Welcome to OWASP AppSec 2018 USA. We look forward to seeing you in San Jose, CA.


Thursday, October 11


Authentication as a Microservice: Portable Customer Identity Management
Authentication is a core piece of many applications but it has traditionally been handled in a monolithic manner. Foreign keys to the user table and join tables for roles and permissions are the most common mechanism that applications use to manage user data. Moving to microservices means that applications now need to decouple authentication, user management, and user data. To accomplish this, a portable identity model is required.
In this session, we will discuss the advantages of a microservice architecture, as well as the most common pitfalls including increased network chatter and various security issues. I’ll cover the basics of authentication and authorization as a microservice and JWT revocation. The goal is to allow developers to primarily focus on code and move away from infrastructure concerns.

Brian Pontarelli
CEO, FusionAuth and CleanSpeak
Brian Pontarelli is founder and CEO of Inversoft, a Denver-based provider of platform technologies built to help companies manage, moderate and engage their customers. These technologies include Passport, a modern identity and user management API that provides login, registration...

Thursday October 11, 2018 10:15am - 10:50am
Track 3
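The abstract above mentions JWT revocation as one of the harder parts of authentication as a microservice: a signed token is valid until it expires, so logout or a password change needs a revocation check that every service can perform. The following is an added example, not code from this session or from FusionAuth, showing a minimal HS256 token issuer and verifier with a jti denylist bounded by token expiry. It uses only the JDK; the key, claim names and the regex-based claim extraction are illustrative stand-ins for a real JWT/JSON library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtRevocationDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Revocation list keyed by jti, value = the token's exp. An entry is only needed until exp,
    // because after that the exp check alone rejects the token, so the list stays bounded by
    // the number of tokens revoked within one token lifetime.
    final Map<String, Long> revoked = new ConcurrentHashMap<>();
    private final byte[] key;

    JwtRevocationDemo(byte[] key) { this.key = key; }

    String issue(String sub, String jti, long exp) throws Exception {
        String header = B64.encodeToString(
            "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(
            String.format("{\"sub\":\"%s\",\"jti\":\"%s\",\"exp\":%d}", sub, jti, exp)
                .getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput));
    }

    void revoke(String jti, long exp) { revoked.put(jti, exp); }

    // Call periodically: entries whose token has already expired are dead weight.
    void prune(long now) { revoked.entrySet().removeIf(e -> e.getValue() <= now); }

    // Returns the subject of a valid, unexpired, unrevoked token; throws otherwise.
    String verify(String token, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        // Pin the algorithm instead of trusting the header (alg=none / key-confusion attacks).
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!"HS256".equals(claim(header, "alg"))) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, B64D.decode(parts[2])))
            throw new SecurityException("bad signature");
        // Only after the signature holds are the claims worth reading.
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        if (Long.parseLong(claim(payload, "exp")) <= now) throw new SecurityException("expired");
        if (revoked.containsKey(claim(payload, "jti"))) throw new SecurityException("revoked");
        return claim(payload, "sub");
    }

    private byte[] hmac(String input) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(input.getBytes(StandardCharsets.UTF_8));
    }

    // Demo-only claim extraction (assumes flat JSON without escaped quotes); use a JSON/JWT library in practice.
    private static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"?([^\",}]+)\"?").matcher(json);
        if (!m.find()) throw new SecurityException("missing claim: " + name);
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);      // HMAC key shared with the verifying services (assumed)
        JwtRevocationDemo svc = new JwtRevocationDemo(key);

        long now = Instant.now().getEpochSecond();
        long exp = now + 900;                   // short lifetime keeps the revocation list small
        String jti = UUID.randomUUID().toString();
        String token = svc.issue("alice", jti, exp);

        System.out.println("accepted, sub=" + svc.verify(token, now));
        svc.revoke(jti, exp);                   // e.g. on logout or password change
        try {
            svc.verify(token, now);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        svc.prune(exp + 1);
        System.out.println("entries after prune: " + svc.revoked.size());
    }
}
```

The design trade-off is the one the abstract hints at: a denylist means every service either queries a shared revocation store on each request or receives pushed updates, which is extra network chatter; keeping token lifetimes short bounds both the size of the list and the window during which a revoked-but-unchecked token still works.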


Prevent Business Logic Attacks using Dynamic Instrumentation
As application security practitioners, we know that the attacks representing the most significant business risk for our organizations are often attacks targeting sensitive business functions of our applications. Those go far beyond the OWASP Top 10 and make generic (existing?) security tools inefficient. We require very tailor-made solutions to cover our security needs.

This talk will show how to create a security automation tool using dynamic instrumentation that helps to prevent business logic attacks. Sensors are added to the application source code, business events collected in an analysis engine and automated responses are pushed back to the application at runtime. The presented tool is based on open source libraries, and easily extensible and pluggable to analysis engines such as Kibana or Splunk.

Dynamic instrumentation is a game changer because it allows security teams to add sensors remotely, in real time, without asking development teams to trigger a new build and a new deploy of their applications.

The talk will include concrete business examples to help the audience apply this strategy. It will also give tips to navigate through the various teams (fraud, developers, product, …) that own a different piece of this security puzzle.

Jean-Baptiste Aviat
CTO & co-founder, Sqreen
Jean-Baptiste Aviat spent half a decade hunting vulnerabilities at Apple, helping developers solve them, and developing security software.

Thursday October 11, 2018 11:00am - 11:35am
Track 3


Value Driven Threat Modeling * DEV Focused*
What if we could get developers to apply threat modeling techniques, and embed secure design right in the product from the beginning?    

Threat Modeling is a great method to identify potential security weaknesses, and can enable architects and developers to efficiently prioritize their security investment, thus mitigating and preventing those vulnerabilities that would most likely cause the most damage.   
Unfortunately, though threat modeling provides a far greater return than most any other security technique in a development process, it is apparently “common knowledge” that threat modeling is supposed to be heavily resource intensive, require a full team of expensive security professionals, take up far too much developer time, and does not scale at all.    
But the common knowledge is wrong! In fact, using a lightweight, value-driven approach, skilled development teams can very efficiently ensure that the features they build can protect themselves, the application, and the business value that the features are intended to generate. Value Driven Threat Modeling offers an alternative to top-heavy, big-model-up-front threat modeling, in favor of agility, speed, and integration with the existing development cycle, not just to minimize risk, but to lower security costs.

This talk will describe Value Driven Threat Modeling, and show how to incorporate it into your existing agile methodologies. We will discuss how developers can efficiently threat model their application to improve development, and walk through some example scenarios. And of course, we will see how security can participate productively in the agile development process, leveraging developers' own habits to their benefit.

Avi Douglen
Conference Chair, Bounce Security
AviD is a high-end, independent security architect and developer, and has been designing, developing and testing secure applications, and leading development teams in building secure products, for around 20 years. My research interests include efficient security engineering, usable...

Thursday October 11, 2018 11:45am - 12:20pm
Track 3


The Anatomy of a Secure Web Application in Java Using Spring Security and Apache Fortress
The Jakarta EE architecture provides the necessary enablement but most developers do not have the time or the training to take full advantage of what it has to offer. This technical session describes and demos an end-to-end application security architecture for an Apache Wicket Web app running in Tomcat. It includes practical, hands-on guidance on properly implementing authentication, authorization, and confidentiality controls using Java, Spring and Apache Fortress controls. In addition to finding out where the security controls must be placed and why, attendees will be provided with code they can use to kick-start their own highly secure Java web applications using Apache products and a few tricks.

Shawn McKinney
Software Architect, Symas
Over twenty-five years as software developer and architect. Most of that time specializing in software security. Started an open source project called Fortress.

John Tumminaro
VP Technology, GlobalLogic
Passionate Enterprise & Security Architect. Experience/Roles include CTO, Chief Architect, Enterprise Architect, Security Architect & Solution Architect. Areas of specialty include: Transactional/BigData Systems, Integration, Performance/Scale/Resilience, Global Deployment, Cloud...

Thursday October 11, 2018 1:30pm - 2:05pm
Track 3


Scratching the Surface of your CD?
Continuous Delivery (CD) introduces a new set of challenges for application security testing, even compared with already fast Continuous Integration (CI) and DevOps methodologies. A CD development organization can produce hundreds or even thousands of software updates per day, some of them taking no longer than a few hours from beginning to end. This puts pressure even on the best fast AppSec testing methodologies, such as fast incremental testing, restricted testing, etc.

True continuous testing calls for true, inline, continuous security testing, which does not rely on any dedicated testing slots. In this talk we will talk about some of these concepts - how to streamline security testing in the background, how to fit it into modern A/B testing cycles, and how to build an approval process that fits a modern CD workflow, rather than an old security go/no-go approach.

Join this talk if you would like to turn your application security testing methodology into one that can fit whatever development velocity your organization wants to go at!

Ofer Maor
Director, Solutions Management, Synopsys

Thursday October 11, 2018 2:15pm - 2:50pm
Track 3


SCORE Bot: Shift Left, at Scale!
In today’s DevSecOps world, “shift to the left” is not a new mantra for AppSec practitioners. It is imperative to notify developers about potential security issues as early as possible.

While heavy-weight static and dynamic analysis tools and fuzzers exist to find generic technical security flaws, finding custom security issues that are specific to an organization’s proprietary frameworks, APIs, libraries, etc. is often tricky, time-consuming and expensive to capture and maintain as “custom rules” in those tools. IDE plug-ins are often messy to deploy and maintain at scale in the real-world when you are dealing with highly diverse programming languages/frameworks and thus various versions of different IDE products.

Secure COde REview Bot (SCORE Bot) fills that gap and provides real-time, in-context security-oriented code review that focuses on org-specific security issues. It does that by automatically hooking into the GitHub Pull Request (PR) process and posting PR comments with not only the details about the identified security vulnerabilities but also remediation advice, so that developers have actionable guidance to fix those security issues.

Driven by insights from behavioral science and experimentation (A/B testing), SCORE Bot became our reliable eyes-and-ears of the code being written at PayPal and a trusted security peer reviewer for our developers.

In this talk, we’ll share the lessons learned from rolling out SCORE Bot at PayPal, with details on what worked and what proved challenging, along with some real-world metrics from our deployment that scaled to cater to diverse programming languages, frameworks and CI/CD pipelines.

Vidhu Jayabalan
Security Architect, PayPal Inc.
Vidhu works at PayPal Inc. as a Security Architect in the Application Security Engineering organization and leads the development of a suite of products that enable Secure Product LifeCycle program at PayPal. Vidhu loves spending time on engineering & building products that are at...

Laksh Raghavan
Head of AppSec & Innovation, PayPal Inc.
Laksh Raghavan is the Head of AppSec and Innovation at PayPal Inc. He is currently responsible for managing the Secure Product LifeCycle program for all PayPal applications including the web and mobile apps supporting PayPal's more than 244 million active accounts. Laksh has over...

Thursday October 11, 2018 3:30pm - 4:05pm
Track 3


Are we using Java Crypto API Securely ?
Do you feel cryptographic libraries are just thrown over the fence for us developers and security professionals to understand and pray they are used securely? Java Cryptography Architecture is one such famously used library, laden with ambiguous documentation, an over-abundance of algorithmic and key material choices, insecure defaults, and poor architectural choices. All these collectively make an unfortunate choice highly probable and land us with a flawed cryptographic system.
In this session, learn how to securely use each of the Java Cryptography Architecture’s primitives (Random Number Generators, Encryption/Decryption algorithms, HMACs, digital signatures etc.) using real-world code examples to highlight areas that require careful attention and difficult choices. Examine both good and flawed implementations, and learn how to spot mistakes. Then learn how to future-proof the crypto in your applications.  

Mansi Sheth
Principal Security Researcher, CA Veracode
Mansi Sheth is a Principal Security Researcher at CA Veracode Inc. In her career, she has been involved with breaking, defending and building secure applications. Mansi researches various languages and technologies, finding insecure usages in customer code and suggests automation...

Thursday October 11, 2018 4:15pm - 4:50pm
Track 3
Friday, October 12


Human factors that influence secure software development
Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application security?

By their very nature, both automated and manual application security testing are performed retroactively on code that has already been written. Automated AppSec testing can speed up that process to provide security analysts and developers with timely information about the security state of their code, thereby closing the time gap between committing code and discovering weaknesses in it. But automated testing is still performed after code has been committed. Furthermore, both manual and automated source code analyses are done without much prior knowledge about where the vulnerabilities are likely to appear in the code base.

What would happen if we could point to specific code that is more likely to be vulnerable based on other factors, such as the environment (time of day, distracting noise, time pressure) under which the code was written or the characteristics of the individual developers (experience, training, focused attention) or the teams (size, diversity, level of collaboration) that developed the code? This information would allow us to orient our manual code analyses and automated static analyses towards susceptible code. It would also allow us to change up the conditions that are contributing to the introduction of vulnerabilities, and intervene before these conditions impact the security of the code under development.

This is a definitive way to shift security to the left. Become so aware of the factors that contribute to the introduction of vulnerabilities that an organization can mitigate their introduction by changing up the conditions under which the code is being developed.

This session will review the types of research being conducted, and the initial findings, from an emerging area of application security research: the human dimensions that relate to secure code development. We will also open up a discussion with the audience about innovative ways that could be used to further study the human factors that affect secure code development in ongoing projects, not just through historical analyses of well-established repositories.

Anita Damico
CEO, Code Dx
Anita D’Amico, PhD is CEO of Code Dx, Inc. which provides open-source and commercial application security solutions based on advanced technologies developed by Secure Decisions, an R&D organization which she also directs. Her roots are in experimental psychology and human factors...

Chris Horn
Product Strategy & Development, Secure Decisions & Code Dx
Chris Horn is a Researcher at Secure Decisions, an R&D organization, and helps guide product development at Code Dx. He is currently engaged in several application security (AppSec) research projects, including: developing a system for benchmarking static code analyzers, studying...

Friday October 12, 2018 10:15am - 10:50am
Track 3


Pentesting Swift Application for fun and Profit with OWASP iGoat
As enterprises are moving their iOS development from Objective-C to Swift, it has become essential to adopt the skills required to perform penetration tests and security audits of such applications. If you are working as a Product Security Engineer or Bug Bounty hunter, it's important to know how to pentest Swift applications.

Considering such requirements, we're releasing a brand new version of OWASP iGoat in Swift. Definitely, there are certain changes when pentesting Swift applications compared to Objective-C applications.

This talk is all about how you can find out security loopholes in Swift applications and as a developer how you can defend against them. This talk will help you learn iOS Swift App Pentesting from basics to advanced level using OWASP iGoat project.

This talk will discuss recent case studies of critical findings in iOS apps (Swift) and also help to address important issues such as encryption key management and code obfuscation, along with the OWASP Top 10. We will release the major version of OWASP iGoat (Swift) at AppSec USA 2018.

Project code: https://github.com/OWASP/iGoat-Swift

Technology stack: Swift 4, Ruby

Swaroop Yermalkar
Senior Security Engineer, Lithium
Swaroop Yermalkar works as Sr Security Engineer at Lithium with a diverse skill set focused on Mobile App Pentest, Web, API and AWS Pentesting. In addition he has authored the popular book “Learning iOS Pentesting” (https://goo.gl/T8jvjJ) and lead an open source project - OWASP...

Friday October 12, 2018 11:00am - 11:35am
Track 3


Deserialization: what, how and why [not]
Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.

We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.

Alexei Kojenov
Senior Product Security Engineer, Salesforce
Alexei began his career as a software developer. A decade later, he realized that breaking code was way more fun than writing code, and decided to switch direction. He is now a full-time application security professional, with several years of assisting various development teams in...

Friday October 12, 2018 11:45am - 12:20pm
Track 3
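The session above is about the dangers of deserializing untrusted input with Java's native serialization and how to avoid them. The following is an added example, not code from this session or from the speaker, showing the control a practitioner usually reaches for first: a JEP 290 `ObjectInputFilter` (Java 9+, also available as `-Djdk.serialFilter` process-wide) that allow-lists the one type an endpoint expects and rejects every other class before any object is instantiated or its `readObject`/`readResolve` runs. The `Order` type and the hostile payload (a plain `HashMap`, standing in for the root of a gadget chain) are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserializeDemo {

    // The one type this endpoint legitimately accepts (assumed for the demo).
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final long cents;
        Order(String id, long cents) { this.id = id; this.cents = cents; }
    }

    // Allow-list filter: Order and String are permitted, "!*" rejects everything else.
    // First matching pattern wins, so the reject-all must come last. The limits cap nesting
    // depth, back-reference count and stream size to blunt resource-exhaustion payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "SafeDeserializeDemo$Order;java.lang.String;!*;maxdepth=4;maxrefs=64;maxbytes=4096");

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Untrusted bytes enter here. The filter is installed before readObject so it is consulted
    // for every class descriptor as it is read; the cast on the result would be far too late.
    static Order readOrder(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(FILTER);
            return (Order) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order("A-1001", 4200L));
        Order o = readOrder(legit);
        System.out.println("accepted: " + o.id + " " + o.cents);

        // Constructed stand-in for a hostile payload: any class outside the allow-list.
        byte[] hostile = serialize(new HashMap<String, String>());
        try {
            readOrder(hostile);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // filter status: REJECTED
        }
    }
}
```

The filter is a mitigation, not a substitute for the talk's main advice: if the endpoint can take JSON or another data-only format instead of a serialized object graph, do that, and keep the filter as defence in depth for the native-serialization entry points you cannot remove.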


Ecosystem, Interoperability and Standards: The gauntlet of IoT Security and Privacy development lifecycle
Security Development Lifecycle (SDL) methodologies have traditionally served consumer products and enterprise applications. These programs are usually well defined, with established architectures, target markets and product development cycles that span months or years.

Enter the Internet of Things, where there are no pre-defined form factors. An “IoT product” may be a smart fridge, a pacemaker, or a smart city. Makers of these classes of devices are often small/medium sized businesses, who are racing against the large corporates and other similar sized competitors to launch their products first. They look for standards in communication protocols, software stacks, libraries, and reuse them wherever possible. But standards are few and rarely one-size-fits-all. When it comes to securing IoT products, there are myriad challenges on both process and technical fronts.

Our presentation introduces the audience to a cutting-edge version of Security Development Lifecycle, called the Security & Privacy Development Lifecycle (SPDL). Tailored specifically for IoT platforms, the SPDL is an agile framework that breaks up a “generic” IoT architecture into its logical sub-components, accounts for the security assessment activities for each of them, as well as for the entire ecosystem. Privacy is woven into the process, and privacy-specific activities are planned at each step of the SPDL. Using standard waterfall-oriented SDL methodologies for IoT programs can be challenging and messy. We talk about the shortcomings of these existing models, and how our proposed SPDL framework addresses them.

As we write this, there’s extensive media coverage on companies collecting and sharing user data with third parties leading to global consequences. Compliance with privacy (for example, consent rules in GDPR) can be very challenging for IoT. We explore some of these topics, and also introduce a privacy vulnerability scoring framework (CPVSS) that can aid in measuring, prioritizing and addressing privacy breaches and data thefts.

Sumanth Naropanth
Information Security Leader - IoT, Cloud and Mobile
CEO of Deep Armor. Business and technical leader in information security. Extensive experience in defining and executing security development lifecycle (SDL), hands-on penetration testing, threat modeling, conducting security research, incident response, designing crypto flows and...

Kavya Racharla
Head of security and privacy, Intel sports - Artificial Intelligence and Virtual Reality
Kavya Racharla is the head of security and privacy for Intel's sports group. As part of her job at Intel, she has led the end-to-end SDL and privacy efforts for several AR/VR, wearable and IoT devices. She was part of Oracle and Qualcomm's security teams before her current job at...

Friday October 12, 2018 1:30pm - 2:05pm
Track 3


Fixing Mobile AppSec
Even though modern mobile operating systems like iOS and Android offer great APIs for secure data storage and communication, those APIs have to be used correctly in order to be effective. Data storage, inter-app communication, proper usage of cryptographic APIs and secure network communication are only some of the aspects that require careful consideration. The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes processes and techniques for verifying the requirements listed in the Mobile Application Security Verification Standard (MASVS) and provides a baseline for complete and consistent security tests.

In this talk, we will introduce the final version of the MASVS and MSTG and discuss the many challenges we faced during development, from dealing with the diversity and fragmentation of the Android ecosystem to clarifying the role of software protections in mobile security.

Sven Schleier
Managing Principal, Vantage Point Security Pte Ltd
Sven is an application security expert with over 8 years of hands-on experience in web and mobile penetration testing, network penetration testing and source code review and is leading the penetration testing team for Vantage Point in Singapore. He is an experienced Security Architect...

Friday October 12, 2018 2:15pm - 2:50pm
Track 3