AppSec Europe 2014

The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached 1,000,000 as of October 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations. 

We believe that adding an automated security measure into the Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode.

During the coding phase, developers will be able to automatically spot general security issues in iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share the difficulties and problems we faced and how we overcame them during our research.

Has Android achieved the impossible? Do intents enable interprocess communications and inter-process collaboration that is actually securable? The answer, as in many platforms, is a definite ‘maybe’. Firstly, intents invite "new" attacks - attacks more traditionally associated with distributed systems - such as spoofing, hijacking, out of order execution and theft of data. Secondly, all is not always as it seems. Like so many things in in life, it is possible to do things right and still get it wrong. Securing intents properly requires a defensive approach of some old techniques plus an added step of validating some assumptions. This talk is aimed mainly at app developers - learn how intents work under the hood, how to secure your intents and how to secure your assumptions to achieve your goal of secure apps. 

Recently, there has been a new addition to the OWASP Mobile Top Ten; a lack of binary protections. At AppSec California, OWASP debuted it and briefly highlighted examples of the threats to mobile devices in this category. In this talk I will discuss the new category in much more depth, exploring reasons why this risk category has now been included in OWASP’s Top Ten Mobile Security Risks.

In 2013, consumers downloaded more than 83 billion applications from app stores worldwide, with revenues totalling $25 billion. According to Portio research, this is expected to grow to over 200 billion downloads per year by 2017. It is clear that the App Economy is not only thriving, but is driving new app-centric products and services across multiple industries and with the continued adoption of mobile computing, the threats to mobile and applications is continuing to grow.

Based on research conducted by Arxan, we found that over half of the top 100 iOS apps had been hacked or tampered with and made available for download on third party app stores. This included 53 percent of Android, and 23 percent of mobile banking and payment applications.

The talk will specifically highlight the risks that a lack of binary protections poses to mobile applications on both iOS and Android platforms. The speaker will discuss how to leverage specific OWASP projects to solve these issues and secure apps from tampering. By the end of the talk, attendees will have a solid understanding of the risks associated with lack of binary protections and how to begin thinking about incorporating app risk mitigation solutions to protect their applications. Risk mitigation approaches discussed will include how to incorporate processes that harden an app against binary-level integrity and reverse-engineering attacks launched at rest and run-time. 

Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. The frequency of release for the mobile application is significantly higher than the web application. It is imperative to scan these applications before loading and launching for different platforms. 

Amongst the mobile attacks described in OWASP Mobile Top 10 project, Local storage being the key attack which affects the security and privacy of the user. Need for an hour is to have automated program to penetrate local storage in most widely used mobile platform (android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file system. On the iOS, one needs to use jailbreak device to attack local storage. Along with presentation, new version of the free tools (Separate for android and iOS) will be released. Android tool uses API to monitor android file system where iOS tool relies on OS features. Methodology to perform application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms along with defense strategies.

Mobile development is one of the largest growth areas in all of software. The last decade has seen an explosion of mobile devices, operating systems, development environments, libraries, toolkits and app stores. Organizations are racing to construct mobile applications that harness the power of the mobile paradigm. 

However, like in the early days of web development, security may be being overlooked or under-emphasized. In this talk, we will go through the array of mobile platforms available to developers, and discuss common security concerns that all platforms have in common. The talk will focuses on securing sensitive data on the phone, proper use of encryption, and proper use of TLS, along with several other security areas critical to writing secure mobile applications. A discussion of hybrid web apps, using frameworks like PhoneGap and the security concerns there, will also be discussed in detail. 

Participants will gain an understanding of the key differences between web and mobile security, and learn what they must do to ensure they are architecting and constructing secure mobile applications. 

"Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Space Rogue) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.

During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake. 

This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.

As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment. 

A new concept of Test Driven Security, which is loosely based on the tenants of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? 

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. 

In this talk we explore the vulnerabilities behind Javascript, including: 
• A new class of vulnerabilities unique only to JavaScript 
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code 
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities 

In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site. 

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile). 

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox. 

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT. 

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature. 

This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications. 

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative. 

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems. 

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production. 

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today.