
The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experience about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Terrace Lounge
Sunday, January 28
 

9:00am PST

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 1 of 2]
Please note: Training Sessions are not included in the Conference price. Sign up now! Check for availability and pricing on Eventbrite.


Course Abstract:
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. This course provides web developers with deep hands-on knowledge of the OWASP Top 10 most critical web application security risks.
Participants will first learn the technical details of each vulnerability. Demos, attack examples, threat modeling discussions, code review and other methods will be used to describe and discuss each risk.
Participants taking the class will practice security assessment techniques through several hands-on exercises using the free version of Burp Proxy and a safe online hacking environment. We focus on the manual assessment techniques of this popular tool.
The majority of the course will focus on defensive theory. Hacking a web application, as we will find out, is not a difficult task for an experienced web developer armed with the right knowledge. However, defending a web application is difficult and complex work. Mastering web defense is the primary thrust of this course.
Course Objectives:
- Understand how hackers attack web applications in order to better defend them
- Learn how to test your own web application
- Learn which security safeguards are truly effective (and which ones are not)
- Understand secure coding best practices
Training Outline:
1. OWASP Top 10 web app vulnerabilities:
    A1 - Injection (Command Injection, SQL Injection)
    A2 - Broken Authentication
    A3 - Sensitive Data Exposure
    A4 - XML External Entities (XXE)
    A5 - Broken Access Control
    A6 - Security Misconfiguration
    A7 - Cross-Site Scripting (XSS)
    A8 - Insecure Deserialization
    A9 - Using Components with Known Vulnerabilities
    A10 - Insufficient Logging and Monitoring
2. Password Management
3. Secure Coding Best Practices
4. HTTPS Best Practices
5. Using a Vulnerability Proxy
… and much more!
Hands-on Exercises:
1. Input Validation
2. Cross Site Scripting Filter Bypass
3. Online Password Guessing Attack
4. Account Harvesting
5. Injection Attacks
6. Using a Web Application Vulnerability Proxy
… and much more!
Upon the completion of this training, attendees will know:
- Most critical web application vulnerabilities
- Secure coding best practices
- How to use common security assessment tools
Attendees will be provided with (by trainer):
- The slides in raw PPT format
- Access to the online lab environment during and after class
- A “cheat mode” that reveals all answers will be enabled after class
Attendees should bring:
Participants are required to bring a laptop (Windows, Mac or Linux) with at least 4 GB of RAM, 30 GB of free disk space and either VMware Workstation Player (free 30-day trial), VMware Workstation Pro, VMware Fusion or Oracle VirtualBox pre-installed. At the beginning of the course, participants will receive a USB thumb drive containing a pre-configured virtual machine.
Prerequisites for attendees:
This course is designed to help intermediate and expert web developers and web architects understand how to secure web applications. Candidates are expected to have basic knowledge of web technologies, but no experience in security is required prior to taking this course. However, security professionals who want to learn more about web security will also benefit from this class.

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...


Sunday January 28, 2018 9:00am - 5:00pm PST
Terrace Lounge
 
Monday, January 29
 

8:30am PST

New OWASP Top 10 - Exploitation and Effective Safeguards [Day 2 of 2]
Day 2 continues the course described under Day 1 above (same abstract, outline, exercises and requirements).

Speakers

Jim Manico

Founder, Manicode Security


Monday January 29, 2018 8:30am - 4:30pm PST
Terrace Lounge
 
Tuesday, January 30
 

10:45am PST

The Only Reason Security Really Matters for DevOps
Abstract :
This talk begins by exploring the answer to the question: why does DevOps matter? Businesses do what they need to do to survive and succeed. If their customers need agility, then they will evolve to accommodate that.

Next, key differences between the pre-DevOps world and the post-DevOps world are discussed. Before, it was about on-premises systems, protecting the perimeter, and enforcing gates in the SDLC. Now, the supply chain is king. Applications and APIs matter more and more. And everything is mobile.

A detailed look at 10 companies "killing it at DevOps" reveals that for agile companies, security is a strategic business driver. It prevents unplanned work and re-work, and security requirements are explicitly specified during the sales process as part of vendor security assessments.

Additional drivers also include avoiding bad press and compliance reasons - both of which, if you look under the covers, are ultimately about getting more sales. This presentation analyzes the actual language in Bill Gates' Trustworthy Computing memo to see that in fact even Microsoft's "noble" initiative was "all about the money."

That being said, what's a security professional to do? BSIMM has 113 controls, ISO27017 has 121, and CCM has 133. It's enough to make a person's brain explode.

This session concludes with expert recommendations on how to think about security for DevOps in a way that aligns with a modified version of the NIST Cybersecurity Framework. The 5 points (Identify, Prevent, Detect, Respond, and Recover) are simplified down to just 3 (Identify, Prevent, and React) and the end of the session covers detailed recommendations on how to incorporate practical security concepts into a DevOps environment using this uncomplicated framework.



Speakers

Caroline Wong

Vice President of Security Strategy, Cobalt
Caroline’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager, and day-to-day leadership roles at eBay and Zynga. She is a well known thought leader on the topic of security metrics and has been featured...



Tuesday January 30, 2018 10:45am - 11:35am PST
Terrace Lounge

11:45am PST

Robots with Pentest Recipes - Democratizing Security Testing Pipelines for DevOps Wins
Abstract :
Application Security (AppSec) teams are usually short-staffed. While this is no surprise in itself, there is now the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of the myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams, including QA, Engineering and Infrastructure (Security) teams. However, this presents a problem, largely because the tools used by AppSec teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools, ranging from application vulnerability scanners to recon tools, that are used by security teams, pentest teams and so on and that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests, from baseline application security testing to pre-deployment infrastructure vulnerability assessments, across various environments, and, what’s better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams being able to author security testing pipelines themselves with limited involvement from an already-stretched AppSec team. That’s what this talk is all about….

Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap and Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible keyword-driven syntax that can be extended with test libraries implemented in Python or Java. We have developed open source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked alongside existing libraries like Selenium to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like

`run nmap scan` OR `start zap active scan`

thereby making it easier for engineering teams to create “recipes” of the security tests they want to run and to integrate them with functional test automation, running anything from a baseline scan to a complete parameterized security test of the application on various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, complete with recon, mapping and vulnerability discovery phases, with evidence collection and reporting built in.

I'll be making most of the code available on GitHub for the community to use.



Speakers

Abhay Bhargav

Founder, we45
Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron”, a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering...



Tuesday January 30, 2018 11:45am - 12:35pm PST
Terrace Lounge

2:00pm PST

The Path Of DevOps Enlightenment For InfoSec
Abstract
Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.

Speakers

James Wickett

Signal Sciences


Tuesday January 30, 2018 2:00pm - 2:50pm PST
Terrace Lounge

3:00pm PST

OWASP Top 10
Speakers

Andrew van der Stock

Director, OWASP Foundation
Andrew is an in-demand speaker and trainer, with past speaking engagements at AusCERT, linux.conf.au, Black Hat, OWASP AppSec EU and AppSec USA, and has trained many thousands of developers and information security professionals through public and private training offerings. Andrew van der Stock is an acknowledged leader of the application security field, with nearly 20 years of application sec...


Tuesday January 30, 2018 3:00pm - 3:50pm PST
Terrace Lounge

4:20pm PST

Costs of Coding to Compliance
Abstract
The problem with most compliance, such as PCI, is that when you manage a project, design, or code only to the line of compliance, there are going to be security gaps. When you have gaps, your risk gets higher, and it becomes more costly to fill those gaps later.
This talk will describe the requirements of some compliance frameworks and the gaps that can occur when you’re following the bare minimum secure coding practices that they require. The presenters will also give suggestions on how to address these gaps and how to plan for future risk as your applications and dependencies grow and requirements change.
The approach will look at prioritizing security initiatives to better manage risk as they pertain to application security and create more efficient processes as they relate to software development. Together, these will increase the ability to prevent, detect, and respond to security events that threaten your apps while supporting compliance initiatives.
At the end of the presentation attendees will have a good understanding of how a more mature security posture and implementing a framework that also allows you to follow secure coding practices can help harden even your more robust applications, as well as address compliance requirements for application security.

Speakers

Joel Cardella

Consultant, CBI
Joel Cardella has over 25 years of experience in information security, having run the gamut from CISO to field operations. He currently is a consultant with CBI, helping C-suite executives better understand and interact with information security topics spanning building and running...

Magen Wu

Senior Consultant, Rapid7
Magen Wu has over 10 years of specialized IT experience and is a Sr. Consultant with Rapid7's Strategic Advisory Service group. In her career, she has consulted with organizations in multiple industries including state and local government, education, retail, technology, and healthcare...



Tuesday January 30, 2018 4:20pm - 5:10pm PST
Terrace Lounge
 
Wednesday, January 31
 

10:30am PST

Taking on the King: Killing Injection Vulnerabilities
Abstract:
How do we dismantle the reign of dangerous and prevalent vulnerabilities? "Injection" has crowned the OWASP Top 10 since 2010, while cross-site scripting (a type of injection) has maintained placement in the top four since 2003. If these two vulnerabilities are well-understood, well-documented, and have "clear" solutions, why have they remained on the OWASP Top 10 for nearly 15 years? Let's take a step back to examine what causes injection (and XSS) vulnerabilities and potential plans for their dethronement.

Speakers

Justin Collins

CEO, Brakeman, Inc.
Justin has been an application security engineer at SurveyMonkey, Twitter, and AT&T Interactive, and is the primary author of Brakeman, an open source static analysis security tool for Ruby on Rails.



Wednesday January 31, 2018 10:30am - 11:20am PST
Terrace Lounge

11:30am PST

Hunter – Optimize your Pentesters' Time
Abstract: Is your pentest report filled with low risk items? Are the projects that you pentest too short for a full-fledged secure SDLC process, or are they third party systems that you have little control over? We at eBay had a similar problem, wherein more than 25% of our pentesting resources used to get bogged down by these low risk items. We understand that it takes time to find, document and report these items (some of which get entangled in a never ending remediation cycle).
So we built Hunter to help us get ahead of some of these time sinks. Hunter is a simple open source tool that grades any website or REST endpoint. It quickly checks for certain low risk items and provides the requester with a grade (A – F). You can use Hunter as a precursor to your pentest. Non-security product development managers don’t understand security jargon, but they love to see a grade A on their product. The use of Hunter sits between doing nothing before a pentest and a full-fledged secure SDLC process that might be overkill.
This talk is about our journey of why we built Hunter and how we saved about 10 – 15% of our pentesting budget. This talk is aimed at managers and pentesters who want to optimize their team’s resources, and attendees will walk away with the knowledge of how they can leverage this open source tool.

Speakers

Kiran Shirali

Senior Security Engineer, eBay
Kiran Shirali is a Senior Security Engineer in eBay’s blue team. Prior to joining the blue team, Kiran worked on the Security Assessments Team (Red Team and Pentesting) and Application Security team at eBay. When he is not at work, he is at home scouring the web finding security...


Wednesday January 31, 2018 11:30am - 12:20pm PST
Terrace Lounge

2:00pm PST

Where, how, and why is SSL traffic on mobile getting intercepted? A look at ten million real-world SSL incidents
Abstract :
Over the last two years, we've received and analyzed more than ten million SSL validation failure reports from more than a thousand iOS and Android apps available on the app stores and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.

We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.

First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.

Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.

Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.

Speakers

Alban Diquet

Head of Engineering, Data Theorem
Alban Diquet is Head of Engineering at Data Theorem, a cloud-enabled scanning service for mobile application security and data privacy. Alban's research focuses on security protocols, data privacy, and mobile security. Alban has released several open-source security tools including...



Wednesday January 31, 2018 2:00pm - 2:50pm PST
Terrace Lounge

3:00pm PST

Unpoisoned Fruit: Seeding Trust into a Growing World of Algorithmic Warfare
Abstract
Artificial Intelligence, or even just Machine Learning for those who prefer organic, is influencing nearly all aspects of modern digital life. Whether it be financial, health, education, energy, transit... the emphasis on performance gains and cost reduction has driven the delegation of human tasks to non-human agents. Yet who in infosec today can prove agents worthy of trust? Unbridled technology advances, as we have repeatedly learned in history, bring very serious risks of accelerated and expanded humanitarian disasters. The infosec industry has been slow to address the social inequalities and conflict that escalate on the technical platforms under their watch; we must stop those who would ply vulnerabilities in big data systems, those who strive for quick political (arguably non-humanitarian) power wins. It is in this context that algorithm security increasingly becomes synonymous with security professionals working to avert, or as necessary helping win, kinetic conflicts instigated by digital exploits. This presentation therefore takes the audience through technical details of defensive concepts in algorithmic warfare based on an illuminating history of international relations. It aims to show how and why to seed security now into big data technology rather than wait to unpoison its fruit.

Speakers

Davi Ottenheimer

Flyingpenguin LLC
More than twenty years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. Co-author of the book “Securing the Virtual Environment: How to Defend the Enterprise Against Attack,” published in May...



Wednesday January 31, 2018 3:00pm - 3:50pm PST
Terrace Lounge
 