AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
LAB002 [clear filter]
Wednesday, June 25

11:00 BST

eXtend Security on Xcode
The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached 1,000,000 as of October 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations. 

We believe that adding an automated security measure into the Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode.

During the coding phase, developers will be able to automatically spot general security issues in iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share the difficulties and problems we faced and how we overcame them during our research.

avatar for Tokuji Akamine

Tokuji Akamine

Lead Security Engineer, Rakuten, Inc.
Tokuji Akamine is a Lead Security Engineer at Rakuten, where he conducts security testing, security training and security research. Before joining Rakuten, he was a senior security consultant at Symantec and provided application security consulting to a variety of enterprise customers... Read More →
avatar for Raymund Pedraita

Raymund Pedraita

Senior Security Engineer, Rakuten, Inc.
Raymund does security audit for web, network and mobile apps. Started his involvement with security when he joined Fourteenforty Research Institute in 2008, doing research and developing security solutions and tools. For almost 9 years he was developing applications for Windows and... Read More →

Wednesday June 25, 2014 11:00 - 11:50 BST

11:50 BST

Intent on Being a Good Android Citizen?
Has Android achieved the impossible? Do intents enable interprocess communications and inter-process collaboration that is actually securable? The answer, as in many platforms, is a definite ‘maybe’. Firstly, intents invite "new" attacks - attacks more traditionally associated with distributed systems - such as spoofing, hijacking, out of order execution and theft of data. Secondly, all is not always as it seems. Like so many things in in life, it is possible to do things right and still get it wrong. Securing intents properly requires a defensive approach of some old techniques plus an added step of validating some assumptions. This talk is aimed mainly at app developers - learn how intents work under the hood, how to secure your intents and how to secure your assumptions to achieve your goal of secure apps. 

avatar for Andrew Lee-Thorp

Andrew Lee-Thorp

Senior Consultant, Cigital
Andrew Lee-Thorp is a security consultant with over 10 years of experience cutting his teeth in development from smart cards through to high-end servers systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android... Read More →

Wednesday June 25, 2014 11:50 - 12:35 BST

13:50 BST

OWASP Mobile Top Ten 2014 – The New “Lack of Binary Protection” Category
Recently, there has been a new addition to the OWASP Mobile Top Ten; a lack of binary protections. At AppSec California, OWASP debuted it and briefly highlighted examples of the threats to mobile devices in this category. In this talk I will discuss the new category in much more depth, exploring reasons why this risk category has now been included in OWASP’s Top Ten Mobile Security Risks.

In 2013, consumers downloaded more than 83 billion applications from app stores worldwide, with revenues totalling $25 billion. According to Portio research, this is expected to grow to over 200 billion downloads per year by 2017. It is clear that the App Economy is not only thriving, but is driving new app-centric products and services across multiple industries and with the continued adoption of mobile computing, the threats to mobile and applications is continuing to grow.

Based on research conducted by Arxan, we found that over half of the top 100 iOS apps had been hacked or tampered with and made available for download on third party app stores. This included 53 percent of Android, and 23 percent of mobile banking and payment applications.

The talk will specifically highlight the risks that a lack of binary protections poses to mobile applications on both iOS and Android platforms. The speaker will discuss how to leverage specific OWASP projects to solve these issues and secure apps from tampering. By the end of the talk, attendees will have a solid understanding of the risks associated with lack of binary protections and how to begin thinking about incorporating app risk mitigation solutions to protect their applications. Risk mitigation approaches discussed will include how to incorporate processes that harden an app against binary-level integrity and reverse-engineering attacks launched at rest and run-time. 

avatar for Jonathan Carter

Jonathan Carter

Application Security Strategist, Lending Club
Jonathan Carter is an application security professional with over 15 years of security expertise within Canada, United States, Australia, and England.  As a Software Engineer, Jonathan produced software for online gaming systems, payment gateways, SMS messaging gateways, and other... Read More →

Wednesday June 25, 2014 13:50 - 14:40 BST

14:40 BST

Smart Storage Scanning for Mobile Apps - Attacks and Exploit
Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. The frequency of release for the mobile application is significantly higher than the web application. It is imperative to scan these applications before loading and launching for different platforms. 

Amongst the mobile attacks described in OWASP Mobile Top 10 project, Local storage being the key attack which affects the security and privacy of the user. Need for an hour is to have automated program to penetrate local storage in most widely used mobile platform (android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file system. On the iOS, one needs to use jailbreak device to attack local storage. Along with presentation, new version of the free tools (Separate for android and iOS) will be released. Android tool uses API to monitor android file system where iOS tool relies on OS features. Methodology to perform application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms along with defense strategies.

avatar for Hemil Shah

Hemil Shah

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides Professional services in Security Arena. He has worked with HBO, KPMG, IL&FS and Net-Square in security space. He has published several advisories, tools, and Whitepapers, and has... Read More →

Wednesday June 25, 2014 14:40 - 15:30 BST

15:55 BST

Getting a Handle on Mobile Security
Mobile development is one of the largest growth areas in all of software. The last decade has seen an explosion of mobile devices, operating systems, development environments, libraries, toolkits and app stores. Organizations are racing to construct mobile applications that harness the power of the mobile paradigm. 

However, like in the early days of web development, security may be being overlooked or under-emphasized. In this talk, we will go through the array of mobile platforms available to developers, and discuss common security concerns that all platforms have in common. The talk will focuses on securing sensitive data on the phone, proper use of encryption, and proper use of TLS, along with several other security areas critical to writing secure mobile applications. A discussion of hybrid web apps, using frameworks like PhoneGap and the security concerns there, will also be discussed in detail. 

Participants will gain an understanding of the key differences between web and mobile security, and learn what they must do to ensure they are architecting and constructing secure mobile applications. 

avatar for Jerry Hoff

Jerry Hoff

VP, Static Code Analysis Division, WhiteHat Security
Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of fortune ten financial firms, along with years of hands-on security consulting, where... Read More →

Wednesday June 25, 2014 15:55 - 16:45 BST

16:45 BST

Wait, Wait! Don't pwn Me!
"Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Space Rogue) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.

During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake. 

This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.

avatar for Mark Miller

Mark Miller

Senior Storyteller and DevSecOps Advocate, Sonatype
Mark is the co-founder of the "All Day DevOps" live online conference.As part of his community engagement initiatives, he is the Editor-in-Chief of the LinkedIn DevOps Group(65K+ members), Executive Producer of the DevSecOps Days Podcast Series (260,000+ listens), and Producer of... Read More →

Wednesday June 25, 2014 16:45 - 17:35 BST
Thursday, June 26

10:25 BST

DevOps, CI, APIs, Oh My!: Security Gone Agile
As the world of system and application deployment continues to change, the sys admins and security community are having to change with it. With agile development, continuous deployment, the pace of change in IT has only increased. After adding in Dev/Ops and cloud, the traditional sys admin and security processes just don’t work anymore. How can you rapidly deliver servers and applications while making sure they are built reliably and securely. When you are deploying multiple times a day, there is no time to fit in your traditional week long security assessment. 

A new concept of Test Driven Security, which is loosely based on the tenants of Test Driven Development, is beginning to emerge in the application security community. This talk will cover how Matt is putting the practices in place currently at Rackspace and how you can architect your security work to be agile enough to keep up with the pace of change today. The talk will cover agile methods for securing infrastructure, apps & APIs and source code. Even if you are not there today, you will be soon enough. Its time to embrace the change and say "Challenge Accepted".

avatar for Matt Tesauro

Matt Tesauro

Senior AppSec Engineer, Duo Security
Matt Tesauro is currently a Senior AppSec Engineer building an AppSec Pipeline and continuous security program for Duo Security.  Prior, he worked full-time for the OWASP Foundation, adding automation and awesome to OWASP projects as the Operations Director. Previously, he was... Read More →

Thursday June 26, 2014 10:25 - 11:15 BST

11:15 BST

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? 

Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal. 

In this talk we explore the vulnerabilities behind Javascript, including: 
• A new class of vulnerabilities unique only to JavaScript 
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code 
• HTML5 is considered the NG-Javascript. In turn, HTML5 introduces a new set of vulnerabilities 

avatar for Maty Siman

Maty Siman

Founder and CTO, Checkmarx
Maty is the CTO and founder of Checkmarx. Maty has more than a decade of experience in software development, IT security and source-code analysis. Prior to founding Checkmarx, Maty worked for two years at the Israeli Prime Minister’s Office as a senior IT security expert and project... Read More →

Thursday June 26, 2014 11:15 - 12:05 BST

12:05 BST

25 Million Flows Later – Large-scale Detection of DOM-based XSS
In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues.

In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9,6% of the examined sites carry at least one DOM- based XSS problem.

avatar for Martin Johns

Martin Johns

Research Expert, SAP SE
Dr. Martin Johns is a Research Expert in the Product Security Research unit within SAP SE, where he leads the Web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the... Read More →

Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security.  Thereby, he mainly focuses on client-side Web attacks such as Cross-Site Scripting, ClickJacking, DNS-Rebinding, Cross-Site Request Forgery, etc.  He... Read More →

Thursday June 26, 2014 12:05 - 12:50 BST

13:50 BST

Metro down the Tube. Security Testing Windows Store Apps
This presentation will cover “Metro”, “Modern” or (more correctly) “Windows Store” Apps and how to perform security reviews on them. Like it or not, this is the direction Microsoft are going in, and it seems likely that this style of centrally controlled, sandboxed application is the future for at least some types of Windows programs. The focus of the talk will be Store Apps developed in HTML and JavaScript (although other types of app will be mentioned). I will explain what a Store App is, and how it differs from a normal Windows application, and also from a web site. 

In the first section I cover the architecture and theory of Store apps. I go over the different types of development frameworks which can be used to create them, and how they get from a developer’s PC to the Windows Store, including what Microsoft do (and don’t do) as far as security testing is concerned. I’ll also compare and contrast this type of apps with ones from other architectures (Win32 and mobile). 

The second section of the presentation then explains (and shows) how to set up an environment (Windows 8.1, a web proxy of choice and Visual Studio) to test a Store application – there are some tricks to this which are not well publicised. I’ll point out where apps are stored, how you get access to them, and how to go about testing them including code review examples (focusing on secure and insecure JavaScript). I’ll show the use of a web service in an app and how this technology can present a security hole in the app sandbox. 

In conclusion I will make some comments on where the move to a Store based system in the Windows environment (over 90% of PC class devices) is taking us from a security perspective, and how this fits (in my opinion) with the future development of Windows Phone and RT. 

The presentation as a whole gives an introduction to an area of application testing which is not well known but is likely to become more critical as time advances and the Store system becomes more mature. 

avatar for Marion Mccune

Marion Mccune

Director, ScotSTS Ltd
I'm a director of a small security consultancy specializing in testing Web Applications. My specific fields of interest are ASP.NET, Store Apps and WP8. I live in rural Argyll with my partner Rory, two cats, three Surfaces and a visiting pine marten.

Thursday June 26, 2014 13:50 - 14:40 BST

14:40 BST

Can Application Security Training Make Developers Build Less Vulnerable Code?
This presentation shares the results of a yearlong survey of nearly 600 software developers that captures their knowledge of application security before and after formal training. The survey queries developers from various backgrounds and industries, to better understand their exposure to secure development concepts and to capture a baseline for post-training improvements.

The session also includes the results of a "retest" of a subset of respondents, to identify how much security knowledge they retained after a specific length of time. The results were surprising, and include information every application risk manager should know, particularly those who rely on training as part of an application security strategy.

avatar for John Dickson

John Dickson

VP, Coalfire
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group... Read More →

Thursday June 26, 2014 14:40 - 15:30 BST

16:00 BST

Automatic Detection of Inadequate Authorization Checks in Web Applications
Gaps in the enforcement of access control policy of a software system can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. We describe a novel technique to automatically detect missing and inconsistent authorization checks in web applications with static analysis and conclude with empirical results of using our approach on real-world applications. 

The concept of granting different users different privileges dates back to early software systems. Gaps in the enforcement of access control policies can lead to privilege escalation, allowing unauthorized access to sensitive resources and operations. As software becomes more ubiquitous and is used for tasks ranging from shopping to scheduling doctor’s appointments, providing bulletproof access control remains an imperative. 

Correct placement of authorization checks is a non-trivial task for developers that requires intimate knowledge of the system, its users, and their roles. These challenges are evidenced by the fact that missing authorization checks—like the one that allowed Bloomberg News to leak NetApps’s earnings results in 2010—are still among the most widespread and impactful vulnerabilities. Manually weeding out access control violations is cumbersome and requires a lot of expertise. Existing automated techniques are also inadequate and require either substantial human intervention or are effective only on very targeted code bases, such as operating systems. 

This talk focuses on ensuring well-placed authorization checks in web applications. We discuss different ways access control requirements are specified in web applications, including configuration- and annotation-based approaches. Next, we describe a novel technique to automatically detect missing and inconsistent authorization checks. Our approach lets us detect missing checks statically rather than at runtime and allows us to provide remediation suggestions that allow developers to fix code before it goes to production. 

We conclude with empirical results of our successful application of this approach to a number of real-world web applications. We discuss the classes of issues we found and review specific examples to shed light on the kinds of authorization mistakes developers are making today. 

avatar for Alvaro Muñoz

Alvaro Muñoz

Software Security Researcher, HP

Thursday June 26, 2014 16:00 - 16:50 BST
Filter sessions
Apply filters to sessions.