AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days


LAB109
Monday, June 23
 

09:00 BST

Training room 7 - TLS/SSL in Practice
SSL/TLS as used today has more and more problems, and it is difficult to understand what the root causes of these problems are, and how to detect and finally avoid or fix them.

This training will give a brief introduction to SSL: how it works in general, what problems are known with the protocol and the PKI it uses, and the known vulnerabilities including potential attacks; it will also provide tools to check for these issues. The main focus will be on SSL as used in HTTPS. Other usages, e.g. SSL for SMTP, form only a small part. As a round-up there will be recommendations on how to configure SSL securely.

Topics

The course will be a hands-on training showing by example how to check the established SSL connection (including ciphers) to a web server and how to analyse the provided certificate. A large number of tools will be explained, and it will be demonstrated how these tools can be used to detect weaknesses in the SSL connection and the like.

The tools explained include, for example: openssl, sslaudit, sslscan, ssltest.pl, o-saft, and some more, as well as some online checking tools like ssllabs.com. We show what these tools are useful for, what they can do and what they cannot.

Finally we show how the OWASP tool o-saft can be used to cover most of the previously shown techniques and how to use its advanced features like:

  • checking for special SSL settings
  • checking multiple servers at a time
  • customizing the results
  • using private SSL libraries
  • customizing o-saft itself
  • or simple debugging of various SSL connection problems.


The purpose of this course is to provide the participants with a tool set for checking SSL and to teach them how and when to use which tool.

The course is intended to teach builders and defenders how to analyse SSL from a client-side view, in particular what an auditor or penetration tester does. It will not go into the details of fuzzing or even breaking SSL, such as with sslsniff, ssltrap and the like, or exploiting vulnerabilities. Instead it should give developers an idea of how to use SSL securely and give system architects, administrators or operational people hints on how to set up and configure SSL in a properly secure way.



Technical Requirements

The participants should bring their own laptop with any operating system (Linux is recommended) and at least the following tools installed:

  • openssl (1.0.1e or newer)
  • perl (5.8 or newer); on Windows systems Strawberry Perl is recommended
  • Net::SSLeay (1.53 or newer), IO::Socket::SSL (1.37 or newer)
  • python (2.7), optional

Optionally, for smooth testing, a local SSL-enabled web server should be running on the laptop.

 

Others

All other tools used are open source and available during the course. The participants are responsible on their own for accepting and following the license rules of each tool.



Speakers

Achim Hoffmann

Starting with Linux/network security in the nineties, Achim Hoffmann has been working in web application security for more than 12 years. While working as a developer for web applications for several years, he started concentrating on web application security as a major subject in...


Monday June 23, 2014 09:00 - 13:00 BST
LAB109

14:00 BST

Training room 7 - TLS/SSL in Practice

Speakers

Achim Hoffmann

Monday June 23, 2014 14:00 - 18:00 BST
LAB109
 
Tuesday, June 24
 

09:00 BST

Training room 7 - Defensive Programming in PHP
This course explores measures that developers can take both from a coding and configuration perspective to secure their PHP applications.

PHP is a powerful and versatile web development platform that is widely used throughout the industry. PHP applications are generally affected by most of the same risks that affect web applications written in other languages. Although it has a lot in common with other web platforms, there are specific aspects of PHP that set it apart from the other technologies. This is also true from a risk perspective. Some PHP risks are unique or amplified by the platform.

This course highlights the features and specifics of the platform that can potentially introduce risks including (but not limited to) unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. Once PHP features and risks are understood by the student, this course builds upon this knowledge and teaches a set of defensive programming techniques that can be followed to create secure PHP applications including in the areas of file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks.

This course is structured into modules that cover the areas of concentration for defensive programming for the PHP platform and includes code analysis and remediation exercises. The high-level topics for this course are:

  • PHP Platform Security
  • The PHP Application Risk Landscape
  • Secure Design Principles
  • Defensive Programming Techniques in PHP
  • Secure PHP Architecture and Configuration



Objectives

After successfully completing this course, students will:

  • Comprehend the PHP Platform
  • Appreciate the Risks Affecting PHP Applications
  • Write Secure Web Applications Using PHP
  • Design and Architect Secure PHP Applications
  • Configure Your PHP Applications Securely


Labs and Demonstrations

If students bring their own laptops with VirtualBox software installed, they can install an Ubuntu VM (provided by the instructor) with a vulnerable PHP application on it and participate in two interactive lab sessions. There are also two interactive demonstrations during which the PHP application is exploited to show directory traversal, information leakage, and SQL injection. The labs are not compulsory to get the full value of the course.

Speakers

Paco Hope

Principal Consultant, Cigital
Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for over 12 years. The oldest PHP code he could find on his systems was dated 3 November 1999. Paco helps clients...


Tuesday June 24, 2014 09:00 - 13:00 BST
LAB109

14:00 BST

Training room 7 - Defensive Programming in PHP

Speakers

Paco Hope

Principal Consultant, Cigital


Tuesday June 24, 2014 14:00 - 18:00 BST
LAB109
 
Thursday, June 26
 

10:25 BST

Chapter Leader Workshop 1
Join our newly appointed Community Manager, GK Southwick, as she talks you through the various concerns and questions you have regarding running your chapters. As the questions posed so far have been wide and varied, this will be an open format conversation, so bring your best and most baffling to the table and what GK can't answer straight, we'll discuss in the round.
Please bring your laptops, so we can walk through various steps and pages of the Wiki together, to ensure that everything is as clear as it can be.

Thursday June 26, 2014 10:25 - 11:15 BST
LAB109

11:15 BST

Chapter Leader Workshop 2

Thursday June 26, 2014 11:15 - 12:05 BST
LAB109

12:05 BST

Chapter Leader Workshop 3

Thursday June 26, 2014 12:05 - 12:50 BST
LAB109

14:05 BST

Project Leader Workshop
The Project Leader Workshop is a two-hour event activity that brings together current and potential OWASP project leaders to discuss project-related issues and topics. The Project Leader Workshop is an optional event activity for our leaders that takes on a presentation and discussion format. It is an interactive tool used to bring together project leaders from across the globe in an effort to have participants share valuable insights and recommendations with their fellow members.

Leaders can expect to learn more about the OWASP Projects Infrastructure, the benefits of having an OWASP Project, and how they can leverage the infrastructure to help promote their project to the community and beyond. OWASP Project Leader Simon Bennetts will lead the session.

Please check attached file for location (MAP FLOOR) 

Moderators

Johanna Curiel

Security Engineer and Researcher, Mobiquity
Johanna Curiel is a security engineer and researcher with 18 years of experience in programming, testing and quality control. Her early encounters with hackers and cybercrime were a turning point in her career to work in the area of cyber security. Between 2005 and 2007, she worked as...

Speakers

Simon Bennetts

ZAP Project Lead, Jit
Simon Bennetts is the OWASP Zed Attack Proxy (ZAP) Founder and Project Leader, and a Distinguished Engineer at Jit. He has talked about and demonstrated ZAP at conferences all over the world, including Blackhat, JavaOne, FOSDEM and OWASP AppSec EU, USA & AsiaPac. Prior to making the...



Thursday June 26, 2014 14:05 - 16:10 BST
LAB109