AppSec US 2018 (Please, make sure you register to attend): Full Schedule

Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA

8:00am PDT

Registration Desk

Someone will be available for questions at the registration desk and walk-in registrations

Monday October 8, 2018 8:00am - 5:00pm PDT
Market St Foyer

Market Street Foyer

9:00am PDT

1-day training: Building an AppSec Program with OWASP

Limited Capacity filling up

Explore the OWASP universe and how to build an application security program with a budget of $0. Experience a practitioner's guide for how to take the most famous OWASP projects and meld them together into a working program. Projects are broken down into awareness/process/tools, with an explanation of the human resources required to make this successful.

This course is a mix of lecture and hands-on activities to put OWASP projects to use to build a successful and inexpensive AppSec program. The course covers seventeen different OWASP projects, so most will be covered in a lecture and tabletop exercise format. Select projects will be explored using hands-on exercises. Participants will work in small groups throughout the course to facilitate peer to peer learning and sharing of experiences.

Speakers

Chris Romeo

CEO, Kerr Ventures

Chris Romeo is a leading voice and thinker in application security, threat modeling, security champions, and the CEO of Kerr Ventures. Chris hosts the award-winning “Application Security Podcast” and “The Security Table” and is a highly rated industry speaker and trainer... Read More →

Monday October 8, 2018 9:00am - 5:00pm PDT
Piedmont

Piedmont

9:00am PDT

1-day training: Machine Learning for Cyber Security Experts

This is a zero to hero course. We will start with no (or little) knowledge about machine learning and end the day with creating our custom APT detection that matches commercial grade tools.

Along the way, we will look at different types of machine learning, explore their limitations, and discuss typical problems. We will answer relevant questions, like how to identify that the machine has really learned something useful, how to deal with resource constraints, perform feature selection, and how to fine tune towards our goal.

The whole course is filled with real-world applications: After playing with artificial data, we will create a classifier for a polymorphic malware family, and end the day with your own threat prevention AI that uses features from ClamAV.

Speakers

Felix Leder

Symantec

Do you share a passion about IT security? Do you like playing cat and mouse? Do you enjoy working with the latest and greatest technology? Then let's catch up and tell about your exciting projects.If you want to have a break from the IT stuff and tell about your favorite hiking locations... Read More →

Monday October 8, 2018 9:00am - 5:00pm PDT
California

Valley

9:00am PDT

2-day training: Mobile Security Testing Guide - Hands on

Limited Capacity full

Course Abstract: 

Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS), and provides a baseline for complete and consistent security tests.   The proposed training is based on the Mobile Security Testing Guide (MSTG) and will offer hands-on exercises in the form of different iOS and Android Apps. They will demonstrate bad practices and current security best practices to avoid vulnerabilities and flaws within mobile Apps.

The goal of this course is to learn  the technical skills to execute a penetration test against iOS and Android mobile applications and utilise the Mobile Security Testing Guide (MSTG) as a baseline and comprehensive methodology during mobile security assessments.

Training Syllabus:
- iOS and Android security fundamentals
- Mobile Security Testing Environment Setup
- Overview of Mobile security vulnerabilities
- Hands-on testing on iOS and Android Apps
- Security best practices to mitigate Mobile security vulnerabilities
- Alternative iOS App testing without a jailbroken device
 - Reverse Engineering of iOS and Android Apps

Key areas of training:
- Static and Dynamic Analysis of iOS and Android Apps
- Local Data Storage 
- Communication with Trusted Endpoints 
- Authentication and Authorization 
- Client-side Security control bypass
- Advanced dynamic instrumentation use cases

 The following prerequisites need to be fulfilled by the participants in order to be able to execute and follow all exercises:
  - Laptop (> 4 GB Ram, 20GB of free disk space, working Wifi) with administrative access 
- Docker
- Latest Android Studio and SDK 
- Burp Suite Community Edition (Professional not needed)  
- An iOS device with at least iOS 9.0 (without jailbreak) is needed and need to be brought by the participant, this will not be provided by the trainer.

Speakers

Jinkun Ong

Senior Consultant, Vantage Point Security Pte Ltd

Jinkun is a security enthusiast with years of Penetration Testing experience and has conducted numerous Web, Mobile, and source code reviews assessments. He is currently a Senior Consultant for Vantage Point in Singapore.Besides holding a variety of widely recognized professional... Read More →

Sven Schleier

Managing Principal, Vantage Point Security Pte Ltd

Sven is an application security expert with over 8 years of hands-on experience in web and mobile penetration testing, network penetration testing and source code review and is leading the penetration testing team for Vantage Point in Singapore. He is an experienced Security Architect... Read More →

Monday October 8, 2018 9:00am - Tuesday October 9, 2018 5:00pm PDT
Atherton

Atherton

9:00am PDT

2-day training: Webservice and Web Application Secure Coding with the OWASP Top 10 and the OWASP ASVS

This 2-day class is an introduction to secure coding and application security for webservice and web application professionals. Any web developer, architect, security professional or other software development professional who needs to build and maintain secure webservice and web application software will benefit.The class begins with a hands-on CTF and series of hacking demonstrations to illustrate how webservices and web applications are attacked. The class will then continue with a combination of lecture, discussion, code review and group labs covering the following topics.

Speakers

Jim Manico

Founder, Manicode Security

Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like SemGrep, Nucleus Security, Defect Dojo, KSOC... Read More →

Monday October 8, 2018 9:00am - Tuesday October 9, 2018 5:00pm PDT
Belvedere

Belvedere

9:00am PDT

2-day training: Seth & Ken’s Excellent Adventures (in Code Review)

Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way way, and made them applicable for others who perform code reviews. We will share our methodology to perform analysis of any source code and suss out security flaws, no matter the size of the code base, or the framework, or the language.

You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Speakers

Ken Johnson

CTO & Co-Founder, DryRun Security

Ken Johnson has been hacking web applications professionally for 14 years and given security training for 11 of those years. Ken is both a breaker and builder and is the CTO & Co-Founder of DryRun Security. Previously, Ken was a Director with GitHub's Product Security Engineering... Read More →

Seth Law

President and Principal Security Consultant, Redpoint Security, Inc.

Seth Law is the President and Principal Consultant at Redpoint Security, Inc. (rdpt.io). During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and individual... Read More →

Monday October 8, 2018 9:00am - Tuesday October 9, 2018 5:00pm PDT
Hillsborough

Hillsborough

9:00am PDT

3-day training: Python Hacker Bootcamp: Zero to Hero

More and more security professionals have turned to scripting languages to automate tasks and complete work faster. If you've been wanting to learn Python and couldn't figure out how to start, or tried and can't get the hang of it this course will take you from zero to hero. This course was designed to follow a hacker's methodology of programming. Instead of learning formal programming practices that you'll never use, this course focuses on core concepts taught in recipe-like modules. Throughout the course, we will reuse and build on past modules to quickly complete more complex projects. Each module has lab time for continuous hands-on opportunity and practical application exercises.

The course is taught in phases with each phase containing multiple modules and hands-on labs which build on previous modules and phases.

Phase 1: Getting up to speed

Introduction and Environment Setup
Variables and data types
Decisions and loops
Functions, error handling, and imports

Phase 2: Data parsing and I/O

Parsing text files, CSV and XML
Handling networking connections and parsing pcaps
Multi-Threading vs Multi-Processing with Locks, Mutexes, and Semaphores

Phase 3: Advanced data manipulation

Building regex
Scraping the web
Handling JSON
Working with APIs

Phase 4: Practical Application Projects

Build a Pastebin scraping bot
Automate malicious domain discovery from PCAPs with VirusTotal
Generate meaningful reports with a custom log parser
Create a multithreaded port scanner

WHO SHOULD TAKE THIS COURSE
Anyone that wants to take their nonexistent or basic Python skills to the next level and create complex security projects that automate large or daunting tasks.

WHAT STUDENTS SHOULD BRING
A Windows 7 or 10 laptop with full administrative rights and WiFi network connectivity for downloading third-party libraries. Sublime Text and Jupyter Notebook will be the IDE used throughout the course.

WHAT STUDENTS WILL BE PROVIDED WITH
Students will be provided with:

A course book containing the slides from the course
A lab book
Cheat sheets
Thumbdrive containing sample code and software

Speakers

JC

Snowfensive

Perry Jones

Reverse Engineer/Software Engineer, Snowfensive

Perry Jones is an experienced information security researcher from Montreal, Canada with more than 10 years of experience. At a young age, Perry found his passion in the field of information security, and spent his spare time studying and reverse engineering malware, researching windows... Read More →

Monday October 8, 2018 9:00am - Wednesday October 10, 2018 5:00pm PDT
Cupertino

Cupertino

9:00am PDT

3-day training: Intro to Hacking Blockchain Applications and Smart Contracts

Limited Capacity seats available

As Blockchain platforms become more and more developed, many companies are beginning to investigate how this emerging technology might affect their business. In this three day course we dive deep into state of the art methodologies used when developing smart contracts for Blockchain enabled Decentralized Applications (DApps) using Web3 technology. We focus the training on the Ethereum Blockchain and the Solidity language, as these are currently the most used platforms for building decentralized applications.

The course will be a tutorial that guides participants through the Solidity programming language and its constructs so that students will be capable of developing these applications themselves and identifying the most common vulnerabilities on this platform.

Since the consequences of insecure smart contracts are so public and costly, often resulting in immediate theft of funds, we focus the course primarily on common vulnerabilities found in this platform and how to prevent them.

We will be using our custom Blockchain CTF platform for exercises and demos. With this platform, we have constructed a series of vulnerable smart contracts and DApps with real-life use cases, ranging from decentralized trust funds and open source lottery systems, to ICOs and automated royalty agreements. Each of these applications contain a vulnerability commonly found in smart contracts. Participants can practice exploiting these bugs to steal fake crypto-currencies and win points on a leaderboard.

This platform contains challenges that demonstrate many of the common vulnerabilities found in Solidity smart contracts, including the following:

- Reentrancy
- Integer Underflows/Overflows
- Predictable Randomness
- Insecure Authorization
- Unchecked Low Level Function Calls
- Denial of Service

Exploiting these vulnerabilities will require a deep understanding of the following concepts, all of which will be covered and demonstrated in this course.

* Identifying and avoiding client-side protections
* Communicating with smart contracts directly using a tool like MyEtherWallet
* Understanding and constructing an ABI
* Code reviewing Solidity projects for vulnerabilities
* Writing and deploying attack contracts written in Solidity on the test network

Speakers

Mick Ayzenberg

Senior Security Engineer, Security Innovation

Monday October 8, 2018 9:00am - Wednesday October 10, 2018 5:00pm PDT
Fairfield

Fairfield

9:00am PDT

3-day training: Hacking Your Organization (One step at a time)

Limited Capacity seats available

Hacking Your Organization (One step at a time) covers OWASP top 10 and the most commonly found vulnerabilities in web applications followed by a series of labs based on real life scenarios in bug bounties or pentests.

Speakers

Behrouz Sadeghipour

Monday October 8, 2018 9:00am - Wednesday October 10, 2018 5:00pm PDT
Glen Ellen

Glen Ellen Room

9:00am PDT

3-day training: Hands-on Secure Coding in Node.js

Limited Capacity seats available

This course provides essential practical knowledge to build secure and resilient Node.js applications. It starts with a brief primer on Node.js fundamentals, related Idiosyncrasies, and then flows into exploiting and fixing the most common web application vulnerabilities, identified as the top OWASP 10 risks, and beyond.
Topics covered include:

Node.js fundamentals
Security implications of JavaScript language constructs and Node.js specific Idiosyncrasies
Client-side attacks and mitigations
Building secure REST and GraphQL APIs
Building Authentication with JSON Web Tokens (JWT)
Securing data in transit and at rest
Eliminating Security Misconfiguration pitfalls
Common sources of Denial of Service attacks and mitigations
Securing against Components with known vulnerabilities
Logging & Monitoring
Preparing for the Production Environment
Security considerations for the Cloud and Serverless environment

During the course, participants will also gain valuable insights from the security mistakes frequently found in known Node package vulnerabilities.

This course includes a balanced combination of essential theory and hands-on lab exercises. With the practical knowledge gained during the class, participants can introduce a security culture into their teams and immediately improve the security posture of the Node applications they ship.

Speakers

Chetan Karande

Chetan Karande is a security researcher, speaker, and author of Securing Node Applications (O’Reilly). He is the project leader for the OWASP NodeGoat project and contributor to multiple open source projects.

Monday October 8, 2018 9:00am - Wednesday October 10, 2018 5:00pm PDT
Piedmont

Sacramento

10:30am PDT

Coffee Break

Monday October 8, 2018 10:30am - 11:00am PDT
Regency Ballroom

Regency Ballrooms

12:30pm PDT

Lunch

Monday October 8, 2018 12:30pm - 1:30pm PDT
Imperial

Imperial Room - Lunch

3:00pm PDT

Coffee Break

Monday October 8, 2018 3:00pm - 3:30pm PDT
Regency Ballroom

Regency Ballrooms

8:00am PDT

Registration Desk

Tuesday October 9, 2018 8:00am - 5:00pm PDT
Market St Foyer

Market Street Foyer

9:00am PDT

1-day training: So You Want to Run a Secure Service on AWS?

Limited Capacity seats available

Learn how to secure your AWS environment.
Areas within AWS that will be covered:
1. The 3 Layers in AWS
2. Security Constructs in AWS
3. What does an ideal architecture look like
4. How do I build it
5. How do I maintain/monitor it
6. How do I break it
Students will have the opportunity to learn about core services and the security concerns with each while chatting with security engineers at Netflix. In the end, students will walk away with a better understanding of AWS and a multi-account AWS environment.

Speakers

William Bengtson

Security, Capital One

Will Bengtson is senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense... Read More →

Nag Medida

Sr. Security Engineer, Netflix

Nag Medida is a Senior Security Engineer at Netflix working in the SecOps team, where he loves to spend his time on AWS, building tools and automating stuff with a passion for cloud security. Nag's expertise lies in security automation for the cloud in big data world, penetration... Read More →

Tuesday October 9, 2018 9:00am - 5:00pm PDT
Atherton

Atherton

9:00am PDT

2-day training: Container Security, Serverless and Orchestration Training

Containers have changed the way we do deployments. Organizations have openly embraced containerization, to supplement traditional deployment paradigms like Virtual Machines and Hypervisors. Docker, has emerged as the leading container technology that is used by organizations, large and small for packaging and deploying consistent-state applications.
Serverless on the other hand seems to be taking over at a rapid rate with increased usage of micro-services across organizations.

However, as always, security is a challenge that organizations face with containerized and serverless deployments. While containers may be vulnerable to security threats that plague any typical application deployments, they face specific security threats related to the containerization daemon, the shared kernel and other shared resources like the network and the filesystem. Serverless deployments face risks such as insecure serverless deployment configurations, Inadequate function monitoring and logging, Broken authentication, Function event data injection & Insecure application secrets storage.

Speakers

Abhay Bhargav

Founder, we45

"Abhay Bhargav is the Founder of we45, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of “Orchestron"", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering... Read More →

Nithin Jois

Senior Security Solutions Engineer, we45

Nithin Jois dons two hats - Apart from being one of the lead trainers at AppSecEngineer, he is also a Senior Solutions Architect at We45 where he has helped build multiple solutions ranging from Vulnerability management to scalable scanner orchestrating systems that leveraged container... Read More →

Tuesday October 9, 2018 9:00am - Wednesday October 10, 2018 5:00pm PDT
Sacramento

Atherton

10:30am PDT

Coffee Break

Tuesday October 9, 2018 10:30am - 11:00am PDT
Regency Ballroom

Regency Ballrooms

12:30pm PDT

Lunch

Tuesday October 9, 2018 12:30pm - 1:30pm PDT
Imperial

Imperial Room - Lunch

3:00pm PDT

Coffee Break

Tuesday October 9, 2018 3:00pm - 3:30pm PDT
Regency Ballroom

Regency Ballrooms

8:00am PDT

Registration Desk

Wednesday October 10, 2018 8:00am - 5:00pm PDT
Market St Foyer

Market Street Foyer

9:00am PDT

1-day training: Small Team's guide to Security and Compliance in AWS

Limited Capacity seats available

Are you the first security hire for a growing startup? Is your company aim to rapidly ramp up security controls for Compliance or based on customer requests? Do you feel lost in the acronym and regulatory alphabet soup? If the answers to any of these are yes, you may want to join this course. I have been in exactly same state for the last two years in a high growth Enterprise-Wifi startup, hosted primarily in AWS. This duration has overlapped with everchanging new AWS tools aimed at security and product development as we were bootstrapping our product and rapid growth in revenue, risk and headcount in the company. This training distills the lessons learned into how a small security team still be effective in instilling a security culture and build infrastructure that can withstand the ever changing regulatory landscape. We will be using existing open source tools and systems to help you bring up your enterprise cloud security in the modern cloud era.

Speakers

Prasanna Gautam

Wednesday October 10, 2018 9:00am - 5:00pm PDT
Atherton

Atherton

9:00am PDT

Women In AppSec - Hands-On Penetration Testing Training - 1 day Training

Limited Capacity full

Interested in getting in on the insight and action of application security?
Join us for a free workshop constructed to satisfy your curiosity and professional development, given the modern Internet and its various associate risks.
Why a free workshop?
The OWASP volunteer community and our Women in AppSec Committee (WIA) Committee commit to training the leaders behind securing the World Wide Web… That’s YOU! Your learning path starts (or continues) here. We’re excited to form mentorships at this year’s AppSec USA conference.
Breakdown of Topics:
This will be an interactive one day workshop on how to test applications for security issues. Participants of this course will learn how to do the following:

Scope a security review and prioritise the work
Understand the manual and automated tools and techniques available and when to apply them
Learn how to determine the real risk value.
In order to achieve these goals assess the OWASP Top Ten security areas within a real world application.

Audience:
The workshop is intended for web application developers, students and application security testers

Prerequisites:
This is an introductory training for those new to application security. The course has been developed to train learners at all levels… Just remember to bring your enthusiasm!
1. Laptop with administrator access (mandatory)
2. Minimum 4 GB RAM
3. Atleast 10 GB of free hard disk space
4. Oracle VirtualBox 5.x or later installed.
5. Burp Suite Community Edition installed (https://portswigger.net/burp/communitydownload)

Instructor:
The course is taught by Vandana Verma, an experienced application security practitioner, and OWASP WIA Committee Secretary and Asia Volunteer Coordinator

Speakers

Vandana Verma Sehgal

Chair, Global Board of Directors, OWASP Foundation

Vandana Verma Sehgal is Security Leader at Snyk. She is a member of the OWASP Global Board of Directors. She has experience ranging from Application Security to Infrastructure and now dealing with Product Security. She also works in various communities towards diversity initiatives... Read More →

Wednesday October 10, 2018 9:00am - 5:00pm PDT
Belvedere

Belvedere

10:00am PDT

Project Reviews

Limited Capacity seats available

We will be reviewing the following projects:
Lab to Flagship Status
OWASP Benchmark Project
OWASP Dependency Track Project

Incubator to Lab Status
OWASP Mobile Security Testing Guide
OWASP Glue Tool Project

Other projects may be added as they come up. Project leader help in reviewing these projects would be greatly appreciated.

Speakers

Harold Blankenship

OWASP Foundation

Wednesday October 10, 2018 10:00am - 5:00pm PDT
California

California Room

10:30am PDT

Coffee Break

Wednesday October 10, 2018 10:30am - 11:00am PDT
Regency Ballroom

Regency Ballrooms

12:00pm PDT

OWASP Board Meeting

Limited Capacity seats available

Meeting Date: October 10th, 2018
Meeting Time: 3:00 to 4:30 PM EDT (time zones)
Meeting Location: Physical Meeting at AppSec USA 2018 Conference + Virtual
Address: N/A
Virtual: https://www3.gotomeeting.com/join/861328838

International Toll Free Calling Info
https://global.gotomeeting.com/join/861328838
The board meeting ID is: 861-328-838
The complete invitation content is below
1. Please join my Go To Meeting. https://www3.gotomeeting.com/join/861328838
Meeting ID: 861-328-838
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone. OWASP Board Meeting
Please join my meeting from your computer, tablet or smartphone. https://global.gotomeeting.com/join/861328838
You can also dial in using your phone. United States : +1 (805) 309-0027 Access Code: 861-328-838
More phone numbers
Argentina (Toll Free): 0 800 266 1378 Australia (Toll Free): 1 800 191 358 Australia: +61 2 8355 1038 Austria (Toll Free): 0 800 202144 Austria: +43 7 2081 5337 Bahrain (Toll Free): 800 81 305 Belarus (Toll Free): 8 820 0011 0331 Belgium (Toll Free): 0 800 81382 Belgium: +32 28 93 7002 Brazil (Toll Free): 0 800 025 8726 Bulgaria (Toll Free): 00800 120 4413 Canada (Toll Free): 1 877 777 3281 Canada: +1 (647) 497-9380 Chile (Toll Free): 800 395 146 China (Toll Free): 4008 866143 Colombia (Toll Free): 01 800 012 9057 Czech Republic (Toll Free): 800 500453 Denmark (Toll Free): 8025 3112 Denmark: +45 32 72 03 69 Finland (Toll Free): 0 800 94473 Finland: +358 923 17 0556 France (Toll Free): 0 805 541 052 France: +33 170 950 590 Germany (Toll Free): 0 800 723 5274 Germany: +49 692 5736 7300 Greece (Toll Free): 00 800 4414 4282 Hong Kong (Toll Free): 800 900 221 Hungary (Toll Free): (06) 80 986 259 Iceland (Toll Free): 800 9993 India (Toll Free): 000 800 100 8227 Indonesia (Toll Free): 001 803 852 9155 Ireland (Toll Free): 1 800 818 263 Ireland: +353 15 621 583 Israel (Toll Free): 1 809 388 020 Italy (Toll Free): 800 906955 Italy: +39 0 230 57 81 80 Japan (Toll Free): 0 120 242 200 Korea, Republic of (Toll Free): 0806180880 Luxembourg (Toll Free): 800 29524 Malaysia (Toll Free): 1 800 81 6860 Mexico (Toll Free): 01 800 083 5535 Netherlands (Toll Free): 0 800 020 0178 Netherlands: +31 207 941 375 New Zealand (Toll Free): 0 800 47 0051 New Zealand: +64 9 913 2226 Norway (Toll Free): 800 69 055 Norway: +47 21 93 37 37 Panama (Toll Free): 001 800 507 2789 Peru (Toll Free): 0 800 55465 Philippines (Toll Free): 1 800 1110 1669 Poland (Toll Free): 00 800 1124748 Portugal (Toll Free): 800 819 683 Romania (Toll Free): 0 800 410 025 Russian Federation (Toll Free): 8 800 100 6217 Saudi Arabia (Toll Free): 800 844 3636 Singapore (Toll Free): 18007231322 South Africa (Toll Free): 0 800 999 068 Spain (Toll Free): 800 900 593 Spain: +34 932 75 1230 Sweden (Toll Free): 0 200 330 924 Sweden: +46 853 527 818 Switzerland (Toll Free): 0 800 000 452 Switzerland: +41 225 4599 60 Taiwan (Toll Free): 0 800 666 846 Thailand (Toll Free): 001 800 658 129 Turkey (Toll Free): 00 800 4488 29001 Ukraine (Toll Free): 0 800 60 9142 United Arab Emirates (Toll Free): 800 018 1948 United Kingdom (Toll Free): 0 800 031 4727 United Kingdom: +44 20 3713 5011 Uruguay (Toll Free): 0004 019 1017 Viet Nam (Toll Free): 122 80 106Access Code: 861-328-838

Wednesday October 10, 2018 12:00pm - 3:00pm PDT
Garden

Garden Room

12:30pm PDT

Lunch

Wednesday October 10, 2018 12:30pm - 1:30pm PDT
Imperial

Imperial Room - Lunch

3:00pm PDT

Coffee Break

Wednesday October 10, 2018 3:00pm - 3:30pm PDT
Regency Ballroom

Regency Ballrooms

5:00pm PDT

Welcome Reception

Kick off your networking early at the private Welcome Reception.
Join us for a drinks, hors d’oeuvres, and a special opportunity to connect with speakers, colleagues, and sponsors prior to the start of the conference.

The Welcome Reception is open exclusively to AppSec USA attendees. Pick up your badge at the registration desk, then join us in the Market Street Foyer.

Wednesday October 10, 2018 5:00pm - 6:15pm PDT
Market St Foyer

Networking Event

6:30pm PDT

OWASP Leaders' Workshop

Matt Tesauro. Director of Community and Operations
Harold Blankenship. Director, Projects and Technology Support Dawn Aitken. Community Manager

The OWASP Leader Workshop is designed for OWASP members currently leading or interested in starting a chapter in their local area or a project .
We are hosting a sessions to learn from each other how to run chapter activities, what types of events to host and how to promote them, outreach with education and other organizations, as well as where to access funding and how to spend it. Here you will also learn about ongoing efforts as well as be able to give insight into how better to tailor them. The session description is a starting point for discussion, but the discussion is yours.
Attendees will receive special edition OWASP Leader's shirts.

Wednesday October 10, 2018 6:30pm - 9:30pm PDT
California

California Room

8:00am PDT

Registration Desk

Limited Capacity filling up

Thursday October 11, 2018 8:00am - 5:00pm PDT
Market St Foyer

Market Street Foyer

8:00am PDT

Press Room

Thursday October 11, 2018 8:00am - 5:00pm PDT
Plaza

Press Room

9:00am PDT

(in)Security is eating the world; speed and autonomy is our only hope for defense

Technology has transformed nearly every segment of our lives and will continue to dramatically impact the future. From transportation, to medicine, to communication, technology underpins every aspect of how we interact with the world, and with each other. However, every day we see examples of critical security failures impacting technology, and ultimately our lives. The fundamentals of security may be simple, but the implementation is far from it. There is a massive interconnection of technologies, an explosion of data, time to market drivers, and human interpretation is mixed throughout. The solution to this chaos is not to employ more humans toiling for security. Automate or die. The future of security is a dramatic shift to autonomy, scale and speed. Join me as we journey through a talk of controversial stances and hard realities to uncover a strategy for securing the future of technology.

Speakers

Michael Coates

Co-founder and CEO, Altitude Networks

Michael Coates is the CEO & co-founder of Altitude Networks. Previously, Michael was the Chief Information Security Officer at Twitter. Michael has also served for six years on the OWASP global board of directors, three of those years as the chairman.Prior to Twitter, Michael was... Read More →

Thursday October 11, 2018 9:00am - 9:45am PDT
The Fairmont

Imperial Room

9:00am PDT

Exhibit

Thursday October 11, 2018 9:00am - 6:00pm PDT
Market St Foyer

Market Street Foyer

9:45am PDT

Coffee Break

Thursday October 11, 2018 9:45am - 10:15am PDT
Regency Ballroom

Regency Ballrooms

10:00am PDT

Member Lounge

OWASP Members Lounge at AppSec USA 2018

Thursday, October 11th 10am-5pm & Friday, October 12th 10am-3pm

Looking for a place to recharge your electronics?
Feeling a bit hungry or thirsty?
Maybe you are looking for some cool OWASP Member Only swag?
Or just looking to take a break from the hectic conference atmosphere?

Head on over to the Members Lounge located in the Empire Room on the Banquet Level at the Fairmont.

Here you can grab a snack, quench your thirst, recharge your electronics, kick up your feet, and network with other OWASP members all within a relaxed atmosphere.

Not an OWASP Member? No problem! Swing on over to the lounge, and you can sign up on the spot, or join here!

Look for the signs or ask a volunteer how to find us!

Thursday October 11, 2018 10:00am - 5:00pm PDT
Empire

Empire Room

10:00am PDT

Capture the Flag

This hands-on Capture The Flag (CTF) event will be held live during both days of the conference and will be targeted towards beginner and intermediate level application hackers.
Participants in this event will be required to find and exploit OWASP Top-Ten related vulnerabilities, as well as other common application security vulnerabilities. Mentors will be available to help get you started. Prizes (i.e. tech-friendly gadgets) will be awarded to the top individual performers (must be present on the last day to win).
What to bring:

A laptop with working wifi
Make sure to download the ZAP proxy from OWASP.org or your favorite proxy (e.g. BurpSuite) and have it working properly.

** Thanks to our Sponsor DUO**

Speakers

Joaquin Fuentes

Director, Security Threat Management, Early Warning

Thursday October 11, 2018 10:00am - Friday October 12, 2018 3:00pm PDT
Valley

Valley

10:15am PDT

Authentication as a Microservice: Portable Customer Identity Management

Authentication is a core piece of many applications but it has traditionally been handled in a monolithic manner. Foreign keys to the user table and join tables for roles and permissions is the most common mechanism that applications use to manage user data. Moving to microservices means that applications now need to decouple authentication, user management, and user data. To accomplish this, a portable identity model is required.
In this session, we will discuss the advantages of a microservice architecture, as well as the most common pitfalls including increased network chatter and various security issues. I’ll cover the basics of authentication and authorization as a microservice and JWT revocation. The goal is to allow developers to primarily focus on code and move away from infrastructure concerns.

Speakers

Brian Pontarelli

CEO, FusionAuth and CleanSpeak

Brian Pontarelli is founder and CEO of Inversoft, a Denver-based provider of platform technologies built to help companies manage, moderate and engage their customers. These technologies include Passport, a modern identity and user management API that provides login, registration... Read More →

Thursday October 11, 2018 10:15am - 10:50am PDT
Gold

Gold, Beginner

NEW FIELD 1 Track 3

10:15am PDT

Domino's Delivery of a Faster Response was No Standard Order

Come listen to Domino's Pizza share how they transformed a complex, multi-ticket, time-consuming process into an Automated Application Security Engagement workflow. Using deep knowledge of Atlassian tools, a little ingenuity, and a lot of ITSM, a great partner in Forty8Fifty Labs, Security Enablement approach and DevOps best practices, Domino's Information Security Team responds faster than ever.

Speakers

Michael Sheppard

Application Security Manager, Dominos

Mr. Michael Sheppard is a seasoned Application Security and Secure Software Development professional with over 10 years experience reducing business risk throughout the Development Lifecycle. He expertise's in building out complex, comprehensive, cobust, continuous Application Security... Read More →

Thursday October 11, 2018 10:15am - 10:50am PDT
Regency 1

Regency Ballroom 1, Intermediate

10:15am PDT

Web application compromise mitigation with crypto anchoring

Today’s world of Equifax breaches is the same old data security problem. In the past you’d need a solid SQL injection to pull all the records of a database. Now days, you need an RCE on the application server. The root problem has not changed. The app server has keys to database, decryption, and a public presence. How do you protect data in this architecture. A solution is crypto anchoring paired with effective monitoring.

Speakers

Jon Debonis

Head of Security / CSO, Blend

Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.

Thursday October 11, 2018 10:15am - 10:50am PDT
Regency Ballroom

Regency Ballroom 2, Intermediate

NEW FIELD 1 Track 2

11:00am PDT

Prevent Business Logic Attacks using Dynamic Instrumentation

As application security practitioners, we know that the attacks representing the most significant business risk for our organizations are often attacks targeting sensitive business functions of our applications. Those go far beyond the OWASP Top 10 and make generic (existing?) security tools inefficient. We require very tailor-made solutions to cover our security needs.

This talk will show how to create a security automation tool using dynamic instrumentation that helps to prevent business logic attacks. Sensors are added to the application source code, business events collected in an analysis engine and automated responses are pushed back to the application at runtime. The presented tool is based on open source libraries, and easily extensible and pluggable to analysis engines such as Kibana or Splunk.

Dynamic instrumentation is a game changer because it allows security teams to add sensors remotely, in real time, without asking development teams to trigger a new build and a new deploy of their applications.

The talk will include concrete business examples to help the audience apply this strategy. It will also give tips to navigate through the various teams (fraud, developers, product, …) that own a different piece of this security puzzle.

Speakers

Jean-Baptiste Aviat

Staff Engineer, Datadog

Jean-Baptiste Aviat spent half a decade hunting vulnerabilities at Apple, helping developers solve them, and developing security software.

Thursday October 11, 2018 11:00am - 11:35am PDT
Gold

Gold, Intermediate

NEW FIELD 1 Track 3

11:00am PDT

Teach a man how to fish

So you were asked by a few devops teams to make them more secure. So you pick up their assets, review them and help them forward. But after that, when you leave them behind, more vulnerabilities get introduced. The question is: did your hacks bring long term value? Did you help them to get sustainable? Probably not. So how can you help them on the long term? How can you teach them how to fish instead of feed them?

Join us for a journey in how you can help teams to become sustainable in security when devops and agile are applied. We will start our journey with an assessment, then go through training the SRE, Devops and security teams, after we coach people to make better decisions. In the mean time we can do some sightseeing in automation, agile risk management and some darker pitfalls we fell for more than once.

Speakers

Jeroen Willemsen

PSA, Xebia

Jeroen Willemsen is a Principal Security Architect at Xebia. With a love for mobile security, he recently became one of the projectleaders for the OMTG project (MASV & MSTG). Jeroen is more or less a jack of all trades with interest in infrastructure security, risk management and... Read More →

Thursday October 11, 2018 11:00am - 11:35am PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

11:00am PDT

SDL at Scale: Growing Security Champions

If you’re tasked with securing a portfolio of applications it’s a practice in extremes. You’ve got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that’s been around forever doing Waterfall on one huge product, and at the same time, you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing for production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren’t enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you.

By partnering with your development organization to create a guild of Security Champions you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions that go beyond just interfacing with the security team but also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.

Speakers

Ryan O' Boyle

Manager, Product Security, Veracode

Ryan O'Boyle is the Manager of Product Security at Veracode. Prior to joining Veracode, he helped create the internal penetration testing team at Fidelity Investments. He has presented at conferences including AppSec USA & EU, BlackHat EU, and RSA Europe. Throughout his career, Ryan... Read More →

Thursday October 11, 2018 11:00am - 11:35am PDT
Regency 2

Regency Ballroom 2, Beginner

NEW FIELD 1 Track 2

11:45am PDT

Value Driven Threat Modeling * DEV Focused*

What if we could get developers to apply threat modeling techniques, and embed secure design right in the product from the beginning?

Threat Modeling is a great method to identify potential security weaknesses, and can enable architects and developers to efficiently prioritize their security investment, thus mitigating and preventing those vulnerabilities that would most likely cause the most damage.

Unfortunately, though threat modeling provides a far greater return than most any other security technique in a development process, it is apparently “common knowledge” that threat modeling is supposed to be heavily resource intensive, require a full team of expensive security professionals, take up far too much developer time, and does not scale at all.

But the common knowledge is wrong! In fact, using a lightweight, value-driven approach, skilled development teams can very efficiently ensure that the features they build can protect themselves, the application, and the business value that the features are intended to generate. Value Driven Threat Modeling offers an alternative to top-heavy, big-model-up-front threat modeling, in favor of agility, speed, and integration with the existing development cycle to not just to minimize risk, but to lower security costs.

This talk will describe Value Driven Threat Modeling, and show how to incorporate it into your existing agile methodologies. We will discuss how developers can efficiently threat model their application to improve development, and walkthrough some example scenarios. And of course, we will see how security can participate productively in the agile development process, leveraging developers own habits to their benefit.

Speakers

Avi Douglen

OWASP BoD, Bounce Security

AviD is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for around 20 years. My research interests include efficient security engineering, usable... Read More →

Thursday October 11, 2018 11:45am - 12:20pm PDT
Gold

Gold, Intermediate - Dev focused

NEW FIELD 1 Track 3

11:45am PDT

Identity Theft: Attacks on SSO Systems

SAML is often the trust anchor for Single Sign-On (SSO) in most modern day organizations. This presentation will discuss a new vulnerability discovered which has affected multiple independent SAML implementations, and more generally, can affect any systems reliant on the security of XML signatures. The issues found through this research affected multiple libraries, which in turn may underpin many SSO systems.

The root cause of this issue is due to the way various SAML implementations traverse the XML DOM after validating signatures. These vulnerabilities allow an attacker to tamper with signed XML documents, modifying attributes such as an authenticating user, without invalidating the signatures over these attributes. In many cases, this allows an attacker with authenticated access to a SAML Identity Provider to access services as an entirely different user - and more easily than you’d expect.

This talk will also discuss another demonstrated class of vulnerabilities in user directories that amplify the impact of the previously mentioned vulnerability, and in some cases, can enable authentication bypasses on their own.

Speakers

Kelby Ludwig

Principal AppSec Engineer, Duo

Thursday October 11, 2018 11:45am - 12:20pm PDT
Regency 1

Regency Ballroom 1, Advanced

NEW FIELD 1 Track 1

11:45am PDT

Identifying and Remediating Security Vulnerabilities in AI Assistant Based Applications

Intelligent assistants are and will be everywhere. You might be thinking that you cannot hack assistants because you can't say "What's the weather in Boston' or 1=1--" or your assistant is safe in your house. Unfortunately, there are ways around both. This talk helps you understand how assistant applications are attacked, work, and how to identify and address vulnerabilities in them.

Speakers

Abraham Kang

Senior Director Software, Samsung Research America

Abraham Kang is fascinated with the nuanced details associated with machine learning algorithms, programming languages and their associated APIs. Kang has a B.S. from Cornell University and JD from Lincoln Law School of San Jose. He has worked for various companies helping to drive... Read More →

Thursday October 11, 2018 11:45am - 12:20pm PDT
Regency 2

Regency Ballroom 2, Intermediate

NEW FIELD 1 Track 2

12:30pm PDT

Lunch

Thursday October 11, 2018 12:30pm - 1:30pm PDT
Imperial

Imperial Room - Lunch

1:30pm PDT

The Anatomy of a Secure Web Application in Java Using Spring Security and Apache Fortress

The Jakarta EE architecture provides the necessary enablement but most developers do not have the time or the training to take full advantage of what it has to offer. This technical session describes and demos an end-to-end application security architecture for an Apache Wicket Web app running in Tomcat. It includes practical, hands-on guidance to properly implementing authentication, authorization, and confidentiality controls using Java, Spring and Apache Fortress controls. In addition to finding out where the security controls must be placed and why, attendees will be provided with code they can use to kick-start their own highly secure Java web applications using Apache products and a few tricks.

Speakers

Shawn McKinney

Software Architect, Symas

Over twenty-five years as software developer and architect. Most of that time specializing in software security. Started an open source project called Fortress.

John Tumminaro

VP Technology, GlobalLogic

Passionate Enterprise & Security Architect. Experience/Roles include CTO, Chief Architect, Enterprise Architect, Security Architect & Solution Architect. Areas of specialty include: Transactional/BigData Systems, Integration, Performance/Scale/Resilience, Global Deployment, Cloud... Read More →

Thursday October 11, 2018 1:30pm - 2:05pm PDT
Gold

Gold, Advanced - Dev focused

NEW FIELD 1 Track 3

1:30pm PDT

My journey through building an advanced bot detection product

Bot activity represents a significant part of the overall Internet traffic. In the past, bots were concentrating on scraping content from ecommerce sites but in more recent years, bots are also being used to conduct fraudulent activity such as account checking, automated account creation, gift card or loyalty point theft.

As a web security product architect, my focus over the last 5 years has been to design and develop a comprehensive product that can detect and classify bots to protect the largest ecommerce and finance web site from the most sophisticated bots. Because taking over an account or stealing gift cards is lucrative, bot operators that focus on fraud are by far the most sophisticated, knowledgeable and motivated and as such, the most challenging to defend against. In this talk, I will discuss my journey through the product development life cycle and provide some insight into:

- The different type of bots I’ve come across

- The detection techniques developed over time

- How bot operators typically react (war stories from the trenches)

- The difficult challenge of accuracy

Detecting fraud for an organization is crucial but can also be a significant engineering effort. However, combining home-grown detection methods, commercial bot detection products, and good web design practices can dramatically reduce or eliminate the attack surface and discourage the attacker.

Speakers

David Senecal

Product Architect, Akamai Technologies

15 years of Network technology, web performance and web security support and consulting background from 50+ large scale projects for Global 1000 companies as well as start-up companies. Proven ability to conceive, develop, deploy and operate complex systems and applications.- Large... Read More →

Thursday October 11, 2018 1:30pm - 2:05pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

1:30pm PDT

Paving the road for Developers: Lessons from integrating third party library scanning in DevOps workflows

The necessity of securing third-party libraries and packages is not a new concept, however, not many organizations understand its importance in a world where open source is mainstream. There is an exponential growth in the usage of third party libraries and reusing code is the norm for developers. Adding a library can end up adding several other dependencies without the developer even being explicitly aware of them. Now combine this with the rapid pace of shipping new code on a daily basis, and the security challenge all of a sudden seems insurmountable.

In this talk, we will share our story of how we tackled this challenge head-on and leveraged DevOps tooling to build security that enables the developers. You should attend this talk if you want to learn about the technical and architectural choices of library scanning that worked for us at scale, and the ones that didn’t. You will learn how to drive automation while maintaining the consistency of overall developer experience.

And while you may have heard great talks about how DevOps (or DevSecOps) enables security, it also sets you up for losing credibility at DevOps speed if you’re not careful. We will give you tips and tricks, the Do’s and Don'ts that will enable you to implement third-party library security automation in your developer workflow, make it the path of least resistance and empirically measure success over time.

Speakers

Tim Champagne

Sr. Product Security Engineer, Medallia

Harshil Parikh

Director of Security, Medallia

Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.

Thursday October 11, 2018 1:30pm - 2:05pm PDT
Regency 2

Regency Ballroom 2, Intermediate

NEW FIELD 1 Track 2

2:00pm PDT

Career Fair

Join us at our 2 hour career fair during the OWASP AppSecUSA conference. Located in the Club Regent Lobby Level of the Fairmont.

Please sign in on the event website.

Thursday October 11, 2018 2:00pm - 4:00pm PDT
Club

Club Regent

2:15pm PDT

Scratching the Surface of your CD?

Continuous Delivery (CD) introduces a new set of challenges for application security testing, even compared with already fast Continuous Integration (CI) and DevOps methodologies. CD development organization can produce hundreds or even thousands of software updates per day, some of them taking no longer than a few hours from beginning to end. This puts pressure even on the best fast AppSec testing methodologies, such as fast incremental testing, restricted testing, etc.

True continuous testing calls for true, inline, continuous security testing, which does not rely on any dedicated testing slots. In this talk we will talk about some of these concepts - how to streamline security testing in the background, how to fit it into modern A/B testing cycles, and how to build an approval process that fits a modern CD workflow, rather than an old security go/no-go approach.

Join this talk if you would like to turn your application security testing methodology into one that can fit whatever development velocity your organization wants to go at!

Speakers

Ofer Maor

Director, Solutions Management, Synopsys

Thursday October 11, 2018 2:15pm - 2:50pm PDT
Gold

Gold, Intermediate

NEW FIELD 1 Track 3

2:15pm PDT

Empowering the Employee: Incident Response with a Security Bot

As organizations scale, it can become increasingly difficult for a small security team to process the large volumes of alerts. In addition, the employee who triggered the alert frequently has the most context as to what transpired. At our organization, we use a Slack bot to engage employees after suspicious activity. Involving employees has the dual benefit of raising company-wide security awareness and lightening the load on our security team. Employees also give us valuable insight into why an alert was triggered, so we can take the appropriate action as quickly as possible. We’re here to share some of the lessons learned after using this system for one year.

Speakers

Jeremy Krach

Software Engineer, Pinterest

Thursday October 11, 2018 2:15pm - 2:50pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

2:15pm PDT

Chromebooks and network motes to enforce security posture from the device to the cloud

Chromebooks and network motes to enforce security posture from the device to the cloud. Telling a developer they cannot have admin access on their local machine is not practical. We want them to get work done. For any company that doesn’t have an IT security team greater than 4 to 5 people, monitoring devices is not practical. How do we both provide secure access to production where the stakes are very high, and provide admin rights on personal devices? Our solution was to roll out chrome books, and it was fraught with technical challenges.

Speakers

Jon Debonis

Head of Security / CSO, Blend

Hi. I'm Jon. I study companies who've kept huge amounts of data secure, and try to replicate their success.

Thursday October 11, 2018 2:15pm - 2:50pm PDT
Regency 2

Regency Ballroom 2, Intermediate

NEW FIELD 1 Track 2

3:00pm PDT

Coffee Break

Thursday October 11, 2018 3:00pm - 3:30pm PDT
Regency Ballroom

Regency Ballrooms

3:30pm PDT

SCORE Bot: Shift Left, at Scale!

In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible.

While heavy-weight static and dynamic analysis tools and fuzzers exist to find generic technical security flaws, finding custom security issues that are specific to an organization’s proprietary frameworks, APIs, libraries, etc. is often tricky, time-consuming and expensive to capture and maintain as “custom rules” in those tools. IDE plug-ins are often messy to deploy and maintain at scale in the real-world when you are dealing with highly diverse programming languages/frameworks and thus various versions of different IDE products.

Secure COde REview Bot (SCORE Bot) fills that gap and provides real-time, in-context security-oriented code review that focusses on org-specific security issues. It does that by automatically hooking into the GitHub Pull Request (PR) process and posts PR comments with not only the details about the identified security vulnerabilities but also remediation advice so that developers have actionable guidance to fix those security issues.

Driven by insights from behavioral science and experimentation (A/B testing), SCORE Bot became our reliable eyes-and-ears of the code being written at PayPal and a trusted security peer reviewer for our developers.

In this talk, we’ll share the lessons-learned from rolling out SCORE Bot at PayPal with details on what worked, what proved challenging with some real-world metrics from our deployment that scaled to cater to diverse programming languages, frameworks and CI/CD pipelines.

Speakers

Vidhu Jayabalan

Security Architect, PayPal Inc.

Vidhu works at PayPal Inc. as a Security Architect in the Application Security Engineering organization and leads the development of a suite of products that enable Secure Product LifeCycle program at PayPal. Vidhu loves spending time on engineering & building products that are at... Read More →

Laksh Raghavan

Head of AppSec & Innovation, PayPal Inc.

Laksh Raghavan is the Head of Security Products Development at PayPal Inc. He is currently responsible for managing the Secure Product Lifecycle Program for all PayPal applications including the web and mobile apps supporting PayPal's more than 325 million active accounts. Laksh has... Read More →

Thursday October 11, 2018 3:30pm - 4:05pm PDT

Gold, Intermediate

NEW FIELD 1 Track 3

3:30pm PDT

Defense in depth with semantic static analysis

Facebook employs a defense-in-depth approach to product security; we use a range of preventative and detection-based approaches to help ensure that our Hack/PHP codebase and its myriad backend services behave as intended. In this context, ‘preventative’ might refer to secure-by-default libraries for doing privacy-aware data fetching. ‘Detection’ might refer to the manual review by a security engineer, automated static analysis before the code is employed in production, runtime detection (e.g. Invariant Detector), or our bug bounty program.

In this talk, I will discuss a static analyzer that we built to surface potential security and privacy issues in the facebook.com codebase. We have developed a bottom-up, inter-procedural, abstract interpreter that focuses on security issues that are difficult to prevent using the type system (i.e., Hack) or secure libraries and frameworks. We designed the tool based on guidance from Facebook’s security engineering teams. When a new class of vulnerabilities is discovered, we evaluate whether it is amenable to static analysis. If that is the case, we prototype the new rule, refine it based on feedback from security engineers, and then evaluate the rule against the whole codebase. In some cases, we are able to generate a patch automatically. Concurrently, we run this tool on every code change, thus preventing the reintroduction of this type of issue.

I will also describe some of the advances in the static analysis that enable the tool to scale to thousands of changes per day in a codebase that measures tens of millions of lines of code with a very low ratio of false positives.

Speakers

Francesco Logozzo

Software Engineer, Facebook

I am a static analysis junkie. I wrote static analyzers for Facebook and Microsoft, published Academic papers full of Greek symbols, and gave keynote speeches at major conferences.I am also a theoretical and experimental cyclist.

Thursday October 11, 2018 3:30pm - 4:05pm PDT
Regency 1

Regency Ballroom 1, Advanced

NEW FIELD 1 Track 1

3:30pm PDT

Mobile BDD security tests on steroids: A new framework to automate MSTG and MASVS in your CI/CD pipeline

In the era of Agile, DevOps and CI/CD, enterprises are constantly facing security challenges, especially in mobile where security is still underestimating. One of the main issues is speed and repeatability of security tests for each release/build. Being Agile means, being fast, flexible, being able to go to production continuously through continuous integration and deployment pipeline (CI/CD). This all applies especially to the development of mobile apps, where no common approach for automated security testing is defined yet.

As mobile development teams become more mature in terms of security, they have the need to release often and this requires changes in the traditional way of how security was handled. In order to reach the needed speed of deployment a new approach of how security fits into the process, automation and evidence of security tests become a valid option to facilitate this.

In the security maturity model, this maps to the DevSecOps teams and their capability to release faster. So, as security engineers, we have a few challenges to tackle:

- provide security at DevSecOps speed,

- detect vulnerabilities in early stages of development,

- have developers understand security,

- follow SDLC and

- have penetration testers focus on more sophisticated attack patterns against iOS and Android apps.
So, how do we get there? Let's look at the challenges:

1. Mobile security testing is complex if we consider the number of technologies, OS, security controls and libraries, and a different way of testing. Manual security testing alone is not an option anymore and automation frameworks must be adopted. OWASP Mobile AppSec Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG), are becoming more and more the de facto standard for mobile application security testing but one of the biggest challenges of adopting MASVS is how to make the test automated, repeatable and scalable at the DevOps speed throughout the whole SDLC.

2. Mobile developers already test their apps using UI mobile automation frameworks such us Calaba.sh, Appium, Espresso and so on. In order to make their tests understandable by multiple profiles in the company (from the testers itself to the upper management), DevOps introduced BDD testing (Behaviour Driven Development) using Cucumber and the famous Gherkin language.

So, with this in mind what is the solution that would fit best the needs of stakeholders, developers and security experts? The developers already have UI testing in place. Even though this doesn't relate directly to security, at the end of the day it is just another way of testing where maybe security can fit. Imagine combining some of the features of the frameworks used by developers and adding a new set of security tests.

This talk introduces a new process and practical solution that achieves this – automation of mobile security tests. We are using a combination of existing penetration testing frameworks (Drozer and Needle), UI automation, underlying system commands available in the mobile OS for execution of tests and describe (write) tests in BDD fashion. In this way, you can cover all kind of security tests, such as testing for not encrypted PII, input validation, cryptography, network security, SQL injection and so on! Basically, the goal is to translate MASVS (and its sister project MSTG) into automated BDD security tests and give pentesters more time to focus on "crazy stuff"

After the talk, the audience will understand how to create security tests using different mobile UI automation frameworks and different languages (Java, Ruby). We will also show practical examples on how to write, execute and integrate these tests into a CI/CD pipeline, retrieve results of tests and kick-off automatic tests when a flaw is discovered in a manual penetration test. A GitHub repo will be available after the Open Summit in London and will be shared during the talk, in order to initiate a community effort, so people can contribute to this automation framework for the MASVS by sharing their automation scripts.

Speakers

Davide Cioccia

Security Engineer, ING

Being in love with everything around computers, Davide Cioccia joined the cyber security scene few years back in 2009 when Stuxnet hit the nuclear plants of Iran. He developed a framework to understand how "diversity" in the assets in the plants, could stop the malware to reach its... Read More →

Thursday October 11, 2018 3:30pm - 4:05pm PDT
Regency 2

Regency Ballroom 2, Intermediate - Dev focused

NEW FIELD 1 Track 2

4:15pm PDT

Threat Model-as-Code: A Framework to go from Codified Threat Modeling to Automated Application Security Testing

Threat Modeling is critical for Product Engineering Team. Yet, even in the rare event that it’s performed, its performed without actionable outputs emerging from the exercise. It is relegated to the status of what a “Policy/Best Practice Document”, which it shouldn’t be. I believe that Threat Models are playbooks of Product Security Engineering. I feel that the best way to do threat modeling is to integrate it into the Software Development Lifecycle (SDL). In addition, I believe that Threat Models should produce actionable outputs that can be acted up on by various teams within the organization. To address this lacuna, I have developed “Automaton” - An Open Source “Threat Modeling as Code” framework, that allows product teams to capture User Stories, Abuser Stories, Threat Models and Security Test Cases in YAML Files (like Ansible). With the help of Test Automation Frameworks (in this case, Robot Framework) Automaton allows the product engineering team to not only capture Threat Models as code, but also trigger specific security test cases with tools like OWASP ZAP, BurpSuite, WFuzz, Sublist3r, Nmap and so on. The benefits are three-fold. One - For teams to use Threat Modeling as a first-class citizen(with code). Facilitating Iterative and Updated Threat Models and Security Test Cases, as the product evolves (not a stationary document). Two - For Threat Modeling to become actionable. Product Teams can use this Framework to compose “Recipes” where User Stories (Functionality) leads to Abuser Stories (Threat Profiles) which lead to Threat Models (scenarios), that are used to create Security Test Cases (which kick off certain tools) based on the Recipes written for the Test Cases. Three - This approach leads to a convergence of Threat Modeling and Security Testing, allowing teams to improve both security testing and threat modeling based on results produced through this framework.

Speakers

Abhay Bhargav

Founder, we45

Thursday October 11, 2018 4:15pm - 4:34pm PDT
Regency 2

Regency Ballroom 2, Advanced

NEW FIELD 1 Track 2

4:15pm PDT

Are we using Java Crypto API Securely ?

Do you feel cryptographic libraries are just thrown over the fence for us developers and security professionals to understand and pray its used securely? Java Cryptography Architecture is one such famously used the library, laden by ambiguous documentation, over-abundance of algorithmic and key material choices, insecure defaults, and poor architectural choices. All these collectively make it highly probable to make an unfortunate choice and lands us with a flawed cryptographic system.
In this session, learn how to securely use each of the Java Cryptography Architecture’s primitives (Random Number Generators, Encryption/Decryption algorithms, HMACs, digital signatures etc.) using real-world code examples to highlight areas that require careful attention and difficult choices. Examine both good and flawed implementations, and learn how to spot mistakes. Then learn how to future-proof the crypto in your applications.

Speakers

Mansi Sheth

Principal Security Reseacher, CA Veracode

Mansi Sheth is a Principal Security Researcher at CA Veracode Inc. In her career, she has been involved with breaking, defending and building secure applications. Mansi researches various languages and technologies, finding insecure usages in customer code and suggests automation... Read More →

Thursday October 11, 2018 4:15pm - 4:50pm PDT
Gold

Gold, Advanced - Dev focused

NEW FIELD 1 Track 3

4:15pm PDT

How to get the best AppSec test of your life

The Internet is full of advice on delivering a better pen test. That’s great but what if you are the one arranging or receiving the test? In this talk, I want to use my experience of scoping and delivering these tests (as well as feedback from test recipients) to suggest ideas on how to get the best value from AppSec tests. I will talk about how you can "hack your test" to better tailor it to your needs, how you can be best prepared for a smooth test and how you can make sure the report is focused and actionable.

Defenders/builders will hopefully leave this talk with ideas that you can apply today, tomorrow and in the future to ensure that AppSec tests aren’t just a compliance tick-box but rather deliver real value and make an application more secure. Breakers will hopefully leave this talk wondering whether you are ready to provide this level of value added application test.

Speakers

Josh Grossman

Chief Technology Officer, Bounce Security

Josh has worked as a consultant in IT Security and Risk for over a decade and also as a Software Developer. He currently works as a Team Leader in Comsec Group's Application Security division where he leads and delivers web and mobile application security tests with the aim of not... Read More →

Thursday October 11, 2018 4:15pm - 4:50pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

7:00pm PDT

Networking Event

This networking event will provide attendees with heavy bowl Hors d’oeuvres, fun entertainment, networking and a really relaxed enjoyable time in the heart of San Jose in front of the Conference Venue. If you are interested in attending this wonderful event, then register for the conference - tickets to the event are included in the conference package for paying attendees. Also extra tickets can be purchased on line through the registration system.

Thursday October 11, 2018 7:00pm - 9:45pm PDT
The Tech Museum of Innovation 201 S Market St, San Jose, CA 95113

Networking Event

8:00am PDT

Registration Desk

Friday October 12, 2018 8:00am - 4:00pm PDT
Market St Foyer

Market Street Foyer

8:15am PDT

Project Showcase: ZAP Heads Up Display

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing. Come and learn about ZAP and the new feature: Heads Up Display

Speakers

David Scrobonia

Friday October 12, 2018 8:15am - 8:50am PDT
California

California Room

9:00am PDT

Defensible Application Security for the Artificial Intelligence Era

From the very beginning of the Internet, humans have struggled with how to trust in the digital world. Neuroscience studies are gradually uncovering clues as to how our brains process digital cues, and how we adapt to an increasingly extensive digital presence around us. As the scale of that presence increase exponentially so is the complexity of applications that process, represent, and protect the digital transactions, the identities, and the actions that we undertake every day. Today application security is a race against bad actors. We have fairly effective tools to separate humans from digital entities and test trustworthiness of certain actions, but we are wholly unprepared for a world when a digital entity passes the Turing test. This talk takes us through the concept of trust, how our brains process trust, and how we may arrive to decision making based on trust in the digital realm. We will examine how the infusion of machine learning and AI impact design principles for application security. Why we must design applications and systems with real-time controls that operate at scale and respond automatically to dynamic and intelligent adversaries.

Speakers

Chenxi Wang

Founder, Rain Capital

Dr. Chenxi Wang is the Founder of the Jane Bond Project, an independent security research and advisory firm. Wang also serves on the boards of various startups and VC funds. Previously,Wang was the Chief Strategy Officer at Twistlock. Wang is the 2016 and 2017 program Co-Chair for... Read More →

Friday October 12, 2018 9:00am - 9:45am PDT
Imperial

Imperial Room

9:00am PDT

Exhibit

Friday October 12, 2018 9:00am - 4:00pm PDT
Market St Foyer

Market Street Foyer

9:45am PDT

Coffee Break

Friday October 12, 2018 9:45am - 10:15am PDT
Regency Ballroom

Regency Ballrooms

10:00am PDT

Member Lounge

Friday October 12, 2018 10:00am - 3:00pm PDT
Empire

Empire Room

10:00am PDT

Hunter2: Repair The Flag

Repair The Flag

Once you've Captured some Flags, learn strategies for preventing the OWASP 10 weaknesses in your tech stack by solving a series of challenges.

Participants will be able to interact with and modify real vulnerable web applications to identify, exploit, and then patch common vulnerabilities. Application examples are written in NodeJS, Python, Golang and C++. Secure the most applications in the least time to win prizes!

Show up in person to register anytime, then stick around for mentorship or explore the challenges on your own.

Who should attend: Developers and anyone who works with them! We will have challenges spanning a range of technical difficulties and experience levels.

What to bring: A laptop with wifi - nothing to download.

Speakers

Fletcher Heisler

CEO & Founder, Hunter2

Friday October 12, 2018 10:00am - 3:00pm PDT
California

Redwood

10:15am PDT

Project Showcase: Amass

Amass is an in-depth DNS Enumeration and Network Mapping written in Go. It helps organizations fill in blind spots for their their presence and exposure to the internet. Amass reaches out to more than 30 passive data sources to learn about the DNS namespace of a target domain.

Speakers

Jeff Foley

Manager, Penetration Testing & Red Teaming, National Grid

Friday October 12, 2018 10:15am - 10:50am PDT
California

California Room

10:15am PDT

Campaign Security is Hard

Speakers

Dylan Ayrey

Bio Dylan is an active member of the security open source community, and authored projects such as Trufflehog. He's spoken at a number of conferences including Defcon, BsidesSF, Toorcon, and others. He graduated college in 2015 and has been working in the security industry ever since... Read More →

Ben Hagen

Ben Hagen is likely the only security professional in the world who has won both a presidential election and an Emmy. He loves security and both building and breaking things. Ben is currently helping several organizations solve interesting security problems. Previously, he was head... Read More →

Friday October 12, 2018 10:15am - 10:50am PDT
Crystal

Crystal Room

10:15am PDT

Human factors that influence secure software development

Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application security?

By its very nature both automated and manual application security testing are performed retroactively on code that has already been written. Automated AppSec testing can speed up that process to provide security analysts and developers with timely information about the security state of their code, thereby closing the time gap between committing code and discovering weaknesses in it. But automated testing is still performed after code has been committed. Furthermore, both manual and automated source code analyses are done without much prior knowledge about where the vulnerabilities are likely to appear in the code base.

What would happen if we could point to specific code that is more likely to be vulnerable based on other factors, such as the environment (time of day, distracting noise, time pressure) under which the code was written or the characteristics of the individual developers (experience, training, focused attention) or the teams (size, diversity, level of collaboration) that developed the code? This information would allow us to orient our manual code analyses and automated static analyses towards susceptible code. It would also allow us to change up the conditions that are contributing to the introduction of vulnerabilities, and intervene before these conditions impact the security of the code under development.

This is a definitive way to shift security to the left. Become so aware of the factors that contribute to the introduction of vulnerabilities that an organization can mitigate their introduction by changing up the conditions under which the code is being developed.

This session will review the types of research being conducted, and the initial findings, from an emerging area of application security research: the human dimensions that relate to secure code development. We will also open up a discussion with the audience about innovative ways that could be used to further study the human factors that affect secure code development in ongoing projects, not just through historical analyses of well-established repositories.

Speakers

Anita D'Amico

CEO, Code Dx, Inc.

Anita D’Amico, PhD. is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed... Read More →

Chris Horn

Senior Researcher, Secure Decisions

Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology... Read More →

Friday October 12, 2018 10:15am - 10:50am PDT
Gold

Gold, Beginner

NEW FIELD 1 Track 3

10:15am PDT

Better Deserialization Vulnerability Remediation with Automated Gadget Chain Discovery

Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library and as recently as last year's Black Hat Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability. This allows developers to properly prioritize remediation and weigh the tradeoff of potential exploits against refactoring an application's entire RPC mechanism. In this talk I will also present a FOSS toolkit developed to utilize this methodology and which has already been used to evaluate deserialization vulnerabilities in both internal applications and open source projects.

Speakers

Ian Haken

Senior Security Software Engineer, Netflix

I'm a senior security software engineer at Netflix where I work on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, I spent two years as security researcher at Coverity where I developed defensive application security... Read More →

Gadget Inspector AppSec USA pdf

Friday October 12, 2018 10:15am - 10:50am PDT
Regency 1

Regency Ballroom 1, Advanced

NEW FIELD 1 Track 1

10:15am PDT

Battle Tested Application Security

Building Application Security programs from scratch or dropping into existing organizations with some AppSec functions can be a war zone. As practitioners are on the front lines of implementing AppSec programs, there is no one-size fits all or a magic supplier who can come in and solve all opportunities. It takes a dedicated staff to drive an effective program beyond the check the box mentality, with a critical focus on security culture.

Through the talk, I'd like to provide insight into the nuances of dealing with different environments large to small and the associated lessons learned to help drive the culture of security to truly provide defensive capabilities and empower the organization.

Speakers

Ty Sbano

Head of Information Security, Periscope Data

Ty Sbano is an Information Security leader with over 12 years of experience mainly in Financial Technology organizations. Ty’s career has been focused on developing application and product security programs for LendingClub, Capital One, JPMorgan Chase, and Target. Key areas of knowledge... Read More →

Friday October 12, 2018 10:15am - 10:50am PDT
Regency 2

Regency Ballroom 2, Beginner

NEW FIELD 1 Track 2

11:00am PDT

Tears From the Cloud

"When “getting pwned” doesn’t even fully describe what happened"

When building your systems and infrastructure in the cloud, you should always consider the attack vectors you open yourself up to and to continually strive to proactively close them. It’s common knowledge that when bringing up cloud computing resources you should do things like preventing SSH logins as the root user, disable password authentication for all users, as well as do things like limit which IP addresses can talk to the different services on your virtual machines. In more recent years, as our usage of SaaS and IaaS has grown, the importance of securing employee credentials has become even more crucial. So in addition to securing the infrastructure, you require that all employees who need access to the control panel use multi-factor authentication (using TOTP, making sure it’s not SMS-based).

By segmenting access, configuring an intrusion detection system, keeping the systems and packages up to date, and by implementing multiple factors of authentication for your cloud control panel you’re confident in the setup. You’re fairly certain that an alarm would go off if an attacker was able to gain access, and even then their access would be limited to an unprivileged user on only the infrastructure they have access to. But what happens if an employee’s credentials aren’t phished, and instead your infrastructure provider is compromised? Are your systems protected from that vector, and will your heuristics catch it? What can you do to protect yourself from this vector, and can you even reasonably do that?

In this talk, we’ll tell a story from the not too distant past around a successful targeted attack against a company using infrastructure providers as the vector. Details surrounding the methods used by the attacker will be shared, and the explicit steps they took to attempt to cover their tracks. We’ll also look at the other things they did after the attack vector was closed, while attempting to regain access to the systems. Finally, we’ll look at what things you can do to help mitigate the risks you incur if your infrastructure provider is compromised.

Speakers

Tim Heckman

SRE, Netflix

Tim is a Site Reliability Engineer at Netflix, working on the team responsible for the reliability of the Streaming Platform. Prior to becoming an SRE at Netflix, he worked at startups in roles focused on the operation, reliability, and security of their applications and infrastructure... Read More →

Friday October 12, 2018 11:00am - 11:30am PDT
Crystal

Crystal Room

11:00am PDT

Project Showcase: Glue Tool

The OWASP Glue Tool Project is a tools based project intended to make security automation easier. It is essentially a ruby gem that co-ordinates the running of different analysis tools and reporting from those tools.

Speakers

Matt Konda

Friday October 12, 2018 11:00am - 11:35am PDT
California

California Room

11:00am PDT

Pentesting Swift Application for fun and Profit with OWASP iGoat

As enterprises are moving their iOS development towards Swift development from Objective C, it has become essential to adopt skills required to perform penetration testing/security audit of such applications. If you are working as Product Security Engineer or Bug Bounty hunter, it's important to know pentesting Swift application.

Considering such requirements, we're releasing brand new version of OWASP iGoat in Swift. Definitely, there are certain changes while pentesting Swift application over Objective C applications.

This talk is all about how you can find out security loopholes in Swift applications and as a developer how you can defend against them. This talk will help you learn iOS Swift App Pentesting from basics to advanced level using OWASP iGoat project.

This talk will discuss recent case studies of critical findings in iOS apps (Swift) and also help to address important issues as encryption key management, code obfuscation along with OWASP Top 10. We will release the major version of OWASP iGoat (Swift) at AppSec USA 2018.

Project code: https://github.com/OWASP/iGoat-Swift

Technology stack: Swift 4, Ruby

Speakers

Swaroop Yermalkar

Senior Security Engineer, Lithium

Swaroop Yermalkar works as Sr Security Engineer at Lithium with a diverse skill set focused on Mobile App Pentest, Web, API and AWS Pentesting. In addition he has authored the popular book “Learning iOS Pentesting” (https://goo.gl/T8jvjJ) and lead an open source project - OWASP... Read More →

Friday October 12, 2018 11:00am - 11:35am PDT
Gold

Gold, Intermediate

NEW FIELD 1 Track 3

11:00am PDT

Serverless Infections: Malware Just Found a New Home

We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.

Our research team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips for ensuring security prevails in a serverless environment.

Those who will join this talk will:

- Understand the architecture and advantages of a serverless computing environment

- Learn the security challenges entailed in working in a serverless environment

- View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment

- See how we built self-duplicating attacks that survive persistently within the code

- Watch as the attack is executed on platforms running on serverless environments

Speakers

Erez Yalon

VP of Security Research, Checkmarx

Erez Yalon is the VP of Security Research at Checkmarx. Yalon oversees Checkmarx’s research group comprising analysts, pen testers, security engineers, and threat hunters. He brings vast experience to his position and his efforts to empower today’s developers and organizations... Read More →

Friday October 12, 2018 11:00am - 11:35am PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

11:00am PDT

Open Source Security Tools for Kubernetes Applications

Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.

In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.

Speakers

Michael Ducy

Director of Community & Evangelism, Sysdig

Michael Ducy currently works as Director of Community & Evangelism for Sysdig where he is responsible for growing adoption of Sysdig’s open source solutions. Previously, Michael worked at Chef where we held a variety of roles helping customers and community members leverage Chef’s... Read More →

Friday October 12, 2018 11:00am - 11:35am PDT
Regency 2

Regency Ballroom 2, Intermediate

NEW FIELD 1 Track 2

11:45am PDT

Project Showcase: Dependency Track

Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. The platform integrates with multiple sources of vulnerability intelligence including the National Vulnerability Database (NVD), NPM Public Advisories, Sonatype OSS Index, and VulnDB from Risk Based Security.

In this session you'll learn about Dependency-Track, it's bill-of-material approach to providing continuous component analysis, and many of the automation options that are available with the platform.

https://dependencytrack.org/

https://github.com/DependencyTrack

https://twitter.com/DependencyTrack

Speakers

Steve Springett

Sr Manager, Secure Software Engineering, ServiceNow

Steve educates teams on the strategy and specifics of developing secure software.He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive... Read More →

Dependency Track (AppSecUSA2018) pdf

Friday October 12, 2018 11:45am - 12:20pm PDT
California

California Room

11:45am PDT

Empowering Modern Development with Security Automation - Trials and Tribulations from the Trenches

The adoption of agile development practices and DevOps has enabled companies to iterate more quickly, allowing them to be more responsive to customer needs and deliver features in a fraction of the time. While this rapid release cycle has a number of benefits for the engineering team, it can tax already time- and person-limited security teams, who are usually outnumbered by engineers 100:1 or more. To keep up with growing engineering teams and the rapid pace of development, security teams have begun investing heavily in tools, processes, and policies that more efficiently and effectively amplify their efforts.
Join us for a candid panel discussion of how several companies have worked to scale their AppSec program, including senior security team members from Netflix, Datadog, DocuSign, and Signal Sciences. We’ll discuss a number of relevant topics, including:
* What are some initial, high ROI minimal security engineering efforts that are valuable to pursue first?
* Which security tools, processes, or libraries have been the biggest wins at your company?
* What are three things you’d do in any organization you join?
* What are three spectacular failures you’ve had?
Attendees will leave with specific, practical and actionable lessons they can apply immediately to their organizations. We’ll leave extra time for questions at the end to ensure we answer the audience’s most pressing needs.

Speakers

Devdatta Akhawee

Director of Security Enginering, Dropbox

Devdatta heads the Product Safety Organization at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is... Read More →

Scott Behrens

Senior Application Security Engineer, Netflix

Scott Behrens is a senior application security engineer for Netflix. Before Netflix, Scott worked as a senior security consultant at Neohapsis (Cisco) and as an adjunct professor at DePaul University where he taught a graduate course on software security assessment. Scott's expertise... Read More →

Doug DePerry

Director, Product Security, Datadog

Doug DePerry is the Director of Product Security for Datadog. Prior to his current position, Doug lead the bug bounty program at Yahoo. Much of his 10+ years of experience in the security industry is on the offensive side, as a security researcher and consultant at Leaf SR and iSec... Read More →

Clint Gibler

Research Director, NCC Group

Dr. Clint Gibler is a senior security consultant and research director at NCC Group, a global information assurance specialist providing organizations with security consulting services. By day, he performs penetration tests of web applications, mobile apps, and networks for companies... Read More →

John Heasman

Deputy CISO, DocuSign

John Heasman is the Deputy CISO at DocuSign, focused on proactive approaches to securing software. Prior to DocuSign, he spent 10 years working as a consultant for the NCC Group. John has released numerous security advisories in widely used software and has presented original research... Read More →

Zane Lackey

Chief Security Officer, Signal Sciences

Zane Lackey is the Co-Founder / Chief Security Officer at Signal Sciences and the Author of Building a Modern Security Program (O’Reilly Media). He serves on multiple public and private advisory boards and is an investor in emerging cybersecurity companies. Prior to co-founding... Read More →

Friday October 12, 2018 11:45am - 12:20pm PDT
Crystal

Crystal Room

11:45am PDT

Deserialization: what, how and why [not]

Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.

Speakers

Alexei Kojenov

Lead Product Security Engineer, Salesforce

Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting engineering teams in delivering... Read More →

Friday October 12, 2018 11:45am - 12:20pm PDT
Gold

Gold, Advanced - Dev focused

NEW FIELD 1 Track 3

11:45am PDT

Are You Trading Stocks Securely? Exposing Security Flaws in Trading Technologies

With the advent of electronic trading platforms and networks, the exchange of financial securities now is easier and faster than ever; but this comes with inherent risks. Nowadays not only rich people can invest in the money markets, but also anyone with as little as $10 could start trading stocks from either a website, a desktop application or a mobile phone

The problem is that this area of the fintech industry has not been fully under the cybersecurity umbrella. Sometimes we assume that a product is secure by its nature, such as technologies that are used to trade hundreds of billions per day, but security testing tells us a different story.

In this talk, vulnerabilities that affect millions of traders will be shown in detail. Among them are unencrypted authentication, communications, passwords and trading data; remote DoS that leave the applications useless, weak password policies, hardcoded secrets, poor session management, etc. Also, many of these applications lack of countermeasures such as SSL certificate validation and root detection in mobile apps, privacy mode to mask sensitive values, anti-exploitation and anti-reversing mitigations

Moreover, the risk of social trading will be discussed too as well as how malicious expert advisors (trading robots) and other plugins could include backdoors or hostile code that would be hard to spot for non-tech-savvy traders.

The analysis encompassed the following platforms, which are some of the most used ones:
- 30 Websites (7 focused on cryptocurrencies)
- 17 Desktop applications
- 34 Mobile apps

Finally, the gap between the security in online banking vs trading technologies will be clearly observed. There's still a long way to go to improve the security of the trading ecosystem, but the wheel is already invented and common security countermeasures could be applied.

Speakers

Alejandro Hernandez

Sr. Consultant, IOActive

Alejandro Hernandez is a security consultant who works for IOActive, where he has had the chance to work in companies in different countries including Mexico, South Africa, Germany, China, Netherlands, United States, South Corea and England. As a research enthusiast, he had the... Read More →

Friday October 12, 2018 11:45am - 12:20pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

11:45am PDT

Security as a Service: Work where You Engineers Live

Product Engineers and Managers live in git, JIRA, and wikis to develop and release software, so why do security engineers use a fully different set of tools and dashboards to try to drive security fixes onto product teams' roadmaps?

Our team decided to use the 'live where they work' approach to see if we could increase the effectiveness and measurability of our engineering teams' participation in the SDLC.

In this talk, we will show you how our roots on the product engineering team inspired us to live where our engineers live, and leverage existing software development processes to enable our engineers to get security work done when and where it needs to get done, without the overhead of constantly trying to reinforce security-specific processes.

We will talk through the case study of setting up our 3rd Party Library vulnerability detection program. The case study will highlight how we were able to create a zero-overhead approach by leveraging automation and processes that we in had previously put in place. The new system ensures we have an accurate view of the 3rd Party Libraries in use by our products at all times. We integrated this with our project tracking software to automatically file tickets with the team at the discovery of a vulnerability or a vulnerable library. This approach enables us to respond as quickly as possible to disclosure of a vulnerability in a library used by one of our 15+ products with tons of moving pieces. We will also talk about our vulnerability management program and strategy, which heavily leverages our JIRA project tracking system as our source of data, so we’re working from the same dataset as our engineers.

By working where our engineers live, we are able to immediately cut down barriers to getting security work done where and when it needs to be done, and consolidate the source of truth about se. We empower our engineers to know

Speakers

Julia Knecht

Manager, Security & Privacy Architecture, Adobe

Taylor Lobb

Manager, Security and Privacy Architecture, Adobe

Friday October 12, 2018 11:45am - 12:20pm PDT
Regency 2

Regency Ballroom 2, Beginner

NEW FIELD 1 Track 2

12:30pm PDT

Lunch

Friday October 12, 2018 12:30pm - 1:30pm PDT
Imperial

Imperial Room - Lunch

1:00pm PDT

Project Showcase: Lunch with the Internet of Things Top Ten

Grab your lunch and bring it to the California room: The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project defines a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Speakers

Daniel Miessler

Friday October 12, 2018 1:00pm - 1:20pm PDT
California

California Room

1:30pm PDT

Project Showcase: Code Pulse and Attack Surface Detector

White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to provide an advantage to the penetration tester working with the development team.

The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application’s server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

The second tool, Attack Surface Detector performs static code analysis to first detect the web application endpoints, parameters, and parameter datatypes. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow for rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering techniques is that hidden endpoints are found without brute force guessing, and optional parameters not seen in the client-side code are discovered. The Attack Surface Detector is being continually updated; the most recently added functionality includes seeing endpoint differences between application versions, so penetration testers can focus their testing only on the changes.

Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.

Speakers

Ken Prole

CTO, CodeDx

Ken Prole is the CTO of Code Dx and Principal Investigator for Secure Decisions. He has a passion for helping organizations through the process of building secure applications. He has published several articles on cyber security in peer-reviewed journals and is active in the application... Read More →

Friday October 12, 2018 1:30pm - 2:05pm PDT
California

California Room

1:30pm PDT

Cheaters, cheaters, video game eater

An overview of performing enhancing software in League of Legends and what Riot does to combat it.

Speakers

Clint Sereday

Security Manager, Riot Games

Clint Sereday is the product owner for Anti-cheat at Riot Games. After ten years of building teams in the payment risk space, Clint followed his passion for video games to Riot. After initially building out their fraud prevention program, Clint has spent the last 4 years focusing... Read More →

Friday October 12, 2018 1:30pm - 2:05pm PDT
Crystal

Crystal Room

1:30pm PDT

Ecosystem, Interoperability and Standards: The gauntlet of IoT Security and Privacy development lifecycle

Security Development Lifecycle (SDL) methodologies have traditionally served consumer products and enterprise applications. These programs are usually well defined, with established architectures, target markets and product development cycles that span months or years.

Enter the Internet of Things, where there are no pre-defined form factors. An “IoT product” may be a smart fridge, a pacemaker, or a smart city. Makers of these classes of devices are often small/medium sized businesses, who are racing against the large corporates and other similar sized competitors to launch their products first. They look for standards in communication protocols, software stacks, libraries, and reuse them wherever possible. But standards are few and rarely one-size-fits-all. When it comes to securing IoT products, there are myriad of challenges on both process and technical fronts.

Our presentation introduces the audience to a cutting-edge version of Security Development Lifecycle, called the Security & Privacy Development Lifecycle (SPDL). Tailored specifically for IoT platforms, the SPDL is an agile framework that breaks-up a “generic” IoT architecture into its logical sub-components, accounts for the security assessment activities for each of them, as well as for the entire ecosystem. Privacy is woven into the process, and privacy-specific activities are planned at each step of the SPDL. Using standard waterfall-oriented SDL methodologies for IoT programs can be challenging and messy. We talk about the shortcomings of these existing models, and how our proposed SPDL framework addresses them.

As we write this, there’s extensive media coverage on companies collecting and sharing user data with third parties leading to global consequences. Compliance with privacy (for example, consent rules in GDPR) can be very challenging for IoT. We explore some of these topics, and also introduce a privacy vulnerability scoring framework (CPVSS) that can aid in measuring, prioritizing and addressing privacy breaches and data thefts.

Speakers

Sumanth Naropanth

Information Security Leader - IoT, Cloud and Mobile

CEO of Deep Armor Business and technical leader in information security. Extensive experience in defining and executing security development lifecycle (SDL), hands-on penetration testing, threat modeling, conducting security research, incident response, designing crypto flows and... Read More →

Kavya Racharla

Head of security and privacy, Intel sports - Artificial Intelligence and Virtual Reality

Kavya Racharla is the head of security and privacy for Intel's sports group. As part of her job at Intel, she has led the end-to-end SDL and privacy efforts for several AR/VR, wearable and IoT devices. She was part of Oracle and Qualcomm's security teams before her current job at... Read More →

Friday October 12, 2018 1:30pm - 2:05pm PDT
Gold

Gold, Intermediate

NEW FIELD 1 Track 3

1:30pm PDT

Breaking fraud & bot detection solutions

Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented via JavaScript snippets running in the user browser. In this presentation, we’ll demystify the signals these snippets collect and describe why these signals are unreliable. Using a realistic threat model, we’ll describe various attacks against defenses relying on these signals. Finally, we'll share war stories of architectural and implementation flaws we found in real world deployments.

Speakers

Mayank Dhiman

Security Engineer, Dropbox

Mayank is a security researcher with an extensive background in network security, fraud/abuse prevention, threat intelligence and authentication. His research on browser fingerprinting and passive network fingerprinting has helped build rule-based systems and ML models to tackle fraud... Read More →

Friday October 12, 2018 1:30pm - 2:05pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

1:30pm PDT

Security Culture Hacking: Disrupting the Security Status Quo

This session is an exploration into the world of security culture hacking. In the wake of the "data breach of the day", organizations claim they are more serious about security. The truth is that many still have weak security cultures. At the end of the day, how much actual security culture change occurs post-breach? The answer is not enough. This session describes how to change security culture from the inside out, utilizing best practices and real-world examples. With security culture disruption, the security team attempts to impact employees through positive security learning and experience.

The session begins by introducing the audience to the concepts of security culture and security culture hacking and then explains the security status quo. Security culture hacking is the skills and creativity necessary to disrupt an existing culture and redirect it towards a more secure future. Security status quo is the idea that companies move in a herd mentality and believe that their security must only be an average of their peers. To prove this point, we profile some anonymous organizations based on their external security story versus reality. Next, we'll discuss what makes a good security culture hacker, including the skills required for success in this type of endeavor.

The middle of this session includes a how-to of hacking security culture. Each section includes various tips and stories from real life experience about how to influence security culture. The phases of security culture improvement are explored, including awareness, big learning, and community. In addition, a discussion of organizational reach, marketing, rewards, recognition, and metrics surrounding security culture improvement are explored. It's time to make security fun.

At the conclusion, a plan is laid out for how a learner could put true security culture change into practice in their organization. Audience members receive a 30-60-90-1-year plan for how to implement true security culture change.

Speakers

Chris Romeo

CEO, Kerr Ventures

Friday October 12, 2018 1:30pm - 2:05pm PDT
Regency 2

Regency Ballroom 2, Beginner

NEW FIELD 1 Track 2

2:15pm PDT

Project Showcase: SEDATED

The SEDATED Project (Sensitive Enterprise Data Analyzer To Eliminate Disclosure) focuses on preventing sensitive data such as user credentials and tokens from being pushed to GitHub. Developers are constantly pushing changes to GitHub and may try pushing a commit that contains sensitive information. The SEDATED application will help catch and prevent that.

Speakers

Simeon Cloutier

Dennis Kennedy

Friday October 12, 2018 2:15pm - 2:50pm PDT
California

California Room

2:15pm PDT

Fixing Mobile AppSec

Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS) and provides a baseline for complete and consistent security tests.

In this talk, the final version of the MASVS and MSTG will be introduced and will discuss the many challenges we faced during development, from dealing with the diversity and fragmentation of the Android ecosystem to clarifying the role of software protections in mobile security.

Speakers

Sven Schleier

Managing Principal, Vantage Point Security Pte Ltd

Friday October 12, 2018 2:15pm - 2:50pm PDT
Gold

Gold, Intermediate

NEW FIELD 1 Track 3

2:15pm PDT

Flying Above the Clouds: Securing Kubernetes

Cloud-native architectures built using Kubernetes are composed of containerized microservices managed by an orchestration system. They are distributed systems that run on top of the cloud (or sometimes physical) infrastructure and abstract away details of platform integrations in order to promote portability. Automation, scalability, and resiliency are all important properties of cloud-native systems and all factor into design choices. Security touches every aspect of the architecture, at the application, container, orchestration, and cloud infrastructure layers.

In this presentation, we will explore the Kubernetes attack surface and present methods to keep your cloud-native systems resilient to attack. Building a secure architecture requires carefully considering authentication, authorization, network segmentation, storage, and logging/auditing. There are some no-brainer security controls to take advantage of for quick wins, while others require careful consideration and design-level choices. We will demonstrate how container runtime security factors into the equation as well as what we need to consider in our underlying cloud infrastructure. Microservice security will be discussed along with steps we can take to deploy secure services and meshes.

Our goal is to keep our engineers moving fast, but securely. At the end of the presentation, you’ll understand the cloud-native attack surface and how to approach building a hardened infrastructure and deploy secure services with Kubernetes.

Speakers

Jack Mannino

CEO, nVisium

Jack Mannino is the CEO of nVisium. Passionate about security and impossible to keep away from a keyboard, his expertise spans over 15 years of building, breaking, and securing software. Jack founded nVisium in 2009, and since then has helped the world's largest software teams enhance... Read More →

Friday October 12, 2018 2:15pm - 2:50pm PDT
Regency 1

Regency Ballroom 1, Intermediate

NEW FIELD 1 Track 1

2:15pm PDT

Single Page Applications: Is your design secure?

In the current landscape of web development, Single Page Applications (SPA) have been utilized more frequently due to its versatile capabilities. Also, popularity of frameworks such as Angular and React have enabled fast paced development of SPAs. For that reason, even more traditional web applications have migrated to SPAs without considering the security implications this new paradigm introduces. In this presentation we will describe some of the security pitfalls that affect SPA applications and how to mitigate them.

Speakers

Rafael Dreher

Security Software Engineer, Microsoft

Rafael Dreher is a Security Engineer at Microsoft and co-founder of OWASP Porto Alegre chapter. He is interested in ways to improve and scale static code analysis in large enterprises. Rafael spends most of his time digging into code of web applications to find interesting patterns... Read More →

Murali Vadakke Puthanveetil

Security Software Engineer, Microsoft

Murali Vadakke Puthanveetil works as a Security Engineer at Microsoft and a previous speaker at AppSec USA. He is particularly interested in figuring out authentication and authorization logic used by web applications. Murali spends most of his time digging into code of web applications... Read More →

Friday October 12, 2018 2:15pm - 2:50pm PDT
Regency 2

Regency Ballroom 2, Intermediate - Dev focused

NEW FIELD 1 Track 2

3:00pm PDT

Coffee Break/Vendor Passport Program Drawing

Friday October 12, 2018 3:00pm - 3:30pm PDT
Regency Ballroom

Regency Ballrooms

3:30pm PDT

Making Security Approachable for Developers and Operators

Security is a complex topic filled with jargon and subtle nuances. The "weakest link" challenge in security means we must be concerned with every threat vector and apply best practices universally. This becomes challenging when we need to bring developers and operators into the fold, since our infrastructure and applications are critical to the our security posture. Instead of expecting everybody to become an expert in security, we need to make security more approachable for these audiences. In this talk, we discuss how to apply best practices and make them accessible to developers and operators through APIs, secure by default platforms, and policy as code.

Speakers

Armon Dadgar

Co-Founder and CTO, HashiCorp

I have a passion for security and distributed systems and their application to real world problems. As a co-founder and CTO of HashiCorp, I bring both those interests into the world of DevOps tooling. As a former practitioner and proponent of open source software, I have helped design... Read More →

Friday October 12, 2018 3:30pm - 4:15pm PDT
The Fairmont

Imperial Room