have been used. In this talk I will describe some of these key changes, and what has motivated them. These include the web taking over from email as the major means of communications, and users of anonymous communication systems prioritising censorship-resistance over privacy. The growing popularity of anonymous communication systems has also led to commercial and political realities effecting how projects are run and software is designed. In particular, I will discuss how the Tor software has changed, and the Tor project evolved in this environment. I will conclude by summarising what might be the future for anonymous communication systems and how they may have to adapt themselves to changing circumstances.


Speakers
avatar for Steven Murdoch

Steven Murdoch

Royal Society University Research Fellow, University of Cambridge
Dr. Steven J. Murdoch is a Royal Society University Research Fellow in the Security Group of the University of Cambridge Computer Laboratory, working on developing metrics for security and privacy. His research interests include covert channels, banking security, anonymous communications, and censorship resistance. Following his PhD studies on anonymous communications, he worked with the OpenNet Initiative, investigating Internet censorship. He... Read More →


Thursday June 26, 2014 09:15 - 10:00
LAB026

10:00

Morning Coffee
Thursday June 26, 2014 10:00 - 10:25
LAB005 and LAB006

10:25

Chapter Leader Workshop 1
Join our newly appointed Community Manager, GK Southwick, as she talks you through the various concerns and questions you have regarding running your chapters. As the questions posed so far have been wide and varied, this will be an open format conversation, so bring your best and most baffling to the table and what GK can't answer straight, we'll discuss in the round.
Please bring your laptops, so we can walk through various steps and pages of the Wiki together, to ensure that everything is as clear as it can be.

Thursday June 26, 2014 10:25 - 11:15
LAB109

10:25

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment. 

A new concept of Test Driven Security, which is loosely based on the tenants of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Thursday June 26, 2014 10:25 - 11:15
LAB002
  • Company 78

10:25

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together
Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. 

Two different interactions are examined: 
• How can knowledge of code make application scanning better? 
• How can application scan results be mapped back to specific lines of code? 

Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

Speakers
avatar for Dan Cornell

Dan Cornell

CTO, Denim Group
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.


Thursday June 26, 2014 10:25 - 11:15
LAB003
  • Company 66

10:25

OpenSAMM Best Practices: Lessons from the Trenches
Managing all application security activities as part of development and deployment of applications can be an overwhelming challenge. OWASP OpenSAMM gives you a structural and measurable blueprint to integrate OWASP best practices in your software life cycle. This OWASP framework allows you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. 

During this talk Bart and Sebastien will get you up to speed on the OpenSAMM framework and share their important challenges they faced in implementing the framework within various organisations. Important topics that will be covered during this presentation are: 


  • What is the optimal OpenSAMM maturity level for your organisation? 

  • At which level to implement OpenSAMM in the organisation: at company, business unit or development team level? 

  • How to integrate OpenSAMM activities in agile development? 

  • How to apply OpenSAMM on suppliers or outsourced development? 

  • What metrics does OpenSAMM provide to manage your secure development life cycle? 



Practical lessons learned and use cases from the trenches that make OWASP OpenSAMM a valuable methodology and which you should apply for your secure development life cycle! 

Prior to the conference we organise a full day training on OpenSAMM, make sure to reserve your seat at this free OWASP training. After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org. 

Speakers
avatar for Seba Deleersnyder

Seba Deleersnyder

managing partner application security, Toreon
Co-founder & managing partner application security at Toreon.com | As application security specialist for more than 10 years, Sebastien has helped various companies improve their ICT-, Web- and Mobile Security, including BNP Paribas Fortis, Atos Worldline, KBC, NationaleNederlanden (ING), Isabel, Fluxys, OLAF, EU Council, TNT Post, Flemish Community, Agfa-Gevaert and ING Insurance International. | Sebastien is the Belgian OWASP Chapter... Read More →
avatar for Bart De Win

Bart De Win

Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →


Thursday June 26, 2014 10:25 - 11:15
LAB026
  • Company 72

11:15

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? 

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. 

In this talk we explore the vulnerabilities behind Javascript, including: 
• A new class of vulnerabilities unique only to JavaScript 
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code 
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities 

Speakers
avatar for Maty Siman

Maty Siman

Founder and CTO, Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project manager. Prior to that, he spent six years with the Israel Defense Forces (IDF), where he established and led a development team in the IDF’s... Read More →


Thursday June 26, 2014 11:15 - 12:05
LAB002
  • Company 74

11:15

Chapter Leader Workshop 2
Join our newly appointed Community Manager, GK Southwick, as she talks you through the various concerns and questions you have regarding running your chapters. As the questions posed so far have been wide and varied, this will be an open format conversation, so bring your best and most baffling to the table and what GK can't answer straight, we'll discuss in the round.
Please bring your laptops, so we can walk through various steps and pages of the Wiki together, to ensure that everything is as clear as it can be.

Thursday June 26, 2014 11:15 - 12:05
LAB109

11:15

Continuous Security Testing in a Devops World
Three key devops principles are the merging of skills in previously separate teams, extensive process automation and faster delivery through more frequent software deploys.

These present some interesting challenges to application security such as:



  • How to effectively communicate and manage security requirements in such a dynamic environment?



  • How to perform rigorous security testing when software is deployed multiple times per day?


  • How to integrate security processes into the existing continuous integration/deployment environments?



In this talk I will explore these questions and present an open source security testing framework that aims to address them through the use of Behaviour Driven Development (BDD).

A key concept from agile software development is that the software tests are the documentation. While this approach works well when all the stakeholders are developers, it can break down when neither the ops nor the security team are proficient in a programming language.

BDD offers a communication bridge between security, development and testing so that security requirements can be defined in a natural language; and yet still be executable as automated software tests.

The BDD-Security framework was created in order to provide a set of pre- defined security requirements that can be executed against most web applications with minimal changes. It uses Selenium and OWASP ZAP in order to mimic the testing that a human security tester would perform including authentication and access control tests that were previously difficult to automate and beyond the capabilities of scanners. Since the framework is based on JBehave, which provides JUnit wrappers, it fits into existing automated deployment and continuous integration pipelines.

The talk will demonstrate how to configure the BDD-Security framework and how to integrate it with the Jenkins CI server in order to provide continuous and in-depth security testing that includes both functional and non-functional testing.

The result is an automated process from code commit, to build, deploy and security testing where the results of the tests are understandable by all stakeholders. 



Speakers
avatar for Stephen de Vries

Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. | | His background is in software development and security testing of web and mobile applications. He has worked at Corsaire, KPMG and on the ISS/IBM X-Force team and contributed to the OWASP Java project, ASVS and the testing... Read More →


Thursday June 26, 2014 11:15 - 12:05
LAB003

11:15

Making CSP Work For You

CSP is a valuable defence against XSS and other attacks on web applications. This talk provides an introduction to the technology, why it's needed, how it works and also provides some hints on overcoming a few of the challenges presented by using CSP in the real world.

 


Speakers
MG

Mark Goodwin

Mark Goodwin works on application security for Mozilla, creators of the popular Firefox web browser (and CSP!).  | At work, Mark works with web applications and browser security. At home, he plays with the security too; web, phone apps, consumer electronics - all sorts. | Mark has previously worked on Internet banking, e-commerce, embedded systems and logistics software.


Thursday June 26, 2014 11:15 - 12:05
LAB026
  • Company 15

12:05

25 Million Flows Later – Large-scale Detection of DOM-based XSS
In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

Speakers
avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990ties and the early years of the new millennium he earned his living as a software engineer in... Read More →
SL

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.  Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc.  He regularly publishes his work at academic and non-academic security conferences such as CCS, Usenix Security, Blackhat, OWASP Appsec, Deepsec, etc.


Thursday June 26, 2014 12:05 - 12:50
LAB002
  • Company 58

12:05

ActiveScan++: Augmenting manual testing with attack proxy plugins
This presentation will introduce ActiveScan++ and demonstrate how it can be used to easily identify complex vulnerabilities in real world applications. ActiveScan++ is an open source Python plugin that builds upon Burp Suite's basic active scanning functionality. This talk will cover the classic and exotic vulnerabilities it can detect, as well as the pros and pitfalls that can be found with the proxy-plugin approach to automated vulnerability hunting.

ActiveScan++ uses heuristic probes to efficiently assess the susceptibility of the target to a range of cutting edge attack techniques, such as host header poisoning and relative path overwrites. In addition, ActiveScan++ provides robust identification of blind attack issues, helping to locate rare but critical vulnerabilities such as code injection that pentesters can't afford to miss. Demonstrations of the underlying mechanics of these attacks, how they can be automatically detected, and how we can actively exploit them once they have been identified will be performed throughout the presentation.

The presentation will finish with a discussion of current research into automated detection of 'suspicious' behaviour, in a manner similar to the initial stages of manual testing. These new techniques allow generic detection of entire vulnerability classes by combining platform-independent payload sets with fuzzy pattern matching.

This presentation will host the first public release of this open source tool.


Speakers
JK

James Kettle

Context Information Security
James Kettle has  extensive experience vulnerability bounty hunting across Mozilla's and Google's heavily secured infrastructure, resulting in being ranked 6th in Google's 0x0A list for 2012/13. As part of this he has  performed security research culminating in novel attack techniques such as password reset and cache poisoning, affecting numerous popular web frameworks including Django, Drupal, Symfony and Joomla.


Thursday June 26, 2014 12:05 - 12:50
LAB003
  • Company 29

12:05

Chapter Leader Workshop 3
Join our newly appointed Community Manager, GK Southwick, as she talks you through the various concerns and questions you have regarding running your chapters. As the questions posed so far have been wide and varied, this will be an open format conversation, so bring your best and most baffling to the table and what GK can't answer straight, we'll discuss in the round.
Please bring your laptops, so we can walk through various steps and pages of the Wiki together, to ensure that everything is as clear as it can be.

Thursday June 26, 2014 12:05 - 12:50
LAB109

12:05

Threat Modeling – A Brief History and the Unified Approach at Intuit
Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers. 

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. Some of the drawbacks included amount of time required to translate the information from development (generating the Data Flow Diagrams) and difficulty in modeling different threat agents. 

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result was what is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using System Threat Modeling approach) as well as for interaction between different software and system components (via Protocol Threat Modeling approach). 

Speakers
SM

Scott Matsumoto

Principal Consultant, Cigital, Inc.
Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA Security and Governance. His prior experience encompasses development of component-based middleware, performance management systems, graphical UIs, language compilers... Read More →
avatar for Tin Zaw

Tin Zaw

Volunteer, OWASP
Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Applications, along with Colin Watson. At his day day job, he leads a global practice to help Verizon customers secure web properties at Verizon Digital Media. | | He started his career programming network protocols at QUALCOMM, participated in early days of the web infrastructure at Inktomi, made security products for 100+ million users at Symantec, and led web and... Read More →


Thursday June 26, 2014 12:05 - 12:50
LAB026
  • Company 35

12:50

13:30

Capture the Flag (Day 2 PM)
Volunteers

Thursday June 26, 2014 13:30 - 16:00
LAB027

13:50

Metro down the Tube. Security Testing Windows Store Apps
This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site. 

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile). 

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox. 

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT. 

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature. 

Speakers
avatar for Marion Mccune

Marion Mccune

Director, ScotSTS Ltd
I'm a director of a small security consultancy specializing in testing Web Applications. | My specific fields of interest are ASP.NET, Store Apps and WP8. | | I live in rural Argyll with my partner Rory, two cats, three Surfaces and a visiting pine marten.


Thursday June 26, 2014 13:50 - 14:40
LAB002
  • Company 28

13:50

Barbican: Protect your Secrets at Scale
For sys admins, your servers hold many pieces of sensitive information, whether they are iron, virtual or cloud boxes. These keys to your kingdom need protection but must also also allow for infrastructure at scale. Application Security current best practices talk about key management, key rotation but have little to no practical advice beyond policy and general statements.

This presentation discusses a proposed solution for key management, named Barbican, an open source project that is part of OpenStack. Its goal was to build a secure, Cloud-ready key management solution. Barbican can be used by OpenStack implementors or anyone willing to run a server or two. This talk will walk through the current state of Barbican, its technical architecture, how to use it as an internal or cloud service and demonstrate our current proof of concept implementation.

Speakers
avatar for Matt Tesauro

Matt Tesauro

OWASP Foundation
Matt Tesauro is currently working full-time for the OWASP Foundation, adding automation and awesome to OWASP projects. Previously, he was a founder and CTO of Infinitiv, a Senior Software Security Engineer at Pearson and the Senior Product Security Engineer at Rackspace. He is also an Adjunct Professor for the University of Texas Computer Science department teaching the next generation of CS students about Application Security. Matt is... Read More →


Thursday June 26, 2014 13:50 - 14:40
LAB003
  • Company 80

13:50

A non-trivial task of Introducing Architecture Risk Analysis into the Software Development Process
Despite many publications and presentations detailing threat modeling and, more generally - Architectural Risk Analysis (ARA) techniques, and widely accepted notion that it is so much cheaper to deal with security issues proactively and upfront, rather than reactively in already released applications, many software development teams still have not embraced ARA as a mandatory part of their SDLC. Why is it so, if the benefits are so obvious? Because establishing ARA as a regularly practiced activity is a very complicated process, and existing industry materials and methodologies do not help development teams make this transition any smoother. This presentation, based on first-hand experiences and observations from introducing ARA into SDLC, will describe the many obstacles to broad adoption of ARA in a software development company as an integral element of regular product development cycle.

The reasons for the existing situation are plenty, ranging from mindset of software engineers, to lack of security-related culture, and to shortage of sufficiently skilled security professionals. Instead of trying to tackle these challenges, many companies aim to placate customers' security assurance demands by going down the easier route of "testing security in" and contract security verification out to external vendors. These problems may be attributed to inertia and general lack of understanding of how to write secure software.

Unfortunately, there are many problems with the threat modeling and ARA methodologies themselves, which complicate their adoption as proactive defense mechanisms. There are no commonly accepted methods to calculate Return on Investment (ROI) of such programs, and senior management, with very few exceptions, remain skeptical when asked to further burden already strained development teams. In the best case, they may tolerate it, but support is far from guaranteed. The concepts and skills, required for practicing those methodologies, remain foreign to regular developers, who have difficulties transitioning from functional into attacker mode of thinking. Broad developers education is challenging because the software industry as a whole has so far failed to produce any meaningful materials on attack patterns that could be relatively easily introduced into software development process. There are efforts under way, but some of them are too academic in nature, while others are way too broad and

inconsistent, making the end result unsuitable for practical applications. This stands in sharp contrast to the reactive mechanism of vulnerability alerts practice, which relies on well established and commonly used vulnerability data sources.

As a result, despite lots of talk about great importance of ARA, and quite a few years after introduction of the concept into the applied software development discipline it remains more of an art than a trade. ARA and threat modeling are still practiced by relatively small and exquisite groups of dedicated security professionals, either within Software Security Groups (SSGs) in large companies, or by highly specialized consultancies.

This presentation will look at the key ingredients necessary for establishing a successful ARA program in a software development organization, recognizing the limitations and obstacles described earlier. The process of bridging the current knowledge gap requires close cooperation of both development and security teams, so the presentation will be particularly useful for development managers and architects involved into implementation of SDLC within software development organizations, as well as application security professionals dealing with software development teams. Finally, we will also discuss specific examples of what is lacking in the currently available public materials for threat modeling/ARA and how this situation could be improved to make those materials more applicable as part of the regular software development process. 

Speakers
avatar for Denis Pilipchuk

Denis Pilipchuk

Senior Principal Security Program Manager, Global Product Security, Oracle Corporation
Mr. Pilipchuk is a Security Program Manager on the Oracle Global Product Security team. Denis works with all business units to develop security assurance programs, concentrating in the areas of Architectural Risk Analysis, security design, and security tools. He has previously held security architecture positions in various organizations (including BEA, Netegrity, Eclipsys) and industries. While working in these roles, Denis was involved in... Read More →


Thursday June 26, 2014 13:50 - 14:40
LAB026
  • Company 32

14:05

Project Leader Workshop
The Project Leader Workshop is a 2 hour event activity that brings together current and potential OWASP project leaders to discuss project related issues and topics. The Project Leader Workshop is an optional event activity for our leaders that takes on a presentation and discussion format. It is an interactive tool used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members.

Leaders can expect to learn more about the OWASP Projects Infrastructure, the benefits of having an OWASP Project, and how they can leverage the infrastructure to help promote their project to the community and beyond. OWASP Project Leader, Simon Bennetts, will lead the session

Please check attached file for location (MAP FLOOR) 

Moderators
avatar for Johanna Curiel

Johanna Curiel

Security Researcher, Banking Sector
Johanna has mainly worked in the area of C# and ASP.NET development, Testing and Quality Control. She is an experienced developer and understands different types of programming languages such as Java and PHP and different types of scripting languages. Johanna has ample experience in Microsoft Technologies and Security Engineering, and is also a Certified PCI -Professional... Read More →

Speakers
avatar for Simon Bennetts

Simon Bennetts

Security, Mozilla
Simon Bennetts has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He is the OWASP Zed Attack Proxy Project Leader and works for Mozilla as part of the Cloud Security Team.



Thursday June 26, 2014 14:05 - 16:10
LAB109

14:40

Can Application Security Training Make Developers Build Less Vulnerable Code?
This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Speakers
avatar for John Dickson

John Dickson

Principal, Denim Group
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. Dickson is a popular speaker on security at industry venues including the RSA Security Conference, the SANS Institute, the Open Web Application Security Project (OWASP) and at... Read More →


Thursday June 26, 2014 14:40 - 15:30
LAB002
  • Company 85

14:40

Freedom Issues for Websites
Web sites continually raise several issues of concern that affect individual users' freedom. As part of their design, such web sites often make users run nonfree software (perhaps in Javascript) whilst others collect data about people or help both commercial and clandestine entities to do so. Some websites may help do the user's own computing and thus deny users control over it. Dr Richard Stallman will speak about these problems and how to avoid them.

Speakers
DR

Dr Richard Stallman

Dr Richard Stallman , President of the Free software Foundation | | Dr. Richard Stallman launched the free software movement in 1983 and started the development of the GNU operating system (see www.gnu.org) in 1984. GNU is free software: everyone has the freedom to copy it and redistribute it, with or without changes. The GNU/Linux system, basically the GNU operating system with Linux added, is used on tens of millions of computers today... Read More →


Thursday June 26, 2014 14:40 - 15:40
LAB026
  • Company 47

15:40

Afternoon Coffee
Thursday June 26, 2014 15:40 - 16:00
LAB005 and LAB006

16:00

Automatic Detection of Inadequate Authorization Checks in Web Applications
Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications. 

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative. 

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems. 

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production. 

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today. 

Speakers
avatar for Alvaro Muñoz

Alvaro Muñoz

Software Security Researcher, HP


Thursday June 26, 2014 16:00 - 16:50
LAB002
  • Company 60

16:00

Shameful Secrets of Proprietary Network Protocols
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful mystery - completely unsecured mechanisms breaking all good coding practices.

We would like to present our approach and a short guideline how to reverse engineer proprietary protocols - a world full of own implementations of asymmetric cryptography, revertible hash algorithms, lack of user authentication and no function or data access control at all.

To demonstrate, we will show 5 case-studies - most interesting examples from real-life financial industry software, which in our opinion are aquintessence of "security by obscurity". We will talk about homeautomation, embedded pull printing software in multifunction printers (MFP), remote desktop protocols and twisted vulnerabilities in FOREX trading software, which is particularly risky business regarding security.

Speakers
SJ

Slawomir Jasek

IT security consultant with over 10 years of experience. Participated in | many assessments of systems' and applications' security, for leading | financial companies and public institutions, including a few dozen | e-banking systems. Currently focuses on consulting design of secure | solutions for various projects during all the phases - starting from a | scratch. For 8 years has been working with SecuRing.
avatar for Jakub Kaluzny

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many internetional conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well at local security events. Previously working for European Space Agency and internet payments intermediary. Apart from testing applications, he digs into proprietary network protocols... Read More →


Thursday June 26, 2014 16:00 - 16:50
LAB003
  • Company 83

16:00

Security Implications of Cross-Origin Resource Sharing
HTML5 has been on the way for a couple of years now. There have been many discussions about its security implications and how they should be handled; however, these discussions usually stop at showing the most hyped and scariest vulnerabilities and their countermeasures. This presentation will continue the discussion on another level. To create state-of-the-art web applications with HTML5, all of its features should be analysed to see the risks they introduce and how they should be used properly. 

This presentation will analyse the Cross-Origin Resource Sharing (CORS). This HTML5 feature allows websites to load resources from other domains, even from restricted environments, using the authentication tokens saved by the browser. This has interesting effects on various actors of the Internet. It affects the clients and the servers alike bringing a whole new trust relationships in the game. It also breaks with the relevant parts of the same-origin policy, one of the most important security features of web browsers and all of these happened without most people noticing. 

The first part of my analysis will introduce the Cross-Origin Resource Sharing, how it works, how JSON-P, it's predecessor, was used and why CORS is interesting from a security perspective. The functional introduction will be followed with a threat analyses to show how CORS affects the traditional usage of XmlHttpRequests (XHR). Because it introduces a change in the way how websites communicate with each other it has an effect on pre-CORS websites as well. Most importantly it introduces a new way to attack web applications and overturns well known attacks such as Cross-Site Request Forgery and Cross-Site Tracing and gives them whole new possibilities. Examples for these will be presented in live demos. 

The presentation will be concluded with outlining the methods to mitigate the security risks of Cross-Origin Resource Sharing. The methods will include ways to prepare a site to handle CORS properly and to build new web applications enjoying the new features of CORS without risking the data of our users.

Speakers
avatar for Gergely Revay

Gergely Revay

Siemens AG


Thursday June 26, 2014 16:00 - 16:50
LAB026
  • Company 44

16:50

Keynote - Reflections on Scoping Trust
In the modern Web environment, far from heeding Ken Thompson's admonition that "you can't trust code that you did not totally create yourself," we're required to trust a whole host of things we didn't create ourselves, including code, devices, infrastructure, and institutions. Sometimes, quite visibly of late, we've seen that trust betrayed by failures in components we shouldn't have needed to trust so broadly in the first place. This talk will examine gaps in our current models of trust and security scope, and consider how, short of writing our own compiler-compilers and everything on top, we can create a more trustworthy Web.

Speakers
avatar for Wendy Seltzer

Wendy Seltzer

and Chilling Effects founder, W3C Policy Counsel
Wendy Seltzer is Policy Counsel and Technology & Society Domain Lead at the World Wide Web Consortium (W3C), where she leads work on privacy, security, and social web standards. As a visiting Fellow with Yale Law School's Information Society Project, she researches openness in intellectual property, innovation, privacy, and free expression online. As a Fellow with Harvard's Berkman Center for Internet & Society, Wendy founded and leads the... Read More →


Thursday June 26, 2014 16:50 - 17:40
LAB026

17:40

Conference Closing Ceremony
Thursday June 26, 2014 17:40 - 18:00
LAB026
 
Monday, June 30
 

14:00

Summit Session - TBD
Monday June 30, 2014 14:00 - 18:00
LAB215