AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Frameworks and Theories Track [clear filter]
Thursday, June 26

10:25 BST

OpenSAMM Best Practices: Lessons from the Trenches
Managing all application security activities as part of development and deployment of applications can be an overwhelming challenge. OWASP OpenSAMM gives you a structural and measurable blueprint to integrate OWASP best practices in your software life cycle. This OWASP framework allows you to formulate and implement a strategy for software security that is tailored to the risk profile of your organisation. 

During this talk Bart and Sebastien will get you up to speed on the OpenSAMM framework and share their important challenges they faced in implementing the framework within various organisations. Important topics that will be covered during this presentation are: 

  • What is the optimal OpenSAMM maturity level for your organisation? 

  • At which level to implement OpenSAMM in the organisation: at company, business unit or development team level? 

  • How to integrate OpenSAMM activities in agile development? 

  • How to apply OpenSAMM on suppliers or outsourced development? 

  • What metrics does OpenSAMM provide to manage your secure development life cycle? 

Practical lessons learned and use cases from the trenches that make OWASP OpenSAMM a valuable methodology and which you should apply for your secure development life cycle! 

Prior to the conference we organise a full day training on OpenSAMM, make sure to reserve your seat at this free OWASP training. After the conference the OpenSAMM project team comes together for their first OpenSAMM summit in Cambridge. If you want to contribute to this flagship project, stay and join us at the summit. More details on www.opensamm.org. 

avatar for Sebastien Deleersnyder

Sebastien Deleersnyder

CEO, Toreon
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Co-leading... Read More →
avatar for Bart De Win

Bart De Win

Bart De Win has over 20 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection. Since 2009, Bart has been responsible for all application security services within... Read More →

Thursday June 26, 2014 10:25 - 11:15 BST

11:15 BST

Making CSP Work For You

CSP is a valuable defence against XSS and other attacks on web applications. This talk provides an introduction to the technology, why it's needed, how it works and also provides some hints on overcoming a few of the challenges presented by using CSP in the real world.



Mark Goodwin

Mark Goodwin works on application security for Mozilla, creators of the popular Firefox web browser (and CSP!).  At work, Mark works with web applications and browser security. At home, he plays with the security too; web, phone apps, consumer electronics - all sorts. Mark has... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST

12:05 BST

Threat Modeling – A Brief History and the Unified Approach at Intuit
Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers. 

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. Some of the drawbacks included amount of time required to translate the information from development (generating the Data Flow Diagrams) and difficulty in modeling different threat agents. 

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result was what is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using System Threat Modeling approach) as well as for interaction between different software and system components (via Protocol Threat Modeling approach). 


Scott Matsumoto

Principal Consultant, Cigital, Inc.
Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA... Read More →
avatar for Tin Zaw

Tin Zaw

Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of... Read More →

Thursday June 26, 2014 12:05 - 12:50 BST

13:50 BST

A non-trivial task of Introducing Architecture Risk Analysis into the Software Development Process
Despite many publications and presentations detailing threat modeling and, more generally - Architectural Risk Analysis (ARA) techniques, and widely accepted notion that it is so much cheaper to deal with security issues proactively and upfront, rather than reactively in already released applications, many software development teams still have not embraced ARA as a mandatory part of their SDLC. Why is it so, if the benefits are so obvious? Because establishing ARA as a regularly practiced activity is a very complicated process, and existing industry materials and methodologies do not help development teams make this transition any smoother. This presentation, based on first-hand experiences and observations from introducing ARA into SDLC, will describe the many obstacles to broad adoption of ARA in a software development company as an integral element of regular product development cycle.

The reasons for the existing situation are plenty, ranging from mindset of software engineers, to lack of security-related culture, and to shortage of sufficiently skilled security professionals. Instead of trying to tackle these challenges, many companies aim to placate customers' security assurance demands by going down the easier route of "testing security in" and contract security verification out to external vendors. These problems may be attributed to inertia and general lack of understanding of how to write secure software.

Unfortunately, there are many problems with the threat modeling and ARA methodologies themselves, which complicate their adoption as proactive defense mechanisms. There are no commonly accepted methods to calculate Return on Investment (ROI) of such programs, and senior management, with very few exceptions, remain skeptical when asked to further burden already strained development teams. In the best case, they may tolerate it, but support is far from guaranteed. The concepts and skills, required for practicing those methodologies, remain foreign to regular developers, who have difficulties transitioning from functional into attacker mode of thinking. Broad developers education is challenging because the software industry as a whole has so far failed to produce any meaningful materials on attack patterns that could be relatively easily introduced into software development process. There are efforts under way, but some of them are too academic in nature, while others are way too broad and

inconsistent, making the end result unsuitable for practical applications. This stands in sharp contrast to the reactive mechanism of vulnerability alerts practice, which relies on well established and commonly used vulnerability data sources.

As a result, despite lots of talk about great importance of ARA, and quite a few years after introduction of the concept into the applied software development discipline it remains more of an art than a trade. ARA and threat modeling are still practiced by relatively small and exquisite groups of dedicated security professionals, either within Software Security Groups (SSGs) in large companies, or by highly specialized consultancies.

This presentation will look at the key ingredients necessary for establishing a successful ARA program in a software development organization, recognizing the limitations and obstacles described earlier. The process of bridging the current knowledge gap requires close cooperation of both development and security teams, so the presentation will be particularly useful for development managers and architects involved into implementation of SDLC within software development organizations, as well as application security professionals dealing with software development teams. Finally, we will also discuss specific examples of what is lacking in the currently available public materials for threat modeling/ARA and how this situation could be improved to make those materials more applicable as part of the regular software development process. 

avatar for Denis Pilipchuk

Denis Pilipchuk

Senior Principal Security Program Manager, Global Product Security, Oracle Corporation
Mr. Pilipchuk is a Security Program Manager on the Oracle Global Product Security team. Denis works with all business units to develop security assurance programs, concentrating in the areas of Architectural Risk Analysis, security design, and security tools. He has previously held... Read More →

Thursday June 26, 2014 13:50 - 14:40 BST

16:00 BST

Security Implications of Cross-Origin Resource Sharing
HTML5 has been on the way for a couple of years now. There have been many discussions about its security implications and how they should be handled; however, these discussions usually stop at showing the most hyped and scariest vulnerabilities and their countermeasures. This presentation will continue the discussion on another level. To create state-of-the-art web applications with HTML5, all of its features should be analysed to see the risks they introduce and how they should be used properly. 

This presentation will analyse the Cross-Origin Resource Sharing (CORS). This HTML5 feature allows websites to load resources from other domains, even from restricted environments, using the authentication tokens saved by the browser. This has interesting effects on various actors of the Internet. It affects the clients and the servers alike bringing a whole new trust relationships in the game. It also breaks with the relevant parts of the same-origin policy, one of the most important security features of web browsers and all of these happened without most people noticing. 

The first part of my analysis will introduce the Cross-Origin Resource Sharing, how it works, how JSON-P, it's predecessor, was used and why CORS is interesting from a security perspective. The functional introduction will be followed with a threat analyses to show how CORS affects the traditional usage of XmlHttpRequests (XHR). Because it introduces a change in the way how websites communicate with each other it has an effect on pre-CORS websites as well. Most importantly it introduces a new way to attack web applications and overturns well known attacks such as Cross-Site Request Forgery and Cross-Site Tracing and gives them whole new possibilities. Examples for these will be presented in live demos. 

The presentation will be concluded with outlining the methods to mitigate the security risks of Cross-Origin Resource Sharing. The methods will include ways to prepare a site to handle CORS properly and to build new web applications enjoying the new features of CORS without risking the data of our users.

avatar for Gergely Revay

Gergely Revay

Siemens AG

Thursday June 26, 2014 16:00 - 16:50 BST
Filter sessions
Apply filters to sessions.