AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

DevOps Track [clear filter]
Thursday, June 26

10:25 BST

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment. 

A new concept of Test Driven Security, which is loosely based on the tenants of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

avatar for Matt Tesauro

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →

Thursday June 26, 2014 10:25 - 11:15 BST

10:25 BST

Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Together
Developers want to write code and security testers want to break it and both groups have specialized tools supporting these goals. The problem is – security testers need to know more about application code to do better testing and developers need to be able to quickly address problems found by security testers. This presentation looks at both groups and their respective toolsets and explores ways they can help each other out. 

Two different interactions are examined: 
• How can knowledge of code make application scanning better? 
• How can application scan results be mapped back to specific lines of code? 

Using open source examples built on OWASP ZAP, ThreadFix and Eclipse, the presentation walks through the process of seeding web applications scans with knowledge gleaned from code analysis as well as the mapping of dynamic scan results to specific line of code. The end result is a combination of testing and remediation workflows that help both security testers and software developers be more effective. Particular attention is give to Java/JSP applications and Java/Spring applications and how teams using these frameworks can best benefit from these interactions.

avatar for Dan Cornell

Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their... Read More →

Thursday June 26, 2014 10:25 - 11:15 BST

11:15 BST

Continuous Security Testing in a Devops World
Three key devops principles are the merging of skills in previously separate teams, extensive process automation and faster delivery through more frequent software deploys.

These present some interesting challenges to application security such as:

  • How to effectively communicate and manage security requirements in such a dynamic environment?

  • How to perform rigorous security testing when software is deployed multiple times per day?

  • How to integrate security processes into the existing continuous integration/deployment environments?

In this talk I will explore these questions and present an open source security testing framework that aims to address them through the use of Behaviour Driven Development (BDD).

A key concept from agile software development is that the software tests are the documentation. While this approach works well when all the stakeholders are developers, it can break down when neither the ops nor the security team are proficient in a programming language.

BDD offers a communication bridge between security, development and testing so that security requirements can be defined in a natural language; and yet still be executable as automated software tests.

The BDD-Security framework was created in order to provide a set of pre- defined security requirements that can be executed against most web applications with minimal changes. It uses Selenium and OWASP ZAP in order to mimic the testing that a human security tester would perform including authentication and access control tests that were previously difficult to automate and beyond the capabilities of scanners. Since the framework is based on JBehave, which provides JUnit wrappers, it fits into existing automated deployment and continuous integration pipelines.

The talk will demonstrate how to configure the BDD-Security framework and how to integrate it with the Jenkins CI server in order to provide continuous and in-depth security testing that includes both functional and non-functional testing.

The result is an automated process from code commit, to build, deploy and security testing where the results of the tests are understandable by all stakeholders. 

avatar for Stephen de Vries

Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. His background is in software development and security testing... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST

13:50 BST

Barbican: Protect your Secrets at Scale
For sys admins, your servers hold many pieces of sensitive information, whether they are iron, virtual or cloud boxes. These keys to your kingdom need protection but must also also allow for infrastructure at scale. Application Security current best practices talk about key management, key rotation but have little to no practical advice beyond policy and general statements.

This presentation discusses a proposed solution for key management, named Barbican, an open source project that is part of OpenStack. Its goal was to build a secure, Cloud-ready key management solution. Barbican can be used by OpenStack implementors or anyone willing to run a server or two. This talk will walk through the current state of Barbican, its technical architecture, how to use it as an internal or cloud service and demonstrate our current proof of concept implementation.

avatar for Matt Tesauro

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →

Thursday June 26, 2014 13:50 - 14:40 BST

16:00 BST

Shameful Secrets of Proprietary Network Protocols
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all. Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful mystery - completely unsecured mechanisms breaking all good coding practices.

We would like to present our approach and a short guideline how to reverse engineer proprietary protocols - a world full of own implementations of asymmetric cryptography, revertible hash algorithms, lack of user authentication and no function or data access control at all.

To demonstrate, we will show 5 case-studies - most interesting examples from real-life financial industry software, which in our opinion are aquintessence of "security by obscurity". We will talk about homeautomation, embedded pull printing software in multifunction printers (MFP), remote desktop protocols and twisted vulnerabilities in FOREX trading software, which is particularly risky business regarding security.


Slawomir Jasek

IT security consultant with over 10 years of experience. Participated in many assessments of systems' and applications' security, for leading financial companies and public institutions, including a few dozen e-banking systems. Currently focuses on consulting design of secure solutions... Read More →
avatar for Jakub Kaluzny

Jakub Kaluzny

Sr. IT Security Consultant, SecuRing
Jakub is a Senior IT Security Consultant at SecuRing and performs penetration tests of high-risk applications, systems and devices. He was a speaker at many internetional conferences: BlackHat Asia, OWASP AppSec EU, PHdays, HackInTheBox, ZeroNights as well at local security events... Read More →

Thursday June 26, 2014 16:00 - 16:50 BST
Filter sessions
Apply filters to sessions.